Even if you use good cryptographic building blocks, and good libraries that implement the building blocks, you can still make horrible mistakes with protocol design.
The best mechanism we have for preventing weak cryptographic protocols is to use formal methods (proofs, checked by a computer).
* Threema's end-to-end inner protocol, the one used to exchange messages between actual humans, is based on a single X25519 key, used bidirectionally. It has no forward secrecy. Worse, to prevent otherwise-trivial replay attacks made possible by the simplistic structure of the protocol, both sides have to cache every nonce they've seen used to encrypt a message. This breaks down when users change devices, which, due to the structure of the protocol, is trivially detectable.
* The Threema E2E protocol includes enough metadata to ostensibly enforce message ordering, but they don't authenticate it, so attackers can (1) strip the metadata off and (2) hold back and/or reorder messages at their luxury.
* Threema has the hello-world of E2E protocols, but for reasons not made clear has chosen to build their own transport protocol for client-server transactions (ie, login), rather than using TLS or NoiseIK. The C2S handshake has the raw material to do an authenticated DH key exchange, ala 3DH (both sides have long-term and ephemeral secrets), but they freelanced it instead and come up with a proof-of-identity round trip that is trivially replayable, and which destroys the forward secrecy of the C2S protocol.
* One form of Threema backup uses encrypted ZIPs, which reveal the names of files, which files apparently (according to the paper) reveal the identity of counterparties you've been talking to. Also: the ZIP library the client uses didn't verify MACs, and while Threema fixed that, the maintainer of the ZIP library Threema chose hasn't responded, which is :grimace-emoji:.
* You can "lock" your Threema app, but it does so much background processing that attackers can extract your private key if they have access to the device (or, maybe, all its traffic?) --- to wit, Threema does automated backups, the backups are compressed-then-encrypted, Threema processes messages in the background even when locked, one of those messages runs an automatic contact discovery protocol, and attackers can inject contact-discovery messages to do a byte-by-byte CRIME-style recovery of the private key, which is embedded in the same JSON document(!) as contact information in the backup system.
There is a very funny bit in the middle of the paper where they reconstitute the C2S proof-of-identity replay attack, this time minting a new identity proof rather than replaying it. To pull this off, they bounce the C2S protocol off of the E2E protocol: because, and I cannot believe I am saying this, Threema uses PKCS7 padding (ie, "I'm 3 bytes short of my block size, so I'll pad with 03h 03h 03h"), you can trick a Threema client into sending a message which, once encrypted, will have the 01h-delimited format of the identity proof (because 1/254 validly padded messages will happen to end in 01h). I didn't read closely enough to figure out if there was any reason you would go to the trouble of executing this attack variant, and it is entirely possible that they are just showing off. But: that's why you read these kinds of papers! For the stunt cryptography!
A bit of advice: read these papers for the cryptographic design and pitfall ideas, not for verdicts on which messaging systems to use. Maybe there are very good reasons to use Threema besides its flimsy protocol design; the point is: we know how to design better protocols that don't have these problems, and so (1) here are some more examples for the textbooks on why you should domain-separate your keys (for instance, to make it impossible to bounce the C2S protocol off the E2E protocol in the first place), and (2) Threema could drastically improve their system simply by adopting a known-good protocol rather than freelancing their own.
Great stuff.
A lot of those issues fall into the category of warning signs that foretell impending doom beyond the immediate problem being identified. Like looking at a house you're thinking of buying and seeing a giant hole in the wall and looking at a different house with a damp mildew smell in every room. The hole in the wall is a more immediate and obvious problem, but the smell suggests the more significant concern.
Cryptographic systems in particular seem good at generating these kind of warning signs, since there is a significant overlap between "I can't immediately catastrophically break this" and "WTF are you doing?". Arguably, making these kinds of terrible cryptographic choices suggests something fundamentally broken in your design process that isn't fixed by just addressing specific weaknesses. This seems especially true in the secure messaging arena, where if you can't articulate an extremely good reason you can't use an existing protocol, the default position should be to avoid your product.
'A functional, secure E2EE instant messenger with broad public appeal/usability' is just a very convoluted, readily bungle-able project.
Edit: notably, this wouldn't be a problem if (1) Threema required a preconfigured password to encrypt the private key with, or (2) used an identity transfer scheme that was detectable on the target device. But since they're just copying a key, it's entirely undetectable.
https://threema.ch/en/blog/posts/news-alleged-weaknesses-sta... New Paper on Old Threema Protocol
"Good research, and here's how we've addressed those issues and proactively enhanced our security even further" is a decent story to be able to tell about how you're constantly trying to make your customers safer. Being defensive and dismissive sends the exact opposite message...image is more important than security.
It's the company that's promoting its product with "Trust us, we're Swiss", even though it's a stupid argument after Crypto AG (and a few other, similar exploits): https://en.wikipedia.org/wiki/Crypto_AG
What issues are fixable, which are more endemic to the classical architectures?
[0] https://spectator.sme.sk/c/22216551/threema-saga-kocner-repo...
Unfortunately, this is a big dynamic on HN, not just on cryptography threads, but especially on threads rooted in stories with intense technical details. It's time consuming to bring yourself up to speed with what the paper says, but it's easy to have something to say about, say, Signal phone numbers. Which means comments here will be heavily biased towards superficial and tangential stuff.
I do like this feature a lot. I think converting to passphrases (random words) as well could be a good idea (to make it easier to share) -- I think it's a good simple way to make decentralized/secure systems.
Hey, me and the guys are planning a riot at the Capitol. Wanna come? Join my telegram group and we can talk about it in secret thanks to end-to-end encryption! Here's the public link...
That's also why I use Tutanota, one of the very few mail providers that you can use without a phone number.
Threema also allows that.
I think they really nailed that aspect: Tie the primary identity to a key, not a phone number, and then add a discovery layer on top of that.
Tech paper for anyone interested: https://www.olvid.io/assets/documents/2020-12-15_Olvid-speci...
I love Signal and think it is a great problem. I think it is too slow (e.g. username rollouts...) -- especially with Moxie's famous fuck decentralization speech -- and needs to actually adapt to the moving ecosystem, but people complain about it in weird ways. For better or for worse, right now it is the best game in town simply because messaging apps require networks. We'll see if they last though, because they aren't adapting fast enough. I think this would be a shame. But it is also a shame that Signal is failing so hard.
[0] https://community.signalusers.org/t/signal-needs-to-shift-to...
