I agree with where you’re coming from. really. it just raises the larger common question of who can you really trust – we’re all trying to identify the lesser of, well, all evils. which i think proves intriguing for many privacy enthusiasts since the question provokes creativity in finding a solution.
this isn’t exactly what i was going for. it’s like the difference between “hacking” someone’s root pw (which was set to
password), vs. finding something like… well, here’s the segue:
right, and looking from afar, it looks whatsapp is basically secure as signal then, right? does this mean NGO Group also owned all Signal users with CVE-2019-3568? i mean…
WhatsApp implemented their own implementation of the complex SRTCP protocol, and it is implemented in native code, i.e. C/C++ and not Java. During our patch analysis of CVE-2019-3568, we found two newly added size checks that are explicitly described as sanitation checks against memory overflows when parsing and handling the network packets in memory.
As the entire SRTCP module is pretty big, there could be additional patches that we’ve missed. In addition, judging by the nature of the fixed vulnerabilities and by the complexity of the mentioned module, there is also a probable chance that there are still additional unknown parsing vulnerabilities in this module.
…and we can definitely shame Telegram for not open sourcing their ways, but the opening line of the conclusion above doesn’t instill much confidence in the alternatives.