This post illustrates one of the many reasons the solution is less effective than I would like it to be. Specifically, when the system spits out weird results (changing safety numbers, mismatched numbers) it tends to be hard to diagnose the problem in a way that lets you verify, let alone prove to third parties, that there really was an attack. Since changes and mismatches "just happen", people tend to take warnings less seriously than they would if there was a path to diagnosing the problem. Moreover, from a hypothetical attacker's perspective there isn't much disincentive when most users will just shrug at these problems. I'm not sure there's a perfect solution to this, but I think it would be interesting to make these systems more robust.
Ideally we'd all use an append-only merkle log ala certificate transparency to lookup public keys. This is much harder to MITM, and you can do lookups over onion routing to make it even harder. Of course, if your identifiers have PII (like phone numbers in Signal and Whatsapp) this is not going to fly, but that's the bed they made for themselves.
I'd love to hear what you think about a log a few colleagues and I have designed. We've tried to get to the essence of transparency logging. It's a minimalistic design, and it doesn't require trusting the log operator.
www.sigsum.org
This is by no means fool-proof, but it would at least work against the problem now where they are basically training users to ignore these dialogs.
I doubt it was nefarious. Anyone know why something like this would happen? Is there some internal calibration going on or maybe a bug? I disabled WhatsApp's camera permission immediately afterwards.
I imagine for that to work it needed my camera to always be permitted by WhatsApp, and now with Android's latest version where it shows what's using your live mic or camera, FB didn't bother updating the above feature.
Just my hypothesis!
Given they're a Facebook company, I'm not sure why you'd doubt it was nefarious
It's a bit annoying because it undermines the value of the security notification. People get used to it (the boy that cried wolf). I used to get people asking if things were ok if I moved to a new device. This won't happen anymore when people get ten of these a day
This is a problem that is as old as public key cryptography and nobody really solved it since… uhhh the 90s? I don’t know
Also see "Why Johnny Still Can't Encrypt", 2015: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.22...
Also see "Why Johnny Still, Still Can't Encrypt", 2016: https://arxiv.org/abs/1510.08555
It is kind of depressing that so many years have passed and we are still confusing people with impossible to understand stuff as per the current WhatApp example.
