<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Apr 8, 2016 at 10:29 AM, Trevor Perrin <span dir="ltr"><<a href="mailto:trevp@trevp.net" target="_blank">trevp@trevp.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, Apr 8, 2016 at 6:18 AM, Bill Cox <<a href="mailto:waywardgeek@gmail.com">waywardgeek@gmail.com</a>> wrote:<br>
><br>
> - Users have to verify a 60 digit code rather than a 4 digit code to prove<br>
> there is no MitM<br>
<br>
</span>No, there is a "Scan QR code" option.</blockquote><div><br></div><div>Hi, Trevor. Not that I'm an expert, but what I've seen so far of your Noise Protocol looks good to me. I recommended it as a potential solution to a problem yesterday. Do you know if the Noise Pipes implementation in WhatsApp is open-source? I think several of us on this list would like to take a look and help WhatsApp find any implementation flaws. Also, kudos to the WhatsApp team for enabling end-to-end encryption by default.</div><div><br></div><div>The QR code feature is cool. I doubt many users will use it. I tried it out yesterday with my dad, and it is simple enough to use, if you are in the same location.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
> - Use hash commitments and reduce their code to 4 digits<br>
<br>
</span>That wouldn't work well, here. WhatsApp provides asynchronous text<br>
messaging. Alice can send initial messages to Bob when he is offline,<br>
and he might receive them when Alice is offline.<br>
<br>
Short-auth strings (SAS) require a 3-way handshake before the SAS is<br>
displayed. So in the above case, Alice and Bob would be in an awkward<br>
"pending state", where they have sent or received messages but have no<br>
way of authenticating. Using public-key fingerprints avoids this.<br></blockquote><div><br></div><div>What if you only display the SAS (or something more interesting randomly selected based on the SAS) after sending the second message? I assume the second message is better protected than the first message in any case, since that's when ephemeral secrets are in place.</div><div><br></div><div>Bill</div></div></div></div>