3

Last week, in the country I live in, there was an article in a newspaper with a list of people (journalists, businessmen, etc.) that were being spied on by the intelligence services of the country... They explained that this agency was spying on all their WhatsApp conversations, Skype calls, cellphone calls, etc...

So when I read that I started to wonder HOW they can spy on WhatsApp conversations, as they are over TLS. If they want to do a man-in-the-middle attack they need to change the certificates in the device so they can attack the connection... Is there another way?!

This is a big surprise for me because I have nothing to hide, but I was happy just checking if the connections were https to feel secure as I thought that way nobody could see what I was sending/receiving (I know if they have access to the servers they can check anything but that's not a concern for me...)

And another question: how secure is it to use Skype/Viber for calls? Is Skype safer than a landline or cellphone line? Is Telegram more secure than WhatsApp?

Andres

3 Answers

2

No. The extra Root Certificates in your browser's (or computer's) key store/wallet can be used to engage in Man-in-the-middle attacks should anyone in the Internet providing chain be able to get a signed certificate for the web server you're connecting to from one of those extra Root CAs. For example, say you've got a Turkish Root CA in your key store on your Mac. If your ISP can get the Turkish Root Authority to issue a server certificate for the host www.whatsapp.com (bribe, intelligence service in Turkey) then your connection from your computer or phone to whatsapp.com can be routed to a middle server for an MITM attack.

Remove those untrusted Root CAs and you'll be safer. You may have a problem with the new Logjam attack, which is a cipher suite downgrade attack, or with using an algorithm that cryptographers now strongly believe can be broken (a handful of commonly used DH keys of length 1024 bits or lower).

See these answers on "How NSA can break Web and VPN sessions" and "MITM attack against SSL".

I've never studied Skype's security.

Andrew Philips
  • Both Skype and WhatsApp are strongly suspected to be able to MITM conversations over their services, at the behest of intelligence agencies. They control the name to key directory and there is no way to check your client encrypts using the public key for which only your friend has the private key. Cryptographers recommend Signal. Also, targeted attacks against phone/laptop circumvent all on the wire security. – Z.T. Nov 09 '15 at 18:47
  • In that sense, whatsapp and skype are MITM attacks we trust to maintain privacy. If an intelligence service co-locs, that trust is broken. – Andrew Philips Nov 09 '15 at 18:53
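
The answer above advises removing root CAs you do not trust. As an added example (not part of the original answer or its comments), this Python sketch audits a list of trust-store entries in the dictionary shape returned by `ssl.SSLContext.get_ca_certs()` and reports roots that are expired or whose organization is not on a reviewer-chosen allowlist. The allowlist, the organization names and the sample entries are constructed for illustration.

```python
import ssl
import time

def _name(rdns):
    """Flatten the nested RDN tuples used by get_ca_certs() into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def audit_roots(ca_certs, trusted_orgs, now=None):
    """Return (label, reason) for every entry that deserves a manual review."""
    now = time.time() if now is None else now
    findings = []
    for cert in ca_certs:
        subject = _name(cert["subject"])
        label = subject.get("commonName") or subject.get("organizationName", "?")
        # Heuristic only: subject == issuer is treated as "self-signed root".
        if cert["subject"] != cert["issuer"]:
            findings.append((label, "not self-signed: not a root"))
        elif ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            findings.append((label, "expired"))
        elif subject.get("organizationName") not in trusted_orgs:
            findings.append((label, "organization not on allowlist"))
    return findings

def _entry(org, cn, not_after, issuer_cn=None):
    """Build one constructed trust-store entry (hypothetical helper)."""
    subject = ((("organizationName", org),), (("commonName", cn),))
    issuer = subject
    if issuer_cn is not None:
        issuer = ((("organizationName", org),), (("commonName", issuer_cn),))
    return {"subject": subject, "issuer": issuer, "notAfter": not_after}

# Constructed sample store: every name below is made up for this example.
SAMPLE_STORE = [
    _entry("Example Trust Services", "Example Global Root", "Jan  1 00:00:00 2040 GMT"),
    _entry("Hypothetical State CA", "Hypothetical National Root", "Jan  1 00:00:00 2040 GMT"),
    _entry("Example Trust Services", "Example Legacy Root", "Jan  1 00:00:00 2010 GMT"),
]
ALLOWLIST = {"Example Trust Services"}  # assumption: chosen by the reviewer
FIXED_NOW = ssl.cert_time_to_seconds("Nov  9 00:00:00 2015 GMT")

if __name__ == "__main__":
    for label, reason in audit_roots(SAMPLE_STORE, ALLOWLIST, FIXED_NOW):
        print(f"{label}: {reason}")
    # For a live audit, pass ssl.create_default_context().get_ca_certs()
    # instead of SAMPLE_STORE and omit the fixed timestamp.
```

Python reads OpenSSL's CA bundle, which can differ from the store a browser or phone app uses, so a clean result here does not cover those stores.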
1

To answer your main title question: Yes, sort of. (I'd like to provide an opposing view to Andrew's answer.) The whole concept of certificates is based on trust. You are trusting that the site or service you are communicating with and the CA providers are both trustworthy to begin with. If you begin with that assumption, then you can be reasonably sure that your privacy is protected from unauthorized access outside of those parties.

If you can no longer trust the CA, or if you cannot trust the service or website you are using to protect your data, then the entire process breaks down. If a CA or a service allows intelligence agencies to view their data, or a backdoor in, then of course you can't trust it, but that would still be authorized access. As an analogy, you and your landlord both have keys to your apartment. Do you trust your landlord not to let anyone into your apartment other than you? If your landlord chooses to let someone else in without your permission, that is still authorized access. (As opposed to unauthorized access such as copying your key when you aren't looking, picking your door lock, or kicking down the door.)

TTT
  • So there is no way that someone can read what I send on Whatsapp except if the CA or WhatsApp itself allows them to access their systems? So what I read in the newspaper is fake? I live in South America, so I'm sure the intelligence agencies can't reach whatsapp or the CA... – Andres Nov 10 '15 at 17:18
  • @Andres I can't speak to the validity of that article. Can you link to it? I wouldn't say "there is no way", but in general, if an intelligence agency is "spying", they are probably doing it via a backdoor or information sharing instead of cracking encryption or performing MITM attacks. It's much easier for a government to buy their way in... – TTT Nov 10 '15 at 19:21
  • http://www.infobae.com/2015/10/20/1763699-denuncian-espionaje-jueces-politicos-y-periodistas-el-listado-completo It's in Spanish... and it's not a technical article... but it says something like: "They were intercepting landlines and storing information from Whatsapp, emails and text messages from cellphones and computers" Thanks for all the good stuff you shared!! – Andres Nov 10 '15 at 19:39
1

The exact level of security of TLS/SSL isn't really relevant here, because it's good enough that the easiest way to eavesdrop on a session in WhatsApp or similar is to compromise one of the endpoints, which necessarily have access to the unencrypted data.

Mike Scott