Security can be a fractious space, withclaim and counterclaim flying as rivalsjockey forpositionand to achieve reputational robustness. Cutting through thenoise can be impossible without outside expertise, which is why it’s so valuable to have an expert auditof a securityproduct.
To wit: encrypted messaging appWire has now published an externalaudit of its crypto protocol, Proteus, and the implementation of theprotocol across its various apps.
It’s a paid audit,conducted for Wire by two security researchers, Jean-PhilippeAumasson from Kudelski Security , and Markus Vervier from X41 D-Sec .
In a Medium post detailing the review, Wirewrites: “The review covers Proteus implementation in all platforms where Wire is available ― iOS, Android, macOS, windows, linux, and Wire for Web that works in modern, webRTC-supported browsers.”
An outside audit is perhaps especially valuable for Wire at this point as it took some flak recently followinga critical blog post which was shared via Twitterand drewthe attention of the security community.
Wire rejected the criticisms and argued it was being unfairly targeted by anonymous accountsposting on social media. TechCrunch contacted thewriter of the original critical post who is named on Medium as Tina Membe , but theperson wouldnot divulge his or heridentity to us― only qualifying themselves as“not really a security researcher”.
That said, the personstood by their criticismof Wire’s code, describing it as “very messy” and specifically criticizing how Wire performs certificate pinning ― arguing their methodisflawed because itcould be bypassed by state-level attackers.
“One example, the code enables ‘pinning’ only if the ‘subject alternative name’ of the certificate matches http://wire.com or ends with http://wire.com,” they told us, pointing to this part of Wire’s code . “But ‘subject alternative name’ is optional in certificates. Attacker would issue a certificate for ‘common name’ of http://wire.com from any CA (China, Tunisia, Turkey, etc) omit ‘subject alternative name’ and this would consider it valid.
“I think this is a very obvious mistake, a real security researcher could verify for you,” they added.
Wire’s security reviewers did identifysome issues with the software ― including a bug allowing invalid public keys to be transmitted and processed without being flagged as an error. But the reviewersalso describe the reviewed components as having “a high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs”.
The review covered Wire’sprotocol specification and protocol implementation. More specifically, the implementation of its Proteus messaging protocol and Cryptobox API and its C wrapper Cryptobox-C . “Cryptobox defines a simple, high-level API to Proteus in order to hide the protocol’s complexity to callers in Wire applications,” is Wire’sexplainer of that component.
The review also included CoffeeScript counterparts of Proteus and cryptobox as implemented in the proteus.js and cryptobox.js .
A third layer of security review ― consideringthe complete solution in the round ― remains ongoing, according to Duric.
In their overview of the audit, the external security reviewers write:
The components reviewed were found to have a high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs. Issues were nonetheless found, with some of them potentially leading to a degraded security level. None of the issues found is critical in terms of security. We for example found that invalid public keys could be transmitted and processed without raising an error. As a consequence, the shared secret negotiated by communicating parties becomes predictable, which in turns weakens security guarantees in terms of “break-in recovery”. The root cause of this issue is a bug in a third-party component (neglect to verify an error code). We recommend that this issue be fixed, and that other security improvements be implemented to address thread-unsafety risks, sensitive data in memory, and other aspects as described in this report.
Wiresays it has fixed all issues identified by the review and deployed the fixes on iOS and Android, and is in the process of deploying on Wire for web and its desktop apps.
It goes without saying thatfor any security productperceptions of insecuritycan do real and lasting damage. So Wirewill clearly be hoping that an externalreview of its crypto helps to dispelsome of the criticisms it has attracted ― and Duric was quick to point us to a sampleearly assessment of the audit from asecurity academic:
Really solid looking audit of the @wire app, by @veorq at Kudelski. We should have more like this. https://t.co/H7fgE1qBKq
― Matthew Green (@matthew_d_green) February 9, 2017
“Kudelski is independent reviewer,” Duricadded, via email, of the firm itpaid to carry out the audit. “Company with long tradition in the field and experts that concluded review are among leading experts in the field.”Katriel Cohn-Gordon, one of the group of academicsecurity researcherswho audited the Signal Protocol ― which powers the eponymous Signal encrypted messaging app ― also welcomed Wire’s move. “It’s good to see companies like Wire being transparent about their security,” he wrotein an email to TechCrunch. “[The audit] seems well-written and Wire’s prompt response is a good sign.”
Signal’s protocol is not the same as Wire’s Proteus protocol howeverWire did use some open source components written by the Signal Protocol’s creator, Open Whisper Systems, and as a result Wire’sProteus protocol code displays a copyright attribution reflectingthis reuse.
Wire says it is committing to regular external security reviews from here on in, as it continues to develop its apps.“Going forward every major development at Wire will also include a security review,” it writes in its blog. “We’ll continue to partner with security experts like Kudels