Breaking Cryptography in the Wild: The Loose Ends of the Wire App

Wire currently supports two E2E protocols: Proteus, based on Signal’s Double Ratchet protocol and which is used by default, and MLS, the newly standardized IETF “Messaging Layer Security protocol”, which is still in active development.

We show that a combination of protocol-level and application-level vulnerabilities significantly undermine the confidentiality and authentication guarantees of Proteus E2E channels. These vulnerabilities allow a malicious server to tamper with message order, redirect messages to unintended groups, compromise group confidentiality, and even undermine Forward Secrecy (FS).

Furthemore, we study Post-Compromise Security (PCS) of Proteus, and find that Wire does not achieve PCS against strong adversaries with access to the private keys of the compromised users, nor against weaker adversaries with temporary oracle access to these keys.

Finally, we take a look at Wire’s MLS integration, and find several early design flaws which negate many of the security benefits of MLS, leading to trivial confidentiality violations and not achieving PCS in the presence of a malicious server

No one should use Wire app lol.

1 Like

No comments here? I’ve been looking into Wire

it is terrible as the research paper shows and discussed in other threads.

Maybe it’s better now, or will be, but anyway, there’s not reason for private users to use it. Yes, it has some nice features, doesn’t requre phone number, but if you already have a group of people agreed to use something unsusual, matrix, simplex, session, briar, jami, xmpp… might be a better option.

1 Like