🌐 Website Issue | Wire has misleading warning, contacts are not stored in plaintext, chat participants are #949

New Issue

2019-05-26T13:00:16Z

Mikaela commented

2019-05-26 13:00:16 +00:00

(Migrated from github.com)

I read WhatsApp and Wire privacy policies earlier today and I think Wire said that they hash contacts.

I am opening this as a note to self or if someone else takes a look at the linked article and compares this.

I read WhatsApp and Wire privacy policies earlier today and I think Wire said that they hash contacts. I am opening this as a note to self or if someone else takes a look at the linked article and compares this.

Mikaela commented

2019-05-26 13:23:00 +00:00

(Migrated from github.com)

Wire stores metadata such as your contacts in plaintext (= not encrypted).

I think our warning is misleading or misunderstood from the actual problem.

"Hey Wire, why does your database schema include plaintext storage of threads between users?" security researcher Thomas H. Ptáček‏ tweeted on Wednesday, with a link to some of Wire's code (Wire is open source).

https://www.vice.com/en_us/article/gvzw5x/secure-messaging-app-wire-stores-everyone-youve-ever-contacted-in-plain-text

So Wire knows between whom chats are happening, not the actual contacts as their privacy policy says:

If you agree to give Wire access to your address book contacts, only hashed phone numbers will be used to match you with other users. The content of your address book is never uploaded to or stored on our servers.

https://wire.com/en/legal/#privacy

I will leave this open until this is resolved or I can find if this has been fixed.

Edit:

To provide secure chat, calls, and file sharing, and to offer a great user experience, Wire has some data about its users on the server. This data includes things like profile name, username, and profile picture, but also things like user’s list of connections and conversations.

https://medium.com/@wireapp/product-design-decisions-for-secure-messengers-e8a5e7d1a373

I think this could be a good basis for the fixed warning.

> Wire stores metadata such as your contacts in plaintext (= not encrypted). I think our warning is misleading or misunderstood from the actual problem. > "Hey Wire, why does your database schema include plaintext storage of threads between users?" security researcher Thomas H. Ptáček‏ tweeted on Wednesday, with a link to some of Wire's code (Wire is open source). * https://www.vice.com/en_us/article/gvzw5x/secure-messaging-app-wire-stores-everyone-youve-ever-contacted-in-plain-text So Wire knows between whom chats are happening, not the actual contacts as their privacy policy says: > If you agree to give Wire access to your address book contacts, only hashed phone numbers will be used to match you with other users. The content of your address book is never uploaded to or stored on our servers. * https://wire.com/en/legal/#privacy I will leave this open until this is resolved or I can find if this has been fixed. * * * * * Edit: > To provide secure chat, calls, and file sharing, and to offer a great user experience, Wire has some data about its users on the server. This data includes things like profile name, username, and profile picture, but also things like user’s list of connections and conversations. * https://medium.com/@wireapp/product-design-decisions-for-secure-messengers-e8a5e7d1a373 I think this could be a good basis for the fixed warning.

This repo is archived. You cannot comment on issues.

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#949