Good News: WhatsApp Gets Serious About End To End Encryption

from the good-to-see dept

We recently noted that it was really good news to see companies like Google and Apple finally taking end user encryption seriously, and it appears that’s spreading. The super-popular chat messaging app WhatsApp, which was acquired by Facebook not too long ago, just turned on full end-to-end encryption, powered by Open Whisper Systems, the makers of such great tools as TextSecure, which is the basis for the new encryption:

The most recent WhatsApp Android client release includes support for the TextSecure encryption protocol, and billions of encrypted messages are being exchanged daily. The WhatsApp Android client does not yet support encrypted messaging for group chat or media messages, but we’ll be rolling out support for those next, in addition to support for more client platforms. We’ll also be surfacing options for key verification in clients as the protocol integrations are completed.

WhatsApp runs on an incredible number of mobile platforms, so full deployment will be an incremental process as we add TextSecure protocol support into each WhatsApp client platform. We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default.

It sounds like this project started prior to the Facebook acquisition, so it’s great to see it continue to move forward either way. Just recently, the EFF rated various messaging apps for their security (which resulted in some controversy…), and WhatsApp didn’t score all that well, while TextSecure got a perfect score. Making messaging more and more secure is incredibly important, so it’s great to see it happening here.

Companies: whatsapp, whisper systems


Comments on “Good News: WhatsApp Gets Serious About End To End Encryption”

19 Comments
Shmerl says:

WhatsApp is horrible

1. It uses non-compliant XMPP (you can’t use third-party clients).
2. It’s not federated (walled garden). So you can’t communicate with users from other XMPP networks.
3. Its security is flawed by design. They consciously made it into an insecure service by dropping the registration process (creating user name + password) like in any normal XMPP, and instead using identification tied to the user’s device to authenticate. All that to exploit people’s laziness (saves 5 minutes of the registration process