Good News: WhatsApp Gets Serious About End To End Encryption

from the good-to-see dept

We recently noted that it was really good news to see companies like Google and Apple finally taking end user encryption seriously, and it appears that’s spreading. The super-popular chat messaging app WhatsApp, which was acquired by Facebook not too long ago, just turned on full end-to-end encryption, powered by Open Whisper Systems, the makers of such great tools as TextSecure, which is the basis for the new encryption:

The most recent WhatsApp Android client release includes support for the TextSecure encryption protocol, and billions of encrypted messages are being exchanged daily. The WhatsApp Android client does not yet support encrypted messaging for group chat or media messages, but we?ll be rolling out support for those next, in addition to support for more client platforms. We?ll also be surfacing options for key verification in clients as the protocol integrations are completed.

WhatsApp runs on an incredible number of mobile platforms, so full deployment will be an incremental process as we add TextSecure protocol support into each WhatsApp client platform. We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default.

It sounds like this project started prior to the Facebook acquisition, so it’s great to see it continue to move forward either way. Just recently, the EFF rated various messaging apps for their security (which resulted in some controversy…), and WhatsApp didn’t score all that well, while TextSecure got a perfect score. Making messaging more and more secure is incredibly important, so it’s great to see it happening here.

Filed Under: ,
Companies: whatsapp, whisper systems

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Good News: WhatsApp Gets Serious About End To End Encryption”

Subscribe: RSS Leave a comment
19 Comments
Shmerl says:

WhatsApp is horrible

1. It uses non compliant XMPP (you can’t use third party clients).
2. It’s not federated (walled garden). So you can’t communicate with users from other XMPP networks.
3. It’s security is flawed by design. They consciously made it into an insecure service by dropping the registration process (creating user name + password) like in any normal XMPP, and instead using identification tied to user’s device to authenticate. All that to exploit people’s laziness (saves 5 minutes of the registration process for the price of constant broken security).

Such developers are simply doing a huge disservice to their users.

Anonymous Coward says:

Re: WhatsApp is horrible

And:

4. It’s not open-source, therefore it cannot be independently peer-reviewed. And therefore we cannot verify that it isn’t loaded with security holes and backdoors.

(Of course sometimes even open source code has security holes. But since it can be independently peer-reviewed, we have a fighting chance of finding them. With this…we have none.)

If it’s not open-source, it’s shit, and NOBODY should trust it.

Anonymous Coward says:

If they still use US servers then that changes nothing. And even if they didn’t it is still Facebook which afaik is a US company so no server would be save from any security agency.

At least I don’t see much of a difference between them listening in somewhere in the middle and you never know about it or if they send a demand to facebook and you never know about it.

Anonymous Coward says:

Re: Re:

Based on the description given in the WhatsApp article the end to end encryption would only store the keys at the end users not in a central server so all they could do with the server in the middle is get a copy of the encrypted stream but not be able to decrypt it so no worries of someone getting the message in real time.

However since the ID is tied to a device you don’t have anonymity so they can still try to get access to the source or destination device. A plus is that perfect forward secrecy is proposed so reading of the message shouldn’t be possible except for when the man in the middle knows the long term key on the ends that is used to encrypt the temp key used for the current set of messages.

Should be interesting to see what happens from this push in the right direction.

Anonymous Coward says:

Re: Re: Re:

A plus is that perfect forward secrecy is proposed so reading of the message shouldn’t be possible except for when the man in the middle knows the long term key on the ends

Good to know that someone uses PFS but not sure how safe that is in the current form(using mobile devices). Looks like they have to send two security letters now. One to Facebook and one to whoever build the phone i.e. Apple. And if that doesnt work there is always the blackmarket for 0days or if all fails then I bet there will be a new law.

The whole security thing confuses me a bit atm. Should I be happy they don’t want new laws but that might mean they have other ways (e.g. 0days) to access the data or should I be for new laws which would mean they cant access the data at the moment?

Anonymous Coward says:

End to End encryption is great, but only one aspect of security. The fact that the software is proprietary (and thus impossible to publicly verify), WhatsApp has control of chat metadata and address books, and other reasons mentioned above.

Now rolling out strong crypto on the most used mobile messaging service in the world is an astounding feat. But we must critically weigh the harm that’s being caused when we encourage users to stick with interoperable, proprietary, unverifiable options.

Matrix.org (user link) says:

Secure Messaging

It’s great that Whatsapp are going ahead with end to end encryption but you should be able to choose whatever app you like to communicate securely with someone. Matrix.org’s (http://matrix.org/) goal is to make real-time communication over IP as seamless, secure and interoperable as email by providing the world with a new open standard which allows communication services themselves to interoperate. For the end consumer this will mean they can choose to use their favourite app because they get the most value from it and trust the provider with their data, and still be able to communicate with friends using competing apps and services.

KoD (profile) says:

TextSecure

I downloaded and started using TextSecure after my wife sent me a link to the EFF article rating different chat apps. I have since managed to convince a dozen or so of my closest contacts to start using it as well. It really is an excellent program. Very slick and clean. I just got the Android 5.0 update yesterday, which now has always-on VPN :):):)

Anonymous Coward says:

TD fail.

User Data is the life blood of facebook and googles’ existence- their business models are antithetical to privacy/security and ANY tech that would “honestly” enable them. ‘Kind Fox offer’s protection plan for it’s fleet of hen houses’ articles like this are disgraceful and ruinous of TD’s reputation. This is yet another example of TD’s generous propaganda passes to silicon valley- probably pays much better then subscribers and click ad’s.

Naomi (profile) says:

End to End encryption is great, but only one aspect of security. The fact that the software is proprietary (and thus impossible to publicly verify), WhatsApp has control of chat metadata and address books, and other reasons mentioned above.

Now rolling out strong crypto on the most used mobile messaging service in the world is an astounding feat. But we must critically weigh the harm that’s being caused when we encourage users to stick with interoperable, proprietary, unverifiable options.
WhatsApp Hacken

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...