0

I used GroupMe on my personal phone on my school WiFi and sent some very private messages. I have confirmed that my school is not performing a MITM attack by comparing grc fingerprints.

However, I’ve read that GroupMe does not provide end-to-end encryption but only standard encryption. What does this mean? Can my school see the exact content of my messages if they wanted to?

Anders
  • 65,052
  • 24
  • 180
  • 218
Mike
  • 101
  • 2
  • 5
  • Unfortunately, "standard encryption" isn't really a term that means anything. "End-to-end encryption" typically means encryption at rest (on your phone's storage, their server storage, etc) _and_ encryption in transit (communications between devices and their servers). In theory, as long as the app has encryption in transit, no outside entities can easily read your conversations. – Mr. Llama Oct 16 '18 at 15:15
  • 2
    @Mr.Llama that's not what e2e encryption means – schroeder Oct 16 '18 at 15:17
  • 2
    @mike if it is encrypted to the GroupMe servers, and your school is not inspecting encrypted traffic, then they cannot see the contents of the traffic. – schroeder Oct 16 '18 at 15:23

2 Answers2

2

If the application performs encryption on the traffic (and you haven't configured your phone in a special way for this net, like adding an extra CA provided by them), your school will not know what you said.

Not to mention that even if they had the technical ability to view the traffic, it could be illegal for them to look at your messages.

On the other hand, you mention that you “confirmed that the school is not performing a MITM attack by comparing grc fingerprints”. I guess you mean that you went to https://www.grc.com/fingerprints.htm and… compared the fingerprints listed there to the ones shown by your browser?

This has a couple of issues:

  • First of all, a MITM that intercepted all traffic might also replace the fingerprints that page shows (they would need to be quite determined, but it'd be possible). It would be better that you compared the fingerprints shown by your browser in the suspected network, with those when you are on a believed-to-be-safe network (eg. your home). Note that by default no client would accept such MITM certificates (the system would need to be configured to trust them). And if GroupME app is properly coded, it won't accept an invalid certificate…

  • That they are not doing MITM on one server doesn't mean they don't on any. They might not MITM pages that are listed as safe in a their proxy solution, but OTOH intercept with their own certificate pages in a different category (eg. social) to perform additional checking.

Even if the connection was not intercepted, GroupMe itself (or anyone with proper access to where it saves the data) could technically access that (it may or may not be legal).

This is in contrast to end-to-end encryption, where only the other device can decrypt the message (and where checking the conversation fingerprint with the other recipient shows that there has been no interception).

Nonetheless, even if the message safely reached the other device, a third party could still know about it, including by being forwarded, shown to another pupil (see what Mike told me!), confiscated, or even from analysis of external factors (a teacher may not know their exact communication during an exam, but if two pupils hold the same answers, he will conclude they cheated).

Ángel
  • 18,188
  • 3
  • 26
  • 63
  • +1 for the last paragraph. Even if the school did MitM the connection, I doubt they have time to look at what every single student is saying on their group chats. Instead the way you are most likely to get in trouble **in all circumstances** is if the person on the other end of the conversation shared with someone else. – Conor Mancone Oct 16 '18 at 16:37
  • @Ángel yes, I used my own data (LTE) to compare the sha1 fingerprint with the grc fingerprints website. Also, while using a school computer, the fingerprints still matched. What does this mean? – Mike Oct 16 '18 at 18:12
1

In the context of instant messaging, I would interpret these terms like this:

  • End-to-end encryption means that messages are encrypted all the way from your phone to the recievers phone. So neither a MITM nor the operator of the service can read the plain text.
  • "Ordinary" encryption means that messages are encrypted to and from the operators servers. So a MITM can not read the plain text, but the operator of the service can.

Assuming GroupMe is using good encryption (I have no idea if they do), your shool shouldn't be able to read your messages. However, GroupMe or anyone with access to their servers (e.g. the police, hackers, etc.) could read them.

I am assuming here that you have not given any control over your phone to the school, and that you have not installed any software or certificates from them. If you have, assume that they can see everything.

Anders
  • 65,052
  • 24
  • 180
  • 218