Breaking Cryptography in the Wild: The Loose Ends of the Wire App

Wire currently supports two E2E protocols: Proteus, which is based on Signal’s Double Ratchet protocol and is used by default, and MLS, the newly standardized IETF “Messaging Layer Security” protocol, which is still in active development.

We show that a combination of protocol-level and application-level vulnerabilities significantly undermine the confidentiality and authentication guarantees of Proteus E2E channels. These vulnerabilities allow a malicious server to tamper with message order, redirect messages to unintended groups, compromise group confidentiality, and even undermine Forward Secrecy (FS).

Furthermore, we study Post-Compromise Security (PCS) of Proteus, and find that Wire does not achieve PCS against strong adversaries with access to the private keys of the compromised users, nor against weaker adversaries with temporary oracle access to these keys.

Finally, we take a look at Wire’s MLS integration, and find several early design flaws which negate many of the security benefits of MLS, leading to trivial confidentiality violations and not achieving PCS in the presence of a malicious server.

No one should use Wire app lol.