[SystemSafety] Messaging Vulnerabilities

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Thu Feb 15 10:48:32 CET 2018


Matt Green has a post on the recently-discovered vulnerabilities in group messaging using the Signal
protocol (used by Signal and WhatsApp). They are a little different in each app, but both allow
people to be added to a group in an unintended fashion.

https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/

Green's conclusion might strike some of us as a little odd. He suggests protocol specifications are
not enough (Signal has quite detailed specs). To find weaknesses, he suggests *testing*.

Duuuh. It is true that if you hammer on something, you can if you are lucky find pervasive
weaknesses if there are such, which is why people distinguish between testing which aims to see if
you have the right function, as contrasted with testing which aims to see if you have the function
right. But I am not sure that having a rigorous-SW-and-algorithms guy saying "testing is key" is
going to help those of us concerned about the overreliance on testing for assurance of critical SW.

I wonder if this is an instance of an old phenomenon: the cryptography is impeccable but the
cryptology vulnerable? One might thereby suggest more extensive use of methods such as BAN-logical
analytics. But I haven't looked at the analyses so I might be talking through my hat.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de




