Security enthusiast claims Wire isn't secure and that end-to-end encryption can be intercepted

[notnsane]

I'm not going to claim that I know the slightest about security, but I'm going to leave these links here so the community and developers can review them:

• https://medium.com/@pepelephew/how-to-intercept-all-wire-voice-and-video-calls-13da1246675c#.fmyybvcn6
• https://medium.com/@pepelephew/wires-certificate-validation-vulnerability-f2b415298e2e#.vsdmp5eo5

The whole point is getting the community involved. I did a couple searches and didn't found anything related to these articles.

Also, I don't know if this repo is the best one to publish this, but I chosen this one becase the wire (core?) repository has only 1 issue. Excuse me if I made any mistake.

[darkbluelight]

Wire's advertised security is a huge, essential selling point for users like me. If these linked concerns hold true, this is a massive problem that needs urgently fixed.

[darkbluelight]

Wire's advertised security is a huge, essential selling point for users like me. If these linked concerns hold true, this is a massive problem that needs urgently fixed.

[someoneEsle]

While you wait for an official reply from one of the developers, you may as well know that pepe_le_phew is an internet troll who has been spreading intentionally misleading rumors about Wire and its security. Wire's protocol implementation has been reviewed by a real company, that is by people with a much better credibility than some internet troll: https://medium.com/wire-news/wires-independent-security-review-61f37a1762a8#.vtaerb9s3. An even wider review of the code should be coming in the next months, I think.

As for the bug regarding certificate pinning it's already been fixed, and authenticated calls should be on their way very soon since (if I remember well) they are being heavily tested by the team.

[someoneEsle]

While you wait for an official reply from one of the developers, you may as well know that pepe_le_phew is an internet troll who has been spreading intentionally misleading rumors about Wire and its security. Wire's protocol implementation has been reviewed by a real company, that is by people with a much better credibility than some internet troll: https://medium.com/wire-news/wires-independent-security-review-61f37a1762a8#.vtaerb9s3. An even wider review of the code should be coming in the next months, I think.

As for the bug regarding certificate pinning it's already been fixed, and authenticated calls should be on their way very soon since (if I remember well) they are being heavily tested by the team.

[raphaelrobert]

Hi @notnsane,

As @someoneEsle mentined, some misleading blog posts were written about Wire's security and were quickly debunked by the community (https://twitter.com/tqbf/status/830126993156997120).

Wire addressed the calling:
https://medium.com/@wireapp/we-have-always-been-open-about-how-end-to-end-calling-on-wire-works-70b6a6f03cae

The code for the pinning on Android was fixed days before the blogpost:
wireapp/wire-android-sync-engine#47

To be clear about the pinning: It was never possible to perform a MITM attack with self-signed certificates. The threat model in the blogpost is quite misleading.

[raphaelrobert]

Hi @notnsane,

As @someoneEsle mentined, some misleading blog posts were written about Wire's security and were quickly debunked by the community (https://twitter.com/tqbf/status/830126993156997120).

Wire addressed the calling:
https://medium.com/@wireapp/we-have-always-been-open-about-how-end-to-end-calling-on-wire-works-70b6a6f03cae

The code for the pinning on Android was fixed days before the blogpost:
wireapp/wire-android-sync-engine#47

To be clear about the pinning: It was never possible to perform a MITM attack with self-signed certificates. The threat model in the blogpost is quite misleading.

[darkbluelight]

@someoneEsle It's very nice to see that Wire had its Proteus messaging protocol implementation reviewed by Kudelski Security and X41D-Sec but they didn't review audio and video calls (yet).

You mentioned a wider review of the code that is coming, I'm very much looking forward to it. @raphaelrobert good to see that a new improved version of calling is coming and the code for the pinning was fixed.

I also can't wait for the server code to be released (end Q1 2017), this will be a big advantage over Signal etc.

[darkbluelight]

@someoneEsle It's very nice to see that Wire had its Proteus messaging protocol implementation reviewed by Kudelski Security and X41D-Sec but they didn't review audio and video calls (yet).

