Messaging app Wire now has an external audit of its e2e crypto

Security can be a fractious space, with claim and counterclaim flying as rivals jockey for position and to achieve reputational robustness. Cutting through the noise can be impossible without outside expertise, which is why it’s so valuable to have an expert audit of a security product.

To wit: encrypted messaging app Wire has now published an external audit of its crypto protocol, Proteus, and the implementation of the protocol across its various apps.

It’s a paid audit, conducted for Wire by two security researchers, Jean-Philippe Aumasson from Kudelski Security, and Markus Vervier from X41 D-Sec.

In a Medium post detailing the review, Wire writes: “The review covers Proteus implementation in all platforms where Wire is available — iOS, Android, macOS, Windows, Linux, and Wire for Web that works in modern, webRTC-supported browsers.”

An outside audit is perhaps especially valuable for Wire at this point as it took some flak recently following a critical blog post which was shared via Twitter and drew the attention of the security community.

Wire rejected the criticisms and argued it was being unfairly targeted by anonymous accounts posting on social media. TechCrunch contacted the writer of the original critical post who is named on Medium as Tina Membe, but the person would not divulge his or her identity to us — only qualifying themselves as “not really a security researcher”.

That said, the person stood by their criticism of Wire’s code, describing it as “very messy” and specifically criticizing how Wire performs certificate pinning — arguing their method is flawed because it could be bypassed by state-level attackers.

“One example, the code enables ‘pinning’ only if the ‘subject alternative name’ of the certificate matches http://wire.com or ends with http://wire.com,” they told us, pointing to this part of Wire’s code. “But ‘subject alternative name’ is optional in certificates. Attacker would issue a certificate for ‘common name’ of http://wire.com from any CA (China, Tunisia, Turkey, etc) omit ‘subject alternative name’ and this would consider it valid.

“I think this is a very obvious mistake, a real security researcher could verify for you,” they added. (Following this conversation, Membe wrote another blog detailing the certification validation vulnerability — which can be found here.)

Update: Wire says it had fixed the certificate pinning issue identified by Membe by January 27. “The scope of this flaw was very limited, it only affected Android, and it only affected transport encryption. Wire’s end-to-end-encryption using Proteus was not affected by this,” says Duric. He adds that the security reviewers were also asked to check the approach of the fix before it was deployed. (For more details of the fix see here. The part of the code where the fix was deployed can be found here.)
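
The pinning logic Membe describes can be modelled in a few lines. This is an added illustration, not Wire's code or its fix: the `Cert` record, pin values and host names are constructed, and ordinary CA and hostname validation is reduced to a boolean.

```python
from dataclasses import dataclass, field

# Constructed placeholder pin, not a real Wire value.
WIRE_PINS = {"PIN-WIRE-EXAMPLE"}

@dataclass
class Cert:
    common_name: str
    spki_pin: str                       # stands in for a hash of the public key
    sans: list = field(default_factory=list)
    chain_trusted: bool = True          # stands in for normal CA/hostname validation

def flawed_accept(cert: Cert) -> bool:
    """Pinning is switched on by the certificate's own SAN field."""
    if not cert.chain_trusted:
        return False
    if any(n == "wire.com" or n.endswith("wire.com") for n in cert.sans):
        return cert.spki_pin in WIRE_PINS
    return True     # no matching SAN: the pin check is silently skipped

def hardened_accept(hostname: str, cert: Cert) -> bool:
    """Pinning is switched on by the host the client asked to reach."""
    if not cert.chain_trusted:
        return False
    # Dot-anchored suffix so only wire.com and its subdomains are pinned.
    if hostname == "wire.com" or hostname.endswith(".wire.com"):
        return cert.spki_pin in WIRE_PINS
    return True

# Constructed samples: the genuine server certificate, and a certificate
# from some other trusted CA carrying only a common name and no SAN.
GENUINE = Cert("prod.wire.com", "PIN-WIRE-EXAMPLE", ["prod.wire.com"])
CN_ONLY = Cert("wire.com", "PIN-OTHER-CA", [])

def demo() -> dict:
    return {
        "flawed_genuine": flawed_accept(GENUINE),
        "flawed_cn_only": flawed_accept(CN_ONLY),
        "hardened_genuine": hardened_accept("prod.wire.com", GENUINE),
        "hardened_cn_only": hardened_accept("wire.com", CN_ONLY),
    }
```

The difference is which input selects the pinning branch: a field the certificate issuer controls, or the host name the client chose.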

Wire’s security reviewers did identify some other issues with the software — including a bug allowing invalid public keys to be transmitted and processed without being flagged as an error. But the reviewers also describe the reviewed components as having “a high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs”.

The review covered Wire’s protocol specification and protocol implementation. More specifically, it covered the implementation of its Proteus messaging protocol, the Cryptobox API and its C wrapper, Cryptobox-C. “Cryptobox defines a simple, high-level API to Proteus in order to hide the protocol’s complexity to callers in Wire applications,” is Wire’s explainer of that component.

The review also included the CoffeeScript counterparts of Proteus and Cryptobox, as implemented in proteus.js and cryptobox.js.

A third layer of security review — considering the complete solution in the round — remains ongoing, according to Wire co-founder and CTO Alan Duric.

In their overview of the audit, the external security reviewers write:

The components reviewed were found to have a high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs. Issues were nonetheless found, with some of them potentially leading to a degraded security level. None of the issues found is critical in terms of security. We for example found that invalid public keys could be transmitted and processed without raising an error. As a consequence, the shared secret negotiated by communicating parties becomes predictable, which in turn weakens security guarantees in terms of “break-in recovery”. The root cause of this issue is a bug in a third-party component (neglect to verify an error code). We recommend that this issue be fixed, and that other security improvements be implemented to address thread-unsafety risks, sensitive data in memory, and other aspects as described in this report.

Wire says it has fixed all issues identified by the review and deployed the fixes on iOS and Android, and is in the process of deploying on Wire for web and its desktop apps.

It goes without saying that for any security product perceptions of insecurity can do real and lasting damage. So Wire will clearly be hoping that an external review of its crypto helps to dispel some of the criticisms it has attracted — and Duric was quick to point us to a sample early assessment of the audit from a security academic:

“Kudelski is independent reviewer,” Duric added, via email, of the firm paid to carry out the audit. “Company with long tradition in the field and experts that concluded review are among leading experts in the field.”

Katriel Cohn-Gordon, one of the group of academic security researchers who audited the Signal Protocol — which powers the eponymous Signal encrypted messaging app — also welcomed Wire’s move. “It’s good to see companies like Wire being transparent about their security,” he wrote in an email to TechCrunch. “[The audit] seems well-written and Wire’s prompt response is a good sign.”

It’s worth noting that while Signal’s protocol is not the same as Wire’s Proteus protocol, Wire did use some open source components written by the Signal Protocol’s creator, Open Whisper Systems — and as a result its Proteus protocol code displays a copyright attribution reflecting this reuse.

Wire, which was founded in 2012 and is based in Switzerland, is backed by Skype co-founder Janus Friis. Although it started with more of a general communications focus, it has since shifted to billing itself as a “private messenger” with a “focus on privacy” — expanding end-to-end encryption across all messaging types on its platform (not just calls) in March last year.

Last December it also added a username option, meaning privacy-conscious users do not need to share their phone number or email in order to communicate with other Wire users. And while the app remains free, Wire says it will be introducing paid services this year.

It also says it is committing to regular external security reviews from here on in, as it continues to develop its apps.

“Going forward every major development at Wire will also include a security review,” it writes. “We’ll continue to partner with security experts like Kudelski Security and X41 D-Sec to work on a complete solution review.

“All Wire client code is on GitHub and the server code will be open sourced by the end of Q1, 2017.”