This post is a direct response to moxie's post, hence the original title "There is a WhatsApp Backdoor", which I have changed now because I find the "Backdoor vs. Vulnerability" discussion uninteresting.
You can argue about whether we are looking at a vulnerability, i.e. something that is in there by error, or a backdoor, i.e. something that is in there deliberately. But this discussion is not very interesting.
Facebook and moxie do not deny that there is a vulnerability that can be used to 'wiretap' targeted conversations, for example by governments with access to WhatsApp servers. For details on the vulnerability, see my initial blog post, some slides, or my video. In the video, you can also see that the vulnerability cannot be avoided by verifying fingerprints or by checking a checkbox in the WhatsApp settings.
The UX 'downgrade' we are talking about
Signal does not have this vulnerability, but WhatsApp does. So how are they different? How much more difficult is Signal to use?
Imagine you drop your phone into the ocean and only a month later get a new phone. During that month, some friends might've sent you messages. In WhatsApp, your friends' phones are instructed to automatically re-encrypt and retransmit those messages. But they don't know whether they are really sending them to you or to the government. Only afterwards, and only if your friends specifically asked WhatsApp to do so, will they see a warning that something shady might have been going on. Signal, on the other hand, will tell your friends something like "there might've been something shady going on. Do you want to resend your message?".
First: How often do those situations occur? I'd say not so often. WhatsApp says "millions of messages", which is actually not that much considering they send around 42 billion (with a b) messages per day through their servers.
Second: Is it really that much to ask for from the users?
Even with the "give me additional security" setting, WhatsApp retransmits messages
So there is this setting in WhatsApp "Show security features". It basically tells WhatsApp "Hey, I'm especially concerned about my privacy. I know what I am doing. Please give me the best privacy possible". But even with this setting enabled, WhatsApp will automatically re-encrypt and retransmit messages, leaving the sender vulnerable.
Moxie tries to explain why this choice has been made:
The choice to make these notifications "blocking" would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn't, effectively telling the server who it could MITM transparently and who it couldn't; something that WhatsApp considered very carefully.
This claim is false. Those "blocking" clients could instead retransmit a message of the same length that just contains garbage: instead of "Login with the password d98y289whcma0", they'd send "0000000000000000000000000000000000000", and this message would simply not be displayed by the receiver's phone. By the guarantees of encryption, those two messages are indistinguishable in their encrypted form. Hence, this technique would make identifying users with the additional security enabled on a large scale impossible.
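To make the argument of the two preceding sections concrete (the automatic retransmission even with the security setting enabled, and the same-length cover message that a blocking client could send instead), here is a small simulation. It is an added example and not code from this post, from WhatsApp or from Signal; the cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256 that stands in for the real protocol, and the mode names, the one-byte message type inside the encrypted payload and the all-zero cover body are assumptions made for the illustration. The point it demonstrates is that the server, which only sees ciphertext, obtains the same number of bytes whether the client silently retransmitted the real text or sent a cover message and asked the user first.

```python
import hashlib
import hmac
import os

# Message types carried *inside* the encrypted payload. The type byte is
# encrypted together with the body, so the server never sees it. (Assumed
# format for this example, not the real WhatsApp/Signal wire format.)
TYPE_TEXT = 0
TYPE_COVER = 1

NONCE_LEN = 12
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one session key.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 (stand-in for the real
    # cipher; constructed for this example only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC. Ciphertext length = NONCE_LEN + len(payload) + TAG_LEN."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def sender_on_key_change(mode: str, new_key: bytes, queued_text: bytes):
    """What the sender puts on the wire when the server announces a new key for
    the recipient while a message is still queued. Returns (blob, note).

    "auto_retransmit": re-encrypt the real text under the new key right away.
    "blocking_cover":  send an all-zero cover message of the same length and
                       keep the real text until the user has confirmed the key.
    """
    if mode == "auto_retransmit":
        payload = bytes([TYPE_TEXT]) + queued_text
        return encrypt(new_key, payload), "sent real text under unverified key"
    if mode == "blocking_cover":
        payload = bytes([TYPE_COVER]) + bytes(len(queued_text))  # zeros, same length
        return encrypt(new_key, payload), "held real text; user must confirm new key"
    raise ValueError(f"unknown mode {mode!r}")


def receiver_handle(key: bytes, blob: bytes):
    """Return the text to display, or None for a cover message (dropped silently)."""
    payload = decrypt(key, blob)
    if payload[0] == TYPE_COVER:
        return None
    return payload[1:]


def server_can_distinguish(blob_a: bytes, blob_b: bytes) -> bool:
    """The server sees only ciphertext; length is the sole signal it could use
    to tell a cover message from a real retransmission."""
    return len(blob_a) != len(blob_b)


if __name__ == "__main__":
    new_key = os.urandom(32)  # key the server claims belongs to the recipient's new phone
    text = b"Login with the password d98y289whcma0"  # the post's own example text
    ws_blob, ws_note = sender_on_key_change("auto_retransmit", new_key, text)
    bl_blob, bl_note = sender_on_key_change("blocking_cover", new_key, text)
    print(ws_note, "->", receiver_handle(new_key, ws_blob))
    print(bl_note, "->", receiver_handle(new_key, bl_blob))
    print("server can tell the two modes apart:", server_can_distinguish(ws_blob, bl_blob))
```

Because the type byte and the zero body are both under the encryption, the two blobs differ only in bytes the server cannot read, and their lengths are identical. A client in the blocking mode therefore looks, from the server's side, exactly like one that retransmitted silently.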
Only one message?
There have been claims that only one single message is exposed before the sender notices that something shady might be going on. For technical reasons, only the case with one message can be demonstrated, but there is reason to believe the attack can be extended to a longer conversation. The Signal protocol allows "lost or out-of-order messages". Therefore it should be possible for the WhatsApp server to block all "message has been received" notifications for a long conversation while it still correctly forwards the actual text messages. The "receipt" notifications, if encrypted at all, can be distinguished from normal text messages because they are the ones sent directly after the receiver receives a message.
The users would then only see one tick for all their messages, but won't bother because it is working. After days, weeks or maybe even months, the described attack can then be launched in order to get a copy of the whole conversation history since that point in time.
File transfers and voice calls affected as well
Not only messages, but also voice calls and file transfers can be intercepted with this vulnerability.
moxie, I do respect all the work you've done to promote widespread encryption. But regarding this topic you're wrong.
Facebook, please just fix this. Here is a personal suggestion of what to do.