
Why WhatsApp won't DGA

This week, messaging app WhatsApp was shut down by the government in Brazil for 48 hours. It is worrying that a government did this. It is also worrying that they technically could, at least to the point where it was unusable for most people in the country.
Rob Graham suggested WhatsApp should do what botnets have been doing for years to make the individual bots find the command and control server, even in the face of regular take-down by law enforcement and security firms: use domain generation algorithms (DGAs).
Rob’s post is worth a read, if only because it shows that there may be things to be learned from how botnets operate, despite the fact that they generally use evil means to do evil things. But much as it is a nice idea, DGAs won’t work for WhatsApp.
Firstly, the pseudorandomly generated domains still need to point to one or more IP addresses. This quickly becomes a single point of failure: a government that wants to block the service can simply block this IP address. WhatsApp can respond by moving its servers somewhere else, but the number of places where it can go is limited. You can’t run WhatsApp from your parents’ basement. A game of whack-a-mole between the company and law enforcement wouldn’t give a great user experience either.
Secondly, DGAs make “sinkholing” very easy. This is the process where someone (typically a security researcher or a law enforcement officer) registers one of the pseudorandom domains used by the service and consequently finds that the individual nodes (bots or WhatsApp clients) connect to their server. Note that malware researchers regularly crack the DGAs used by botnets (which tend to hide their code far better than WhatsApp would ever want to do), and even if they can’t do that, they could just run the app in a sandbox and see what domains it performs DNS lookups against.
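The determinism that makes sinkholing easy, as an added example (not code from the original post, from WhatsApp or from any real botnet): a toy date-seeded generator showing that anyone who recovers the algorithm can forecast the rendezvous domains and spot clients looking them up. The seed, TLD list, date and resolver log lines are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

SEED = b"constructed-demo-seed"  # assumption: value recovered from the client
TLDS = ("com", "net", "org")     # assumption: TLDs the toy generator uses


def domains_for(day, count=5, seed=SEED):
    """Toy DGA: the same seed and day give the same domains to everyone."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        # First 12 digest bytes become letters a-z; byte 12 picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        out.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return out


def forecast(start, days):
    """Map every domain clients will try in the window to the day it is used."""
    table = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in domains_for(day):
            table[name] = day
    return table


def match_dns_log(lines, table):
    """Return (client_ip, domain) for each lookup of a forecast domain."""
    hits = []
    for line in lines:
        _timestamp, client, qname = line.split()
        name = qname.rstrip(".").lower()  # normalise trailing dot and case
        if name in table:
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    today = date(2024, 1, 1)  # constructed date
    table = forecast(today, days=7)
    # Constructed resolver log: timestamp, client IP, queried name.
    log = [
        f"2024-01-01T09:00:01Z 10.0.0.5 {domains_for(today)[0]}.",
        "2024-01-01T09:00:02Z 10.0.0.5 example.org.",
        f"2024-01-01T09:00:03Z 10.0.0.9 {domains_for(today)[3].upper()}",
    ]
    print(len(table), "domains forecast; hits:", match_dns_log(log, table))
```

The forecast table is what a researcher would use to pick domains to register, and equally what a blocking authority would feed into a DNS filter a week ahead.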
In theory, a service can be set up so that sinkholing can’t do any harm, for instance by using public key cryptography and only communicating with servers that prove possession of the private key matching a known public key. In practice, things are more complicated. It turns every security vulnerability that requires a man-in-the-middle position to exploit into one that anyone can exploit at scale (man-in-the-middle scales badly for most attackers). It also provides all kinds of DDoS opportunities, both against WhatsApp and against unrelated third-party services that the domains can be pointed to.
It is often said that if you use a free product on the Internet, you are the product rather than the customer. Generally speaking, this is true. But unlike individual bots, which are rightly often called “zombies”, these product-customers can and will leave if the service becomes unavailable a lot of the time.
Should a service like WhatsApp really be concerned by governments trying to take it down, it will be pleased to know that Tor has become a lot faster in recent years. And while running your infrastructure as a Tor hidden service won’t prevent a really powerful three-letter agency from taking it down, it should provide ample protection against silly judges with even sillier court orders.