Comment by ralusek

Comment by ralusek 18 hours ago

9 replies

View on Hacker News

I mean at the very least if their clients can read it then they can at least read it through their clients, right? And if their clients can read it’ll be because of some private key stored on the client device that they must be able to access, so they could always get that. And this is just assuming that they’ve been transparent about how it’s built, they could just have backdoors on their end.

basch 18 hours ago

they can also just .. brute force passwords. the pin to encrypt fb messenger chat is 6 digits for example.

Reply View 8 replies
  • farbklang 17 hours ago

    but that is a pin and can be rate limited / denied, not a cryptograhpic key that can be used to brute force and compare hash generations (?)

    Reply View 7 replies
    • barbazoo 17 hours ago

      They likely wouldn’t rate limit themselves, rate limiting only applies when you access through their cute little enter your pin UI.

      Reply View 5 replies
      • solenoid0937 17 hours ago

        The PIN is used when you're too lazy to set an alphanumeric pin or offload the backup to Apple/Google. Now sure, this is most people, but such are the foibles of E2EE - getting E2EE "right" (eg supporting account recovery) requires people to memorize a complex password.

        The PIN interface is also an HSM on the backend. The HSM performs the rate limiting. So they'd need a backdoor'd HSM.

        Reply View 4 replies
    • [removed] 17 hours ago
      [deleted]
      Reply View 0 replies