
What's Up With Group Messaging? - Computerphile

5033 ratings | 181343 views
Why encrypted group messaging isn't as secure as point to point. Dr Mike Pound explains this ongoing problem.

Instant Messaging & the Signal Protocol: https://youtu.be/DXv1boalsDI
Double Ratchet Messaging Encryption: https://youtu.be/9sO2qdTci-s
Relevant paper: https://eprint.iacr.org/2017/666.pdf

https://www.facebook.com/computerphile
https://twitter.com/computer_phile

This video was filmed and edited by Sean Riley.

Computer Science at the University of Nottingham: https://bit.ly/nottscomputer

Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com
Text Comments (307)
TrueNorth (15 days ago)
Slack, Mattermost? I guess they don't have end-to-end encryption implemented.
Anupama Rao (28 days ago)
Dr Mike, is the same procedure used for encryption of group calls?
Rej 3003 (2 months ago)
If you add the government, what's stopping a hacker from impersonating the government and listening to the conversation?
Nick Adams (2 months ago)
These videos are excellent and entertaining, but it would be nice if after a brief delve into the theoretical there was some brief code. Oftentimes these concepts are extremely simple but are made out to be complex by being so verbose in talk.
avavav1232 (3 months ago)
press 0 repeatedly thank me later.
EllipticGeometry (3 months ago)
8:05 That’s the key problem indeed.
Kenny McCormic (3 months ago)
Why do you need a server?
Sam Sırri (1 month ago)
To store messages for offline recipients, and to coordinate the connectivity when clients are behind NAT or a firewall.
Blus cream (3 months ago)
What about telegram groups? Same thing?
Serge Matveenko (3 months ago)
Surprisingly no mention of the open and proven to be secure MTProto and Telegram.
Roger Skagerström (3 months ago)
Apple: - Hold my beer!
Vishesh Pandita (3 months ago)
That British accent though!
rjlorua (3 months ago)
For perfect forward secrecy you state that if a key is cracked, "Eve" would need to see every message after that one. But since they are doing DH for every message, wouldn't Eve need to be an active MITM and not just a passive eavesdropper?
CiVilian (3 months ago)
So basically, don’t use group chat to talk about the Krabby Patty formula
Iliya Iliev (3 months ago)
Dr Mike Pound, please generate more material. Everyone loves your videos and the way you explain things.
Iliya Iliev (3 months ago)
It's "Smi" haha
DroidTsuenik9 (3 months ago)
A video explaining how QR codes work would be nice.
luke brenland (3 months ago)
Your content is great! You should seriously think about sharing this on Uptrennd! They pay you in crypto for your posts!
KyvannShrike (3 months ago)
Where does Discord fit into this?
dmanc1 (3 months ago)
Excellent performance in "Glass".
Hunter Perrin (3 months ago)
Take a look at Tunnelgram. It supports end to end encrypted group messages. The design is very different from Signal's protocol.
Paul Sander (3 months ago)
What do you think about doing an episode about SCTP, and perhaps issues with using it in combination with TLS?
Dan Dart (3 months ago)
So signal is matrix?
Jo (3 months ago)
thanks, learned a lot
the answer is clear - blockchain or perhaps server
Manick N (3 months ago)
So monogamy is a lot safer than polygamy. More people you add the less safe it becomes. Got it.
EgyGeek (3 months ago)
hgfuhgvg (3 months ago)
With 3 parties the problem is solved. Check out Joux's tripartite key agreement using bilinear pairings. Now we need to solve it for 4, 5, ...
LEGnewTube (3 months ago)
The government secretly reading our messages? hahahahaha *flees country*
Keldor314 (3 months ago)
Doesn't work. All your friends in the group need to flee the country too to have any hope.
Jem (3 months ago)
How does Mike learn the protocol internals of commercial apps? Reverse engineering or via papers, or ... ?
Theo dor (3 months ago)
Why haven't we seen any Computerphile tshirts yet? People will think I'm a dork just wearing Numberphile..
Simon Butcher (3 months ago)
I'm waiting for the computerphile branded green line-printer paper
That government bit, lovely idea. Not!
Some1NamedMe (3 months ago)
I don't understand what the threat mentioned at the end is. If one of the devices receiving messages is compromised, it can leak information whether or not there's perfect forward secrecy. If the server is compromised, it still can't easily decrypt any of the group messages.
Rex Henderson (3 months ago)
Breakdown...like the newly discovered Apple FaceTime eavesdropping bug! lol.
Fraser Coupland (3 months ago)
Steven Cotton (3 months ago)
Yay, Steve!
Eggsr2bcrushed (3 months ago)
Open source code should prevent the government from being added silently to conversations correct?
Stephen Louie (3 months ago)
What if as each participant is added to the group, the sending key is only generated for/by the last participant? This chaining would mean that sending keys are only generated between pairs of participants and thus preserve the self-healing aspects. While this would slow communication, for small groups the message propagation would not be significantly large.
Toby Fischer (3 months ago)
Do other messaging services like Slack or Discord use the same security methods as those described in this video?
Joonas Kolostov (3 months ago)
Once you hear him saying Alright, you can't unhear it, alright?
zztop3000 (3 months ago)
Fu*k fecesbook, it has caused so many deaths and murders around the world, Suckitberg should be tried for war crimes
Tcll5850 (3 months ago)
Why not just have 1 person host the P2P group chat for the clients to join? Messages would have to be updated through the host connection, and all user verification would be done on the host. Only the host would run into bandwidth issues, but it's essentially no different from something like Discord other than the fact the host is the server, plus you get the ensured benefit of P2P healing encryption since you own the group server.

Also, about bandwidth, regarding a group with 50 clients: if the app is built *well*, it won't iterate through all 50 of its clients but send out a hierarchical message to immediate clients and pass the load off to the web, where the message gets split-copied to more latent clients (DNS servers don't know what the content is, only who to pass to). Basically, think of a 50 client group with only 6 immediate connections: you send it out to the first connection which is a DNS, sending that message to let's say 8 *known* clients (in order to maintain security, all connected clients MUST be known).
Irwain Nornossa (3 months ago)
You know what? Let the (UK) government be in my conversations. At least someone who cares about what I am saying… But not silently. That's pointless. Let's talk.
Shocker99 (3 months ago)
I miss Alice and Bob!
Sina Madani (3 months ago)
GCHQ idea isn't too bad if it would solve the problem. No doubt they'll want to be listening in anyway and assuming that GCHQ is unhackable and the messages are only persisted when, say, an AI system detects suspicious activity, it could work alright.
Dalibor Klobučarić (3 months ago)
OK, so if I'm in a group chat, using FB Messenger on my phone, but after a while I switch to my web browser, and I see my whole chat, then by default not only the chat sits on the server but my key also. Correct?
Venkat Verma (3 months ago)
FB messenger chats are not E2E encrypted by default unless you're using it in secret mode. If you had used private mode and are still able to see the conversation in the web browser, you have one more reason to sue FaceBook :)
The Inscrutable (3 months ago)
The answer to a secret fourth party in the group chat (govt spy) is a serverless (first message sender becomes the sender for this chat session perhaps) bittorrent style peer-to-peer open source solution. Real organized crime already has secure communication, foreign spies have secure communication, terrorist cells have secure communication, so it's only normal citizens getting spied upon. No thanks! You Yanks have NSA instead of GCHQ so it's the same over there as well.
koko krunch (3 months ago)
This is a great topic but I can't really understand what he is talking about without captions :/
Raccoon (3 months ago)
How do chat rooms work? Like IRC? Can multiple agents just read and write to an immutable Blockchain?
doppler effect (3 months ago)
Great, I love the way you explain things. Miss Alice and Bob.
Simon Johnson (3 months ago)
Steve is a snitch :p
OrangeC7 (3 months ago)
Man, I missed Alice and Bob today. I hope after their break they'll come back better than ever!
nivolord (3 months ago)
Calm down, Seinfeld.
DagarCoH (3 months ago)
I dunno if Mike reads this, but is there any way to confirm that Whatsapp has implemented the Signal protocol correctly? After all, they are the ones providing the source code our phones use for encryption
TheKoderius (3 months ago)
What's the deal with - those vintage printer pages?!
Noel Goetowski (3 months ago)
Personally, I think the government getting involved is [REDACTED]
AboveEmAllProduction (3 months ago)
Mike Pound is one of my favorite people, could listen to his lectures all day long. <3
Kevin Fontanari (3 months ago)
I spent something like a minute listening to "Smi!"... I think I could have some problem...
Iain Hill (3 months ago)
Oh!, a sense of `deja-vu` listening to this one; Does this perhaps cover a topic that has been broached before; Perhaps some similarity between topics?
Nick Friddell (3 months ago)
Yay a Mike video!
Anderson 63 Scooper (3 months ago)
Group Messaging protocol: 1) establish pairwise connections between all group members 2) everyone meets to pairwise verify safety numbers 3) everyone's in the same room so just have your conversation there
Werner Dittmann (3 months ago)
For a customer I implemented a double ratchet library that also supports group chats. This library does not use XMPP but SIP MESSAGE to exchange data. The group chat implementation uses the same ratchets as the one-to-one conversations use. The client does the message fan-out, thus the app restricts the number of participants in a group to a reasonable size (maximum is 30 IIRC). The server has no idea about groups. The synchronization between group members to exchange group-relevant data (member names, member avatars, etc.) uses a vector-clock protocol, thus all members eventually have the same set of data. Thus it's similar to the way shown at the beginning of the video. You may ask: why use SIP? First of all, the same app also supports encrypted audio and video calls (even before it supported messages), thus the customer already had a working SIP infrastructure. Also SIP uses real ACKs to inform the other party if it got a message or not and defines timeout/repeat mechanisms to deliver a message. XMPP does not have this for its messages and thus you really may lose messages sometimes (when using a mobile device that can disconnect quite often; XMPP was not designed for this sort of use case). The SIP server in this case also stores the encrypted messages and delivers them if a client is online again. The SIP server removes the message from its queue only after the client ACKs the message. Thus it is also well suited for group communication.
Bunny (3 months ago)
Title should be "What's Up With Apple?" lol
I can understand why it is too much traffic with 50 people, but most group chats only have fewer than five people in them. There should be a secure option available. I am shocked to hear that not even Signal offers that. In general users should have the option to choose even more security, even if that means more traffic or computing time. Most people want their messages immediately, but I wonder how much more secure they could be made if we allow one second or even more encryption time for every message. I really would like to be sure that the messages I send and receive today can't be cracked 30 years from now with much more powerful computers. Instead of "secure enough" I would rather see "as secure as mathematically possible". I would even accept an hour of encryption time for sending a very important document. My fear is that in a few years from now computers could somehow be reinvented and become much more powerful than today. So a message can't be "secure enough". The idea to use the same key for all messages for months or even longer seems quite horrifying to me.
Nightstlkr (3 months ago)
So this problem occurs in applications like discord as well?
Getz Mikalsen (3 months ago)
Discord isn't secure
Dustin Van Tate Testa (3 months ago)
So you're telling me the govt is in my group chats o.o
TheThagenesis (3 months ago)
I guess Whatsapp has the "feature" to silently turn off encryption for single people when authorities demand it. You won't find out unless you regularly sniff the traffic and look if it's encrypted. I use tcpdump regularly on the job so I'm no stranger to this, and I don't think I'd notice. In the end it's all closed-source apps that regularly poll an outside server which could send any instructions in its data stream.
ุุ ุ (1 month ago)
+wafflezone 👍 Exactly. They would switcheroo their encryption instead of yours. If the government wants to spy on you, they wouldn't let enemy spies spy along with it. Unless they're incompetent.
wafflezone (3 months ago)
You probably wouldn't be able to find out by sniffing traffic. They could easily change it so instead of using secure E2E private communication, you're using encrypted traffic that can be decrypted by the server. The app itself could report that everything is still secure.
Finian Blackett (3 months ago)
That's why I run Signal.
Dell Conagher (3 months ago)
lotius (3 months ago)
Mike Pound needs his own channel
Louis Cloete (3 months ago)
8:04 "The key problem..." lol
Benjamin Nelson (3 months ago)
What I think about this is that we need a means of detecting if that has happened, because in theory your two-party conversation could be a three-party one.
bluekeybo (3 months ago)
If you don't trust the app, then you've got nothing. Cause even on a 2-people conversation, the app can always add a third "spy" one and there's nothing you can do about it. Verifying the safety number with that person doesn't really help, cause you're unaware that a third silent party is in your group chat. Is that correct?
Tassle (3 months ago)
If it's open source you don't need to trust it, you can go check for yourself :) (or trust that someone who understands the code would find out if something fishy is going on)
Andrew Walker (3 months ago)
I miss Alice and Bob :(
Yoshii (3 months ago)
Obtaining true privacy is not easy, and the truth of it is that you're down to trusting one of two different parties: the service provider, or yourself.
Pharaoh on LFS (3 months ago)
How perfect this comes out during this iPhone bug fiasco
Matthew Glennon (3 months ago)
Rehire Alice and Bob!
March Winks (3 months ago)
Whatsapp and FMessenger are not as safe and open-source as Telegram, which I found more convenient and trustworthy. I don't believe Whatsapp spyware.
Heitor Kovalescki (3 months ago)
Android480 (3 months ago)
As a frontend developer I feel whole heartedly inadequate. I need to study up.
Jouke (3 months ago)
Where's Alice? And...and..where is Bob?
Alex Bestoso (3 months ago)
go to 7:40 in the video XD
Dlagonmastel (3 months ago)
Wouldn't the app considering the addition to the group as the formation of a new group plus this one person be enough? Or, to keep the same conversation, a special message that indicates that you need to make a new sender key for the new portion; your app would remember that the old key is for the messages prior, but the new person would only have access to the newer messages. Seems like a good tradeoff to me? Am I missing something?
Loppy2345 (3 months ago)
Based on Facebook's plan with Whatsapp and Instagram, they will get rid of encryption altogether and start selling our private conversations to advertisers and the highest bidders.
PropsOnBrainOff FPV (3 months ago)
Bitcoin network as backbone. xD Solved scaling group messaging. Kinda.
You guys should offer consultancy as a way to fund the channel.
smokin Joe (3 months ago)
What if someone breaks into Steve's phone and makes screenshots instead of encrypting keys?
Noah Wolton (3 months ago)
So what does it mean to break the sender key? Is that just to find out what it is (and if so why then can’t someone who knows it impersonate the sender)? Or is the sender key an asymmetric key?
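An added example (mine, not from the video, the linked paper or any commenter) illustrating the question above: a toy Python model of the sender key as a symmetric hash ratchet, showing that a chain state leaked from one member's device reads every later message until the sender key is redistributed, while earlier messages stay protected. The HMAC labels and XOR keystream are simplifications chosen for this example, not Signal's real constants or cipher, and only the symmetric chain is modelled.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step (HMAC-SHA256): the input key cannot be recovered from the output."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_stream(message_key: bytes, data: bytes) -> bytes:
    """Toy cipher for illustration only: XOR with a keystream derived from the message key."""
    blocks = [kdf(message_key, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1)]
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


class SenderKeyChain:
    """Symmetric hash ratchet: the sender and every group member hold the same chain key and counter."""
    def __init__(self, chain_key: bytes, counter: int = 0):
        self.chain_key = chain_key
        self.counter = counter

    def step(self) -> bytes:
        message_key = kdf(self.chain_key, b"\x01")     # key for the current message number
        self.chain_key = kdf(self.chain_key, b"\x02")  # advance; the previous chain key is deleted
        self.counter += 1
        return message_key

    def encrypt(self, plaintext: bytes):
        counter = self.counter
        return counter, xor_stream(self.step(), plaintext)

    def decrypt(self, counter: int, ciphertext: bytes) -> bytes:
        if counter < self.counter:
            raise ValueError("message key already deleted (forward secrecy)")
        while self.counter < counter:  # toy: ratchet past skipped messages instead of caching keys
            self.step()
        return xor_stream(self.step(), ciphertext)


def demo() -> dict:
    """Alice sends to Bob under one sender key; Eve copies Bob's ratchet state after message 2."""
    sender_key = os.urandom(32)  # shared once with each member over the pairwise channels
    alice, bob = SenderKeyChain(sender_key), SenderKeyChain(sender_key)
    sent = [alice.encrypt(p) for p in (b"msg one", b"msg two", b"msg three", b"msg four")]
    bob.decrypt(*sent[0])
    bob.decrypt(*sent[1])
    eve = SenderKeyChain(bob.chain_key, bob.counter)  # Bob's device state is copied here
    eve_reads = [eve.decrypt(n, c) for n, c in sent[2:]]  # no self-healing: every later message leaks
    try:
        SenderKeyChain(bob.chain_key, bob.counter).decrypt(*sent[0])
        past_protected = False
    except ValueError:
        past_protected = True  # forward secrecy: keys for earlier messages no longer exist
    new_key = os.urandom(32)  # the only repair: a fresh sender key, redistributed pairwise
    alice, bob = SenderKeyChain(new_key), SenderKeyChain(new_key)
    n, c = alice.encrypt(b"msg five")
    return {"eve_reads": eve_reads, "past_protected": past_protected,
            "bob_reads": bob.decrypt(n, c), "eve_after_rotation": SenderKeyChain(eve.chain_key).decrypt(n, c)}
```

Run `demo()` to see the three outcomes side by side: the leaked state decrypts messages three and four, refuses message one, and produces garbage once the key has been rotated.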
David Hampson (3 months ago)
Very timely considering the Facetime Group chat was shut down today!
Marci124 (3 months ago)
Another related and confirmed method for government spying in E2EE messaging is them intercepting a confirmation SMS and registering a new device to your account, most of which are tied to a phone number. This of course (legally) requires a warrant on at least the phone number, and if they have that you're probably screwed anyway.
GoatzAreEpic Maokai (3 months ago)
I love Dr Mike's videos, he just explains it so clearly for me personally and is so entertaining to listen to
Photelegy (3 months ago)
6:12 Can they really bend the fabric of spacetime itself? 😯
Shaun Cymru (3 months ago)
Sean has his name encrypted...it should be S h a u n.
Steve Cooper (3 months ago)
Sorry everyone, I didn't mean to
Jonathan Crowder (3 months ago)
It's about time we stopped sharing private information about Alice and Bob.. #StopDoxingAliceNBob
Barney Laurance (3 months ago)
I don't think avoiding the naive pair-wise messaging and instead having the server distribute the messages is just a performance optimisation. It presumably also stops a dishonest participant from sending different messages to different members of the group. If I was just doing pairwise messaging but in a system that looked like a group chat, I could send Steve a message "Fancy a diet cola", and send Sean a message "Fancy a coffee". They'd both say yes and think they were in a group of people unanimous in its preference for a particular caffeinated drink.
Barney Laurance (3 months ago)
+Android480 Yes, but if the messages were end-to-end encrypted in a pairwise way then the server would have no way to check whether the content matched up or not.
Android480 (3 months ago)
I totally don't have a grasp on this, but I'm just curious: wouldn't the server be in charge of distributing these messages and forwarding these keys, meaning the only way to send a different message to different people would involve the server code being complicit? I'm sure it's hackable somehow, but generally no one group member should be able to send different messages.
AndOgre (3 months ago)
I think it's all Steve's fault. Don't allow him in your group conversations.
Fabrizio Lungo (3 months ago)
Charlie thought this would finally be his time to shine.
mjbirdClavdivs (3 months ago)
This sounds a lot like PGP, except that in PGP the "sender key" is sent with each message using the public key of all the recipients. This makes the package marginally bigger and more cumbersome, but it's self-healing and asynchronous.
sogerc1 (3 months ago)
No wonder Alice and Bob did not join this group conversation, it's not secure!
Joz Ra (3 months ago)
I hope Alice and Bob will come back soon to send some encrypted data.
The Real Maxis (3 months ago)
Smi, Mario!
Android480 (3 months ago)
aFailure InCode (3 months ago)