npub1hnh3gjkese72l4t437c45hwnypjh83elsdl92285jnv5nvcd9w8qgprrkt (npub1hnh…rrkt): Wow, that's a lot of snake oil in the FB article that The Verge refers to.
*THE* problem with consumers losing access to their phone (stolen, forgotten in the subway, dropped in the toilet etc.) is typically that *ALL* secrets are gone - except a screen unlock code, while *possibly* the user may remember the password of their iCloud or Google account (or may have access to a rescue code).
By the way, passkey synchronisation suffers from the same problem: asking people to remember one or more additional *strong* passwords is doomed to fail in too many cases; fortunately black magic comes to the rescue.
From https://engineering.fb.com/2024/10/22/security/ipls-privacy-preserving-storage-for-your-whatsapp-contacts/:
❝
But losing your phone could mean losing your contact list as well. Traditionally, WhatsApp has lacked the ability to store your contact list in a way that can be easily and automatically restored in the event you lose it.
[...]
If you lose your phone, your contact list can be restored on a newly registered device.
[...]
Certain events [...] trigger the creation of a new cryptographic keypair that is associated with your phone number.
❞
So all the military-grade encryption, HSMs and Cloudflare supervision eventually depend on a PHONE NUMBER - with, in modern computer terms, a VERY limited number of possible combinations of digits.
And all that is apart from the fact that phone numbers may be spoofed and "SIM-swapping" attacks happen to be a lot easier than most people are aware of.
What could possibly go wrong?
P.S. Of course I may be totally mistaken, for example because additional protections are in place. However, I do not see them mentioned in the FB article.
#WhatsApp #AddressBook #Contacts #Meta #Facebook #Cloudflare #HSM #SnakeOil #MilitaryGradeEncryption #WriteOnceReadMany #BlockChain #Transparency #Passkeys #Synchronisation #E2EE