Side-channel via delivery receipt timing on Signal and WhatsApp (Careless Whisper research)
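Research reveals a side-channel vulnerability in Signal and WhatsApp, which use the Signal Protocol for end-to-end encryption: although the encryption itself is secure, unencrypted delivery receipts leak user behavioural patterns (such as when and where they communicate) through RTT characteristics. An attacker can use this information to infer user activity. Signal mitigates part of the risk through its architecture but cannot eliminate it entirely; WhatsApp faces a greater threat. The main current mitigation is rate limiting, and there is no substantive protocol fix yet. The research underscores the importance of metadata signals in security assessment.
2026-1-9 05:58:22 Author: www.reddit.com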

Following up on the Careless Whisper research from University of Vienna / SBA Research (published late 2024, proof-of-concept public as of December 2025):

Protocol-level vulnerability:

Both Signal and WhatsApp use the Signal Protocol for E2EE, which is cryptographically sound. Both platforms, however, emit unencrypted delivery receipts—protocol-level acknowledgements of message delivery.

The research demonstrates a side-channel where RTT characteristics of delivery receipts leak recipient behavioural patterns. This is not a cryptographic issue. This is an information-leakage issue where an auxiliary channel (delivery receipt timing) reveals what the primary channel (encrypted messages) is supposed to conceal: who's communicating, when, and from where.

Attack surface:

  • Delivery receipts are unencrypted, per-message acknowledgements

  • RTT measurements (even with jitter) remain correlated with device state

  • Repeated probing builds statistical fingerprints of behavioural patterns

  • Victims experience no notifications or evidence of probing

Platform architectures:

  • Signal: Sealed sender + metadata encryption makes this harder but not impossible. Server doesn't know sender identity, but receipt timing still correlates with recipient availability.

  • WhatsApp: Server-side metadata handling more permissive. Receipt timing correlates with both sender and recipient state.

Signal's architecture mitigates this better but doesn't eliminate it. WhatsApp's architecture provides less protection.

Current mitigation status:

  • Rate limiting: Signal implemented (Dec 2025), WhatsApp has not

  • Protocol fixes: Neither platform has implemented substantive changes

  • User-level controls: Disabling receipts helps, but attacks work at lower frequencies

Why this matters for protocol design:

This is a good case study in why you can't evaluate messaging security through encryption alone. You need to think about:

  • What metadata signals does the system emit?

  • Can those signals be correlated to reveal patterns?

  • What does the threat model assume about these signals?

For detailed technical analysis, research citations, mitigation strategies, and threat model implications.
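
The post's points that receipt RTT stays correlated with device state even with jitter, and that a rate limit only shrinks the sampling budget, can be checked with a small simulation. This is an added example, not part of the original post or the Careless Whisper proof-of-concept; the RTT means, noise level and jitter range are constructed assumptions, not measured values.

```python
import random
import statistics

# Constructed model parameters (assumptions, not measurements from the research).
BASE_RTT_MS = {"active": 350.0, "idle": 500.0}   # mean receipt RTT per device state
NETWORK_NOISE_MS = 80.0                          # std-dev of ordinary network noise


def receipt_rtt(state, jitter_ms, rng):
    """One simulated receipt RTT: state mean + network noise + added random delay."""
    return (BASE_RTT_MS[state]
            + rng.gauss(0.0, NETWORK_NOISE_MS)
            + rng.uniform(0.0, jitter_ms))


def inference_accuracy(samples_per_window, jitter_ms, trials=2000, seed=1):
    """Fraction of trials in which averaging `samples_per_window` RTTs
    recovers the true device state. 0.5 would mean the jitter hides the state."""
    rng = random.Random(seed)
    # Midpoint between the two state means, shifted by the mean of the jitter.
    threshold = sum(BASE_RTT_MS.values()) / 2 + jitter_ms / 2
    correct = 0
    for _ in range(trials):
        state = rng.choice(["active", "idle"])
        mean_rtt = statistics.fmean(
            receipt_rtt(state, jitter_ms, rng) for _ in range(samples_per_window))
        guess = "idle" if mean_rtt > threshold else "active"
        correct += guess == state
    return correct / trials


def leak_table(jitter_ms=1000.0, budgets=(1, 4, 16, 64, 256)):
    """Accuracy per sample budget; a rate limit caps the budget per time window."""
    return {n: inference_accuracy(n, jitter_ms) for n in budgets}


if __name__ == "__main__":
    for n, acc in leak_table().items():
        print(f"{n:4d} receipts/window -> state recovered in {acc:.1%} of trials")
```

In this model a 1-second random delay hides the state from a single receipt, but averaging removes it as the sample count grows, so the setting that matters when evaluating a mitigation is how many receipts one sender can collect per window.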


Source: https://www.reddit.com/r/netsec/comments/1q80cwj/sidechannel_via_delivery_receipt_timing_on_signal/