Security experts fear the DMA will break WhatsApp encryption

On March 24, the EU’s governing bodies announced that they had reached agreement on the broadest law yet covering European big tech, the Digital Markets Act (DMA). Under the bill’s measures, major tech companies with a market capitalization above €75 billion or more than 45 million users in the EU will have to make their products interoperable with those of smaller platforms, and one of the product categories this covers is messaging apps. That could mean mixing end-to-end encrypted services like WhatsApp with far less secure protocols like SMS, and security experts are concerned that it will undermine hard-won gains in message encryption.

The DMA’s main focus is a class of large technology companies it calls “gatekeepers”, defined by the size of their audience or revenue and, by extension, the structural power they can exert over smaller competitors. With the new regulations, the EU wants to “open up” some of the services these companies offer so that smaller businesses can compete. That could mean letting users install third-party apps from outside the App Store, letting outside sellers rank higher in Amazon search results, or requiring messaging apps to send texts across multiple protocols.

That last requirement, however, could cause serious problems for services that promise end-to-end encryption. The consensus among cryptographers is that preserving encryption between different apps is difficult, if not impossible, and that the consequences for users could be significant. Signal itself is small enough not to be covered by the DMA, but WhatsApp, which is owned by Meta and uses the Signal protocol, certainly would be. As a result, some or all of WhatsApp’s end-to-end message encryption could be weakened or removed, stripping more than a billion users of the protection of private messaging.

Given how precisely cryptographic standards have to be implemented, experts say there is no simple fix for reconciling security with interoperability between encrypted messaging services. In fact, there is no way to merge the different forms of encryption used by apps with different design features, according to Steven Bellovin, a widely respected internet security researcher and professor of computer science at Columbia University.

“Trying to reconcile two different cryptographic architectures simply can’t be done; one side or the other will have to make major changes,” says Bellovin. “A design that works only when both parties are online looks very different from one that works with stored messages…. How do you make those two systems interoperate?”

Making the various messaging services compatible could lead to a lowest-common-denominator approach to design, Bellovin said, in which the unique features that make a particular app valuable to its users are stripped away until a shared level of compatibility is reached. If one service supports encrypted multi-party communication and another does not, for example, keeping communication flowing between them usually requires decryption somewhere along the way.

Alternatively, the DMA could lead to an approach in which messages sent between two platforms with incompatible encryption schemes are decrypted and re-encrypted as they pass between them. That breaks the chain of “end-to-end” encryption and creates a point at which a malicious actor could intercept the messages.
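To make the difference between a relay and a bridge concrete, here is an added simulation that is not part of the article and not code from WhatsApp, Signal, Matrix or any other vendor. It uses a deliberately toy cipher (HMAC-SHA256 keystream plus HMAC tag; every name, key and message below is constructed for the example) to model two incompatible “protocols”. A relay between two clients on the same protocol only ever holds ciphertext; a bridge between two incompatible protocols has to hold a key for each side and therefore holds the plaintext in the middle, which is exactly the interception point the paragraph above describes.

```python
"""Simulated message path: same-protocol relay vs. cross-protocol bridge.

Toy model only: the cipher is an HMAC-SHA256 keystream with an HMAC tag,
NOT a real messaging protocol. Its purpose is to show what each kind of
intermediary can observe, nothing more.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class ToyE2EE:
    """One 'messaging protocol'. Instances with different labels are deliberately
    incompatible: the tag is bound to the label, so a protocol-A client cannot
    verify a protocol-B message even if both happen to hold the same key."""

    def __init__(self, label: bytes, key: bytes):
        self.label = label
        self.key = key

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ks = _keystream(self.key, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.key, self.label + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # wire format: nonce || ciphertext || tag

    def decrypt(self, wire: bytes) -> bytes:
        nonce, ct, tag = wire[:16], wire[16:-32], wire[-32:]
        expected = hmac.new(self.key, self.label + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: wrong key or wrong protocol")
        ks = _keystream(self.key, nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


def relay_same_protocol(plaintext: bytes):
    """Alice -> relay -> Bob, both on protocol A. The relay only forwards bytes.
    Returns (what Bob reads, every byte the relay ever held)."""
    shared_key = os.urandom(32)  # constructed: pretend a key agreement already ran
    alice = ToyE2EE(b"protocol-A", shared_key)
    bob = ToyE2EE(b"protocol-A", shared_key)
    wire = alice.encrypt(plaintext)
    observed = wire  # the relay never holds anything else
    return bob.decrypt(wire), observed


def bridge_cross_protocol(plaintext: bytes):
    """Alice on protocol A -> bridge -> Bob on protocol B. The formats are
    incompatible, so the bridge must be Alice's peer on side A and Bob's peer on
    side B, and the plaintext necessarily exists at the bridge."""
    key_a, key_b = os.urandom(32), os.urandom(32)  # constructed per-side keys
    alice = ToyE2EE(b"protocol-A", key_a)
    bridge_side_a = ToyE2EE(b"protocol-A", key_a)
    bridge_side_b = ToyE2EE(b"protocol-B", key_b)
    bob = ToyE2EE(b"protocol-B", key_b)

    wire_a = alice.encrypt(plaintext)
    middle = bridge_side_a.decrypt(wire_a)  # plaintext, outside both endpoints
    wire_b = bridge_side_b.encrypt(middle)
    observed = wire_a + middle + wire_b
    return bob.decrypt(wire_b), observed


def intermediary_sees_plaintext(observed: bytes, plaintext: bytes) -> bool:
    """True if the intermediary's view of the traffic contains the message."""
    return plaintext in observed


def cross_protocol_direct_delivery_fails(plaintext: bytes) -> bool:
    """Forwarding protocol-A bytes straight to a protocol-B client does not work,
    which is why a bridge has to decrypt rather than just relay."""
    key = os.urandom(32)
    alice = ToyE2EE(b"protocol-A", key)
    bob = ToyE2EE(b"protocol-B", key)  # same key, different protocol
    try:
        bob.decrypt(alice.encrypt(plaintext))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"meet at the usual place at 9pm, bring the documents"  # constructed
    _, seen = relay_same_protocol(msg)
    print("relay sees plaintext: ", intermediary_sees_plaintext(seen, msg))
    _, seen = bridge_cross_protocol(msg)
    print("bridge sees plaintext:", intermediary_sees_plaintext(seen, msg))
```

The point the simulation makes is structural, not cryptographic: swapping the toy cipher for a real one changes nothing about the bridge, because an intermediary that has to re-encrypt for a different protocol must first decrypt, and whoever operates that intermediary (or compromises it) reads every message that crosses it.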

Internet security expert Alec Muffett, a former Facebook engineer who recently helped Twitter launch an encrypted Tor service, told The Verge that it’s a mistake to think Apple, Google, Facebook and other tech companies make identical, interchangeable products that can be easily combined.

“If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Muffett said. “What happens when the requested sushi arrives at McDonald’s by courier from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to its customers? Was the courier service legitimate? Was the sushi prepared safely?”

Today, each messaging service is responsible for its own security. By requiring interoperability, Muffett and others argue, users of one service would be exposed to vulnerabilities introduced by another, leaving everyone only as secure as the weakest link.

Another concern raised by security experts is maintaining a consistent “namespace”, the set of identifiers used to designate different devices in a networked system. A basic principle of encryption is that a message is encoded in a way that is unique to a known cryptographic identity, so sound identity management is fundamental to maintaining security.

Alex Stamos, director of the Stanford Internet Observatory and a former Facebook chief security officer, said: “How do you do end-to-end encryption without trusting that all providers handle identity management … If the goal is for all messaging systems to treat each other’s users exactly the same, this is a privacy and security nightmare.”

Not all security professionals have responded so negatively to the DMA. Some of the objections raised by Muffett and Stamos were addressed in a blog post from Matrix, a project that develops open-source standards for secure communication.

Written by Matrix co-founder Matthew Hodgson, the post acknowledges the challenges of mandated interoperability but argues that the benefits of challenging the tech giants’ hold on closed messaging ecosystems outweigh them.

“In the past, gatekeepers dismissed the effort of [interoperability] as not being worth it,” Hodgson told The Verge. “After all, the default course of action is to build a walled garden, and having built one, it’s tempting to lock in as many users as possible.”

However, users have generally been happy to centralize their trust and their social graph in a single app, so it’s unclear whether a top-down imposition of cross-platform messaging reflects any demand from below.

“iMessage already has interoperability. It’s called SMS, and users really hate it. And it has really bad security properties that green bubbles don’t explain.”
