Old 17-01-2017, 18:42   #56
Erotavlas_turbo
Senior Member
 
Joined: Jun 2007
Posts: 768
The reply from the researcher who discovered the security flaw, directly in the Guardian.
He explains all the problems in detail and replies to the creator of Signal, showing that he made an error in defending WhatsApp on his blog.

Signal protocol creator: “The choice to make these notifications ‘blocking’ would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn’t, effectively telling the server who it could man-in-the-middle transparently and who it couldn’t; something that WhatsApp considered very carefully.”

Discoverer of the flaw: "This claim is false. Those “blocking” clients could instead retransmit a message of the same length that just contains garbage and this message would just not be displayed by the receiver’s phone. Encryption guarantees the garbage or real messages are indistinguishable in the encrypted form. Hence, this technique would make identifying users with the additional security enabled on a large scale impossible."
Moreover, wisely, he states:
"What Facebook should do is fix the issue, and release the source code of its apps so that the public can verify the integrity of its messaging apps. Facebook’s business asset is not the source code of the app; the source code of many apps with many of the same features is freely available already to competitors. Its real business asset is its massive, almost 2 billion-person user base. The source code of its highly scalable server infrastructure is also a true business asset but that part doesn’t need to be open sourced."

This seems to me the best solution for WhatsApp to regain a minimum of credibility (Telegram took the same route: open source app and closed source server).
Personally, after the announcement of data sharing with Facebook around September (later blocked, after the data had already been shared), I deleted my WhatsApp account and recommend using Signal, Wire or Telegram.
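The researcher's counter-argument quoted above, modelled as an added example (not code from the post, the Guardian article, or WhatsApp/Signal): a blocking client sends a same-length decoy after a key change while the real message waits for the user, so a relay that sees only ciphertext lengths cannot tell blocking clients from non-blocking ones. The cipher is a constructed SHAKE-256 keystream with an HMAC tag, chosen only to keep the script dependency-free, and the one-byte type header is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

REAL, DECOY = b"\x00", b"\x01"   # 1-byte type header inside the plaintext (assumption)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy cipher: nonce || keystream XOR plaintext || tag. Length depends only on len(plaintext)."""
    nonce = os.urandom(12)
    ks = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, ct: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify."""
    nonce, body, tag = ct[:12], ct[12:-32], ct[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(b ^ k for b, k in zip(body, ks))

def retransmit_after_key_change(key: bytes, msg: bytes, blocking: bool) -> bytes:
    """What the sender emits when the recipient's key changed before delivery.
    Non-blocking: the real message is re-encrypted to the new key (the behaviour
    the post criticises). Blocking: a same-length decoy goes out instead, and the
    real message is held until the user accepts the new safety number."""
    if blocking:
        payload = DECOY + os.urandom(len(msg))   # constructed garbage, same length
    else:
        payload = REAL + msg
    return encrypt(key, payload)

def server_view(ct: bytes) -> int:
    """Everything the relay learns about one message: its ciphertext length."""
    return len(ct)

def receiver_display(key: bytes, ct: bytes) -> Optional[bytes]:
    """Show real messages; silently drop decoys and anything that fails authentication."""
    pt = decrypt(key, ct)
    if pt is None or pt[:1] == DECOY:
        return None
    return pt[1:]
```

Because both retransmissions have identical ciphertext lengths and fresh random nonces, a relay observing traffic gets no bit of information about which policy a client runs.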