WeChat's custom encryption protocol under scrutiny
The University of Toronto’s Citizen Lab folks recently investigated WeChat’s encryption and found some possible security flaws. With over a billion users logging in monthly, WeChat runs a customized version of the Transport Layer Security (TLS) 1.3 protocol, which they call MMTLS.
WeChat’s encryption is set up in two layers:
- Business-layer encryption: Encrypts the plaintext content
- MMTLS: Further encrypts the already encrypted content before transmission
Even with these two layers, the researchers ran into a few issues:
- Business-layer encryption leaves important metadata unprotected, like user IDs and request URIs.
- MMTLS uses deterministic initialization vectors (IVs), which goes against recommended cryptographic practices.
- There’s no forward secrecy, which is vital for keeping things secure long-term.
Before 2016, WeChat only used business-layer encryption for its requests. Adding MMTLS was supposed to patch things up. Still, even though it made the app more secure by keeping the internal encryption harder to attack, the researchers say it’s still not entirely up to modern cryptographic standards for an app of this size.
The report points out a bigger issue in China’s tech scene: developers often build their own encryption systems instead of using well-known protocols like TLS 1.3 or QUIC, and these homegrown systems are usually less secure.
Citizen Lab thinks Tencent (WeChat’s parent company) should move to a standard TLS setup or use a TLS and QUIC combo to level up their security.
Are you a techie who knows how to write? Then join our Team! Wanted:
Details here
Source(s)
CitizenLab (in English)