You mentioned a wider review of the code that is coming, I'm very much looking forward to it. @raphaelrobert good to see that a new improved version of calling is coming and the code for the pinning was fixed.

I also can't wait for the server code to be released (end Q1 2017), this will be a big advantage over Signal etc.

[notnsane]

Awesome! Thanks to all who contributed to this thread 😃 It will help a lot to clarify Wire's security in the future. I'm going to close it this issue.

[notnsane]

Awesome! Thanks to all who contributed to this thread 😃 It will help a lot to clarify Wire's security in the future. I'm going to close it this issue.

[jawz101]

It's odd you all are calling someone a troll while claiming fixes for the security issues you say he cited were either fixed within days of an article or say are about to be fixed.

That's like quitting a 10 year drug habit yesterday and claiming you are drug free today... except for the paint you're still huffing, that is.

I just saw a link to this post on Reddit and it reads like you all use the words "myth" and "debunked" incorrectly.

[jawz101]

It's odd you all are calling someone a troll while claiming fixes for the security issues you say he cited were either fixed within days of an article or say are about to be fixed.

That's like quitting a 10 year drug habit yesterday and claiming you are drug free today... except for the paint you're still huffing, that is.

I just saw a link to this post on Reddit and it reads like you all use the words "myth" and "debunked" incorrectly.

[teller]

@jawz101 Troll in the sense that their Twitter and Medium have been set up with a singular goal of attacking Wire. They did not disclose discovered bug in a responsible manner that is the norm in the infosec community, instead made it public without prior warning (we got the fix live in 8 days).

[teller]

@jawz101 Troll in the sense that their Twitter and Medium have been set up with a singular goal of attacking Wire. They did not disclose discovered bug in a responsible manner that is the norm in the infosec community, instead made it public without prior warning (we got the fix live in 8 days).

[noahcodez]

I followed a link here and skimmed through this discussion until I read @jawz101's comment, which made me go back and review everything more closely.

Looking at the timeline, I am stunned by Wire's response. Reading everything carefully and looking at the commit timeline:

a) Everything Tina documented was accurate

b) Wire denied having problems with certificate pinning. Wire wrote a blog post saying there was nothing wrong, and implied that the claims were in some way not accurate.

c) During the period Wire told us that nothing was wrong, Wire was aware that the reported problems were accurate. Wire let an active vulnerability exist for 8 days and did not notify us.

d) After fixing (I hope?) the certificate pinning vulnerability, Wire still did not notify us that we had been vulnerable for years, and in this thread Wire is still implying that these reports were "misleading," "debunked," and using other ad-hominem attacks like "troll."

@teller I get the feeling you don't like the person who reported these security vulnerabilities, but that is between you and her. Your responsibility to us is to be honest, to notify us when we are in danger and to take precautions to prevent these types of problems from occurring.

I work in IT so I know that software mistakes happen. It is bad that you had a security vulnerability, but your response to it is what has convinced me to stop using Wire and to recommend that my friends also stop.

[noahcodez]

I followed a link here and skimmed through this discussion until I read @jawz101's comment, which made me go back and review everything more closely.

Looking at the timeline, I am stunned by Wire's response. Reading everything carefully and looking at the commit timeline:

a) Everything Tina documented was accurate

b) Wire denied having problems with certificate pinning. Wire wrote a blog post saying there was nothing wrong, and implied that the claims were in some way not accurate.

c) During the period Wire told us that nothing was wrong, Wire was aware that the reported problems were accurate. Wire let an active vulnerability exist for 8 days and did not notify us.

d) After fixing (I hope?) the certificate pinning vulnerability, Wire still did not notify us that we had been vulnerable for years, and in this thread Wire is still implying that these reports were "misleading," "debunked," and using other ad-hominem attacks like "troll."

@teller I get the feeling you don't like the person who reported these security vulnerabilities, but that is between you and her. Your responsibility to us is to be honest, to notify us when we are in danger and to take precautions to prevent these types of problems from occurring.

I work in IT so I know that software mistakes happen. It is bad that you had a security vulnerability, but your response to it is what has convinced me to stop using Wire and to recommend that my friends also stop.