
What's Up With Group Messaging? - Computerphile

4719 ratings | 164307 views
Why encrypted group messaging isn't as secure as point-to-point. Dr Mike Pound explains this ongoing problem.

Instant Messaging & the Signal Protocol: https://youtu.be/DXv1boalsDI
Double Ratchet Messaging Encryption: https://youtu.be/9sO2qdTci-s
Relevant paper: https://eprint.iacr.org/2017/666.pdf

https://www.facebook.com/computerphile
https://twitter.com/computer_phile

This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: https://bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com
Text Comments (325)
avavav1232 (3 hours ago)
Press 0 repeatedly, thank me later.
EllipticGeometry (5 days ago)
8:05 That’s the key problem indeed.
Kenny McCormic (7 days ago)
Why do you need a server?
Blus cream (7 days ago)
What about telegram groups? Same thing?
Serge Matveenko (12 days ago)
Surprisingly no mention of the open and proven to be secure MTProto and Telegram.
Roger Skagerström (12 days ago)
Apple: - Hold my beer!
vishesh pandita (13 days ago)
That British accent though!
rjlorua (14 days ago)
For perfect forward secrecy you state that if a key is cracked then "Eve" would need to see every message after that one. But since they are doing DH for every message, wouldn't Eve need to be an active MITM and not just a passive eavesdropper?
CiVilian (15 days ago)
So basically, don’t use group chat to talk about the Krabby Patty formula
Iliya Iliev (17 days ago)
Dr Mike Pound, please generate more material. Everyone loves your videos and the way you explain things.
Iliya Iliev (17 days ago)
It's "Smi" haha
DroidTsuenik9 (17 days ago)
A video explaining how QR codes work would be nice.
luke brenland (18 days ago)
Your content is great! You should seriously think about sharing this on Uptrennd! They pay you in crypto for your posts!
KyvannShrike (18 days ago)
Where does Discord fit into this?
dmanc1 (18 days ago)
Excellent performance in "Glass".
Hunter Perrin (19 days ago)
Take a look at Tunnelgram. It supports end to end encrypted group messages. The design is very different from Signal's protocol.
Paul Sander (19 days ago)
What do you think about doing an episode about SCTP, and perhaps issues with using it in combination with TLS?
Dan Dart (20 days ago)
So Signal is Matrix?
Jo (20 days ago)
Thanks, learned a lot.
The answer is clear - blockchain, or perhaps server.
Manick N (20 days ago)
So monogamy is a lot safer than polygamy. More people you add the less safe it becomes. Got it.
EgyGeek (20 days ago)
Smi!
hgfuhgvg (20 days ago)
With 3 parties the problem is solved. Check out Joux tripartite key agreement using bilinear pairings. Now we need to solve it for 4, 5, ...
LEGnewTube (20 days ago)
The government secretly reading our messages? hahahahaha *flees country*
Keldor314 (9 days ago)
Doesn't work. All your friends in the group need to flee the country too to have any hope.
Jem (20 days ago)
How does Mike learn the protocol internals of commercial apps? Reverse engineering or via papers, or ... ?
Theo dor (20 days ago)
Why haven't we seen any Computerphile tshirts yet? People will think I'm a dork just wearing Numberphile..
Simon Butcher (20 days ago)
I'm waiting for the computerphile branded green line-printer paper
That government bit, lovely idea. Not!
Some1NamedMe (21 days ago)
I don't understand what the threat mentioned at the end is. If one of the devices receiving messages is compromised, it can leak information whether or not there's perfect forward secrecy. If the server is compromised, it still can't easily decrypt any of the group messages.
Rex Henderson (21 days ago)
Breakdown...like the newly discovered Apple FaceTime eavesdropping bug! lol.
Fraser Coupland (21 days ago)
SME
Steven Cotton (21 days ago)
Yay, Steve!
Eggsr2bcrushed (21 days ago)
Open source code should prevent the government from being added silently to conversations correct?
Stephen Louie (22 days ago)
What if as each participant is added to the group, the sending key is only generated for/by the last participant? This chaining would mean that sending keys are only generated between pairs of participants and thus preserve the self-healing aspects. While this would slow communication, for small groups the message propagation would not be significantly large.
Toby Fischer (22 days ago)
Do other messaging services like Slack or Discord use the same security methods as those described in this video?
Joonas Kolostov (22 days ago)
Once you hear him saying Alright, you can't unhear it, alright?
zztop3000 (22 days ago)
Fu*k fecesbook, it has caused so many deaths and murders around the world, Suckitberg should be tried for war crimes
Tcll5850 (22 days ago)
Why not just have 1 person host the P2P group chat for the clients to join? Messages would have to be updated through the host connection, and all user verification would be done on the host. Only the host would run into bandwidth issues, but it's essentially no different from something like Discord other than the fact that the host is the server, plus you get the ensured benefit of P2P healing encryption since you own the group server.

Also, about bandwidth, regarding a group with 50 clients: if the app is built *well*, it won't iterate through all 50 of its clients but send out a hierarchical message to immediate clients and pass the load off to the web, where the message gets split-copied to more latent clients (DNS servers don't know what the content is, only who to pass to). Basically, think of a 50 client group with only 6 immediate connections. You send it out to the first connection, which is a DNS, sending that message to let's say 8 *known* clients (in order to maintain security, all connected clients MUST be known).
Irwain Nornossa (22 days ago)
You know what? Let the (UK) government be in my conversations. At least someone who cares about what I am saying… But not silent. That's pointless. Let's talk.
Shocker99 (23 days ago)
I miss Alice and Bob!
Sina Madani (23 days ago)
GCHQ idea isn't too bad if it would solve the problem. No doubt they'll want to be listening in anyway and assuming that GCHQ is unhackable and the messages are only persisted when, say, an AI system detects suspicious activity, it could work alright.
Dalibor Klobučarić (23 days ago)
OK, so if I'm in a group chat, using FB Messenger on my phone, but after a while I switch to my web browser, and I see my whole chat, then by default not only the chat sits on the server but my key also. Correct?
Venkat Verma (19 days ago)
FB Messenger chats are not E2E encrypted by default unless you're using it in secret mode. If you had used private mode and are still able to see the conversation in the web browser, you have one more reason to sue Facebook :)
The Inscrutable (23 days ago)
The answer to a secret fourth party in the group chat (govt spy) is a serverless (first message sender becomes the sender for this chat session perhaps) bittorrent style peer-to-peer open source solution. Real organized crime already has secure communication, foreign spies have secure communication, terrorist cells have secure communication, so it's only normal citizens getting spied upon. No thanks! You Yanks have NSA instead of GCHQ so it's the same over there as well.
Ezul Azizi (23 days ago)
This is a great topic but I can't really understand what he is talking about without captions :/
Dyllan (23 days ago)
How do chat rooms work? Like IRC? Can multiple agents just read and write to an immutable Blockchain?
doppler effect (23 days ago)
Great, I love the way you explain things, miss Alice and Bob.
T Minus (23 days ago)
Your channel has become too niche and technical for me, sorry
Simon Johnson (23 days ago)
Steve is a snitch :p
OrangeC7 (23 days ago)
Man, I missed Alice and Bob today. I hope after their break they'll come back better than ever!
nivolord (23 days ago)
Calm down, Seinfeld.
DagarCoH (23 days ago)
I dunno if Mike reads this, but is there any way to confirm that WhatsApp has implemented the Signal protocol correctly? After all, they are the ones providing the source code our phones use for encryption.
TheKoderius (23 days ago)
What's the deal with - those vintage printer pages?!
Noel Goetowski (23 days ago)
Personally, I think the government getting involved is [REDACTED]
AboveEmAllProduction (23 days ago)
Mike Pound is one of my favorite people, could listen to his lectures all day long. <3
Kevin Fontanari (23 days ago)
I spent something like a minute listening to "Smi!"... I think I could have some problem...
Iain Hill (23 days ago)
Oh!, a sense of `deja-vu` listening to this one; Does this perhaps cover a topic that has been broached before; Perhaps some similarity between topics?
Nick Friddell (23 days ago)
Yay a Mike video!
Anderson 63 Scooper (23 days ago)
Group Messaging protocol:
1) establish pairwise connections between all group members
2) everyone meets to pairwise verify safety numbers
3) everyone's in the same room so just have your conversation there
Werner Dittmann (23 days ago)
For a customer I implemented a double ratchet library that also supports group chats. This library does not use XMPP but SIP MESSAGE to exchange data. The group chat implementation uses the same ratchets as the one-to-one conversations. The client does the message fan-out, thus the app restricts the number of participants in a group to a reasonable size (maximum is 30 IIRC). The server has no idea about groups. The synchronization between group members to exchange group-relevant data (member names, member avatars, etc.) uses a vector-clock protocol, thus all members eventually have the same set of data. Thus it's similar to the way shown at the beginning of the video.

You may ask: why use SIP? First of all, the same app also supports encrypted audio and video calls (even before it supported messages), thus the customer already had a working SIP infrastructure. Also SIP uses a real ACK to inform the other party whether it got a message or not and defines timeout/repeat mechanisms to deliver a message. XMPP does not have this for its messages and thus you really may lose messages sometimes (when using a mobile device that can disconnect quite often; XMPP was not designed for this sort of use case). The SIP server in this case also stores the encrypted messages and delivers them when a client is online again. The SIP server removes the message from its queue only after the client ACKs the message. Thus it is also well suited for group communication.
Bunny (23 days ago)
Title should be "What's Up With Apple?" lol
I can understand why it is too much traffic with 50 people, but most group chats have fewer than five people in them. There should be a secure option available. I am shocked to hear that not even Signal offers that. In general users should have the option to choose even more security, even if that means more traffic or computing time. Most people want their messages immediately, but I wonder how much more secure they could be made if we allow one second or even more encryption time for every message. I really would like to be sure that the messages I send and receive today can't be cracked 30 years from now with much more powerful computers. Instead of "secure enough" I would rather see "as secure as mathematically possible". I would even accept an hour of encryption time for sending a very important document. My fear is that in a few years from now computers could somehow be reinvented and become much more powerful than today. So a message can't be "secure enough". The idea of using the same key for all messages for months or even longer seems quite horrifying to me.
ShadowDivision (23 days ago)
So this problem occurs in applications like discord as well?
Getz Mikalsen (23 days ago)
Discord isn't secure
Dustin Van Tate Testa (23 days ago)
So you're telling me the govt is in my group chats o.o
TheThagenesis (23 days ago)
I guess WhatsApp has the "feature" to silently turn off encryption for single people when authorities demand it. You won't find out unless you regularly sniff the traffic and look at whether it's encrypted. I use tcpdump regularly on the job so I'm no stranger to this, and I don't think I'd notice. In the end it's all closed-source apps that regularly poll an outside server which could send any instructions in its data stream.
wafflezone (14 days ago)
You probably wouldn't be able to find out by sniffing traffic. They could easily change it so instead of using secure E2E private communication, you're using encrypted traffic that can be decrypted by the server. The app itself could report that everything is still secure.
Finian Blackett (21 days ago)
That's why I run Signal.
Dell Conagher (23 days ago)
@everyone
lotius (23 days ago)
Mike Pound needs his own channel
Louis Cloete (23 days ago)
8:04 "The key problem..." lol
Benjamin Nelson (23 days ago)
What I think about this is that we need a means of detecting if that has happened, because in theory your two-party conversation could be a three-party one.
bluekeybo (23 days ago)
If you don't trust the app, then you've got nothing. Cause even on a 2-people conversation, the app can always add a third "spy" one and there's nothing you can do about it. Verifying the safety number with that person doesn't really help, cause you're unaware that a third silent party is in your group chat. Is that correct?
Tassle (23 days ago)
If it's open source you don't need to trust it, you can go check for yourself :) (or trust that someone who understands the code would find out if something fishy is going on)
Andrew Walker (23 days ago)
I miss Alice and Bob :(
Yoshii (23 days ago)
Obtaining true privacy is not easy, and the truth of it is that you're down to trusting one of two different parties: the service provider, or yourself.
Pharaoh on LFS (23 days ago)
How perfect this comes out during this iPhone bug fiasco
Matthew Glennon (23 days ago)
Rehire Alice and Bob!
March Winks (23 days ago)
WhatsApp and FMessenger are not as safe and open-source as Telegram, which I found more convenient and trustworthy. I don't believe WhatsApp spyware
Heitor Kovalescki (23 days ago)
Smi
Android480 (23 days ago)
As a frontend developer I feel wholeheartedly inadequate. I need to study up.
Jouke (23 days ago)
Where's Alice? And...and..where is Bob?
Alex Bestoso (23 days ago)
go to 7:40 in the video XD
Dlagonmastel (23 days ago)
Wouldn't the app considering the addition to the group as the formation of a new group (this one plus one person) be enough? Or, to keep the same conversation, a special message that indicates that you need to make a new sender key for the new portion. Your app would remember that the old key is for the messages prior, but the new person would only have access to the newer messages. Seems like a good tradeoff to me? Am I missing something?
Loppy2345 (23 days ago)
Based on Facebook's plan with Whatsapp and Instagram, they will get rid of encryption altogether and start selling our private conversations to advertisers and the highest bidders.
PropsOnBrainOff FPV (23 days ago)
Bitcoin network as backbone. xD Solved scaling group messaging. Kinda.
You guys should offer consultancy as a way to fund the channel.
smokin Joe (23 days ago)
What if someone breaks into Steve's phone and makes screenshots instead of cracking keys?
Noah Wolton (23 days ago)
So what does it mean to break the sender key? Is that just to find out what it is (and if so why then can’t someone who knows it impersonate the sender)? Or is the sender key an asymmetric key?
David Hampson (23 days ago)
Very timely considering the FaceTime group chat was shut down today!
Marci124 (23 days ago)
Another related and confirmed method for government spying in E2EE messaging is them intercepting a confirmation SMS and registering a new device to your account, most of which are tied to a phone number. This of course (legally) requires a warrant on at least the phone number, and if they have that you're probably screwed anyway.
GoatzAreEpic Maokai (23 days ago)
I love Dr Mike's videos, he just explains it so clearly for me personally and is so entertaining to listen to
Photelegy (23 days ago)
6:12 Can they really bend the fabric of spacetime itself? 😯
Shaun Cymru (23 days ago)
Sean has his name encrypted...it should be S h a u n.
Steve Cooper (23 days ago)
Sorry everyone, I didn't mean to
Jonathan Crowder (23 days ago)
It's about time we stopped sharing private information about Alice and Bob.. #StopDoxingAliceNBob
Barney Laurance (23 days ago)
I don't think avoiding the naive pair-wise messaging and instead having the server distribute the messages is just a performance optimisation. It presumably also stops a dishonest participant from sending different messages to different members of the group. If I was just doing pairwise messaging but in a system that looked like a group chat, I could send Steve a message "Fancy a diet cola", and send Sean a message "Fancy a coffee". They'd both say yes and think they were in a group of people unanimous in its preference for a particular caffeinated drink.
Barney Laurance (23 days ago)
+Android480 Yes, but if the messages were end-to-end encrypted in a pairwise way then the server would have no way to check whether the content matched up or not.
Android480 (23 days ago)
I totally don't have a grasp on this, but I'm just curious: wouldn't the server be in charge of distributing these messages and forwarding these keys, meaning the only way to send a different message to different people would involve the server code being complicit? I'm sure it's hackable somehow, but generally no one group member should be able to send different messages.
AndOgre (23 days ago)
I think it's all Steve's fault. Don't allow him in your group conversations.
Fabrizio Lungo (23 days ago)
Charlie thought this would finally be his time to shine.
mjbirdClavdivs (24 days ago)
This sounds a lot like PGP, except that in PGP the "sender key" is sent with each message using the public key of all the recipients. This makes the package marginally bigger and more cumbersome, but it's self-healing and asynchronous.
sogerc1 (24 days ago)
No wonder Alice and Bob did not join this group conversation, it's not secure!
Joz Ra (24 days ago)
I hope Alice and Bob will come back soon to send some encrypted data.
The Real Maxis (24 days ago)
Smi, Mario!
Android480 (23 days ago)
Smiiii
aFailure InCode (24 days ago)
ₛₘᵢ
AndreaZzzXXX (24 days ago)
Unfortunately I miss some part of your speech. I am from Italy and my English is not good enough for your accent. English subtitles would be a help for non-'mother tongue' viewers ... tnx
Tim Anderson (24 days ago)
Why can't the sender keys just be updated periodically?
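As an added illustration, not from the video, the linked paper or any commenter, of what "breaking the sender key" means and why the key has to be refreshed: a toy Python model of a hash-ratcheted sender key. The HMAC-based KDF, the class names and the compromise simulation are constructed assumptions, not Signal's code. Each ratchet step is one-way, so earlier message keys stay safe (forward secrecy), but a copied chain key yields every later message key until the owner rotates it, and in a sender-key scheme a rotation means redistributing the new key to every member over pairwise sessions.

```python
import hashlib
import hmac
import os


def kdf(chain_key: bytes, label: bytes) -> bytes:
    """One-way ratchet step: HMAC-SHA256 keyed with the chain key (toy KDF)."""
    return hmac.new(chain_key, label, hashlib.sha256).digest()


class SenderKeyChain:
    """One group member's sender key, modelled as a hash-ratcheted chain key.

    Each message key is derived from the current chain key, which is then
    advanced and the old value discarded. A later chain key does not reveal
    earlier message keys (forward secrecy), but whoever copies the chain key
    at step i can derive every message key from i onwards until the member
    distributes a fresh sender key over its pairwise sessions (no self-healing).
    """

    def __init__(self, seed=None):
        self.chain_key = seed if seed is not None else os.urandom(32)

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # advance; old value is gone
        return message_key

    def rotate(self) -> None:
        """Install a fresh sender key (what a periodic key update would do)."""
        self.chain_key = os.urandom(32)

    def snapshot(self) -> "SenderKeyChain":
        """What an attacker holds after copying this member's current state."""
        return SenderKeyChain(self.chain_key)


def keys_recovered_after_compromise(total, compromise_at, rotate_at=None):
    """Indices of messages whose keys an attacker can reproduce.

    The attacker copies the sender's chain key just before message
    `compromise_at` is sent and ratchets the copy in parallel. If `rotate_at`
    is given, the sender installs a fresh sender key before that message.
    """
    sender = SenderKeyChain()
    attacker = None
    recovered = []
    for i in range(total):
        if rotate_at is not None and i == rotate_at:
            sender.rotate()
        if i == compromise_at:
            attacker = sender.snapshot()
        real_key = sender.next_message_key()
        if attacker is not None:
            guess = attacker.next_message_key()
            if hmac.compare_digest(real_key, guess):
                recovered.append(i)
    return recovered
```

With six messages and a copy taken before message 2, the attacker reproduces keys 2 to 5; a rotation before message 4 cuts that to messages 2 and 3 only.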
6beat (24 days ago)
I thought Signal did not use server side fan out. Did they recently change that?