Wickr - is it secure?
After Signal’s recent “PIN scandal”, I have started to look for an alternative to Signal.
I find it easiest to assess a software project’s security by assuming it is perfect, and then find the errors within.
Everything written in this article is therefore security-related criticism of something about Wickr - I do not need to state what Wickr does correctly, since that is the default position.
“What is Wickr”, you ask?
From Wikipedia:
Wickr is an American software company based in San Francisco.[1] The company is best known for its instant messenger application of the same name.
The Wickr instant messaging app allows users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments. The software is available for the iOS, Android, Mac, Windows, and Linux operating systems.
Feel free to contribute to this article by reaching out, or call me out for stating something which contradicts better evidence, via email on:
wickr-security@winther.games
Let us begin!
The licenses
All licenses are proprietary.
While a proprietary license can be considered immoral, it has almost no impact on the security considerations in the context of a user using a service. The only concern is the aspect of business continuity, for when the service is shut down or changed in a negative way.
I can find no plans for Wickr to migrate to a free license.
Source and implementation analysis
Wickr is FIPS 140-2 certified.
Wickr is by and large closed source.
Trust is earned by either trusting other people, or personally observing events.
While having a full implementation out in the open does not prevent security issues by itself, it is a fundamental requirement for earning the user’s trust, if the user does not place their trust in other people.
The part Wickr has chosen to “open source”, called “Wickr Secure Messaging Protocol in C”, is found on GitHub. I am not an expert in cryptology, and cannot directly comment on the quality of the code. However, the quality is a moot point. Having only the “security part” of a complete system open to inspection does almost nothing for real world security implications, since security in the real world hinges on its implementation details. As an allegory, think about this: You have expensive secure doors in your office building, nobody can hack or break them, but one day the CEO gets her keycard stolen, and the thief uses that keycard to enter the building through the doors, as one normally would. In this scenario the company would have been better off with either cheap doors or a complete security approach to physical security.
Since we cannot examine Wickr ourselves, we would have to trust other people’s judgement, if we want to trust Wickr. This is something Wickr is painfully aware of, and they therefore base their marketing around ethos and pathos.
Cryptography
While my peers and I are “in the camp” of Daniel J. Bernstein and Tanja Lange et al, due to their track record of being objectively superior many times, we are open to dissenting opinions. I am not a cryptographer, and I will gladly put well reasoned dissenting arguments in section.
Quotes in this section are paraphrased from anonymous commentaters by default, so please verify them yourself. IANAC.
P-521, and the other NIST curves, are a poor choice. NIST curves are hard to use correctly with no good technical benefit over Curve25519. While NIST curves are chosen, probably, due to FIPS 140-2 certification (Curve25519 is not on the approved list), it should be noted that it is a suboptimal choice, from a technical perspective. This means that the cryptography of Wickr is not state of the art.
Basing the implementation of their crypto engine on the EVP interface from OpenSSL 1.1.0 is problematic due to the quality of OpenSSL.
The support for multiple ciphers makes a security analysis significantly more complex, which is the antithesis of good cryptography.
Having only a partial portion of the system open sourced, regardless of actual implementation quality, shows that it is the wrong people running the show. Closed source is not a requirement for FIPS 140-2 certification. Since the full implementation of Wickr is not open source, the worry for attacks like the downgrade attack is a real threat. Third party audits, while better than nothing, is not equal to having academics look over the implementation on their own time.
Audits
While this section is supposedly central to the trust of Wickr’s implementation, the difficulty in finding and interpreting the results, whilst startling in and of itself, has left me unable to finish it, due to time constrains. It is my hope that I get to finish this part another time. Wickr lists their audits on their “Customer Security Promises” site.
Bishop Fox
Need to look at this in the future:
- https://know.bishopfox.com/customer-stories/how-bishop-fox-enables-wickrs-security-assurance
- https://know.bishopfox.com/news/2018/09/wickr-wickr-bishop-fox-report-on-customer-security-promises
NCC Group
NCC Group is known in the industry for having a wide and deep pool of technical experts spanning the whole world.
On Wickr’s “promises” page, we see NCC Group listed as an external auditor, and following the story on their own site we find a third party news outlet mentioning the NCC Group/Wickr relationship. NCC Group has an internal reference to that news story on their own site, but the page itself returns an HTTP status code 404 (content missing from the site). The WayBack Machine has no reference to the story on NCC Group’s site either.
It seems like Wickr supposedly started their “Customer Security Promises” program with NCC Group.
Having so much trust tied into such a well known and recognized company, with so little public information backing the claim is… Troublesome.
The stength of a public audit claim is only as strong as the transparency and social links it exudes.
Marketing
Wickr tries to communicate objective dominance and “being the best” due to their ceritification and being used by trusted entities.
Appeal to authority
The main marketing strategy is appeal to authority.
While I have only given one example so far, I expect to pile on in the future.
US Air Force
It seems like Wickr was FIPS certified so the USAF (and probably other military sectors) could make use of them in their regulated environments.
However, it is important to note that the certification does not imply quality, only compliance with legal regulations. Being compliant means that an organization has a lawfully necessary business process or business practice in place. If having certain business processes/practices in place was a strong indicator of quality, no serious business would fail, which obviously is not the case.
Also, worth pointing out, is that the US military has a history and vested interest in popularizing security only they can break.
Anything backed by them will, due to healthy skepticism, depending on the context, be worrisome.
If your threat model does not contain state actors, or maybe specifically the US, then fine, this point does not matter for you.
Lies and omissions
I do not think Wickr lies directly.
I do, however, think that Wickr’s marketing does not match the product they are selling.
While I have only given a few examples so far, I expect to pile on in the future.
Secure Messaging Protocols blogpost
Here is a single example of how I do not think Wickr fairly represents the state of the art, and oversell themself in a disingenuous way.
On Wickr’s Secure Messaging Protocols (SMP) blogposts (1/2):
On the one hand, PGP allows for asynchronous communication but lacks forward secrecy, while OTR provides forward secrecy but doesn’t support asynchronousity. Thus, a new milestone was reached in 2013 with the public release of the new Wickr SMP, which combined all 3 of these properties into a single protocol. To the best of my knowledge, this makes Wickr the first publicly available SMP meeting today’s basic standard of security, now commonly expected of any SMPs.
While “Wickr Staff” makes the disclaimer of “To the best of my knowledge, [..]”, Whisper Systems and Open Whisper Systems were widely known in the community back then, and solved this problem in parallel. This is one of many places where Wickr oversell their importance. It is also important to note that Wickr is actively involved with the Double Ratchet Algorithm today, acknowledging that it has been a superior protocol: “[..] which had never been achieved in combination by prior messaging protocols.”.
The author does address Open Whisper Systems and Signal in the very next chapter:
However, in other ways, these two types of SMPs [Wickr and Signal] are simply incomparable.
And then the author compares them anyway:
First, by talking about how Wickr can do multiparty chats, ignoring the Sesame Algorithm in Signal.
Secondly, talking about repudiation (deniability of having send a message) where Wickr argues that it also has the property of repudiation.
Thirdly, talking about Post Compromise Security (PCS) and how Signal and Wickr have different advantages and disadvantages. While Signal has the highest security against long-term eavesdroppers (completely heals), Wickr has higher security in an ongoing compromised situation (less privileges for the attacker, specifically unable to read outgoing messages, unable to remove group participants, unable to forge incoming messages, what heals is confusingly described).
Linking to a whitepaper in a blogpost with no source
On “The Untrusted Server: The Real-World Impact of a Wickr Server Compromise” Wickr tries to make a technical argument for their security, by linking to a whitepaper in:
[..] This level of protection means server-side attacks against user identity keys are infeasible against all but the weakest accounts. See Wickr’s White Paper on Password Protection.
However, if you follow the link you do not actually get a technical whitepaper. You get redirected to the site https://wickr.com/resources/, which contains more marketing. If you try to download a “whitepaper” e.g. Toward a Zero Trust Future you need to fill out a personal form. I have not tried to fill out the form to check that I actually get to download a whitepaper. Also, where is the whitepaper on password protection?
If someone successfully makes use of their site to gather technical information, it is not because of a good user interface experience.
Future updates to this article
I would like to cover:
- The company and their business model
- The people running the company and their ties to Cult of the Dead Cow (see ISBN-13: 978-1541762381)
- How to use the program and potential dark patterns in relation to security
- The installation process and if we can trust the software we install
- How credentials are handled in regards to pseudonymity/anonymity and metadata leaks
- How easy the program is to use securely for non-tech-savvy users
- If there are any insane defaults in the settings of the program
- How contact discovery works and if there are any security or privacy implications from that
- List of trade-offs versus Signal
Conclusion
My current understanding:
Wickr is not state of the art, but maybe Good Enough™, if you trust the audits.
Wickr is potentially vulnerable to attacks by the US.
While we have no hard evidence suggesting this, we have a historical record of intentional weaknesses introduced into state-endorsed cryptography which lacks trusted numbers. Wickr is forced to use cryptography that falls into this category, due to their FIPS 140-2 certification process.