No warning when getting a call from contact with new key

[agrajaghh]

I'm not familiar with the redphone internals, so correct me if I misunderstood something...

I have two devices running Signal 3.0.2. They were exchanging messages and where having some calls. Now device A reinstalled Signal (resulting in a new identity key) and called device B. The call was established without problems, no warning was given. Writing a message from A to B lead to a warning ("Receives message with unknown identity key..."). Shouldn't be there a warning during the call as well? This allows to impersonate someone else, no?

[peterpanondrugs]

Thats how Redphone works.
I guess you will recognize your partner from the call!

[jocelynthode]

@peterpanondrugs But I think you wouldn't know if someone was doing some man in the middle stuff. Though from what I remember Redphone was displaying words that you could exchange to be sure nobody could man in the middle your conversation.

[xmikos]

RedPhone/Signal uses ZRTP protocol. And ZRTP provides second layer of authentication in the form of key continuity (TOFU - Trust On First Use). So if they called themselves before reinstall, RedPhone/Signal should warn them in following calls if the key has been changed. If it doesn't warn them, there must be some error in RedPhone/Signal implementation of ZRTP.

[xmikos]

And indeed, key continuity has been supported in old RedPhone: https://github.com/WhisperSystems/RedPhone/commit/2435af9a2a651b5eb269bd891f0788180b8ebed4

But if you look at same files in new Signal, there are many places where this stuff has been commented out, see ZRTPSocket.java from old RedPhone here:
https://github.com/WhisperSystems/RedPhone/blob/master/src/org/thoughtcrime/redphone/crypto/zrtp/ZRTPSocket.java

And compare it to ZRTPSocket.java from new Signal here:
https://github.com/WhisperSystems/TextSecure/blob/master/src/org/thoughtcrime/redphone/crypto/zrtp/ZRTPSocket.java

Maybe Signal is doing things differently and checking key continuity somewhere else, I don't have now time to check it more thoroughly, but at first look this seems rather fishy (seems like key continuity has been discontinued ;-)).

Please can someone from Open Whisper Systems comment on this?

[moxie0]

yes you have to verify the sas every time

[rmueller83]

I assume this is temporarily deactivated during the TextSecure+RedPhone-->Signal migration. AFAIK Android Apps are not allowed to acces data from other apps, so TextSecure cannot import the RedPhone keys and therefore has to generate new ones. The new keys would lead to warnings which confuse the users and bring a lot of issue tickets here. ;-)

[xmikos]

@rmueller83 Yes, after migration you would lose old cached key continuity secrets. But both sides will lose them, so you shouldn't see any warnings - only first call with Signal would have to be verified (with SAS) again, that's all.

This is similar like if someone has removed known_hosts check from SSH, key continuity is basic security feature of ZRTP. I really don't understand why Moxie did it (without at least big warning in README) and really hope that it is only temporary when Signal is in beta. It would be madness to left key continuity checks commented out even in stable/production version...

[rmueller83]

When I understand you correctly, your first paragraph assumes that both sides will upgrade to Signal at the same time. This is normally not the case, as some people upgrade at release day, and others a few days/weeks/months later.

[xmikos]

@rmueller83 If the other side still has old RedPhone, there still should be warning on that side (because RedPhone doesn't have this key continuity code commented out).

[droopy]

Moxie is adding more backdoors on the platform. Come on...moxie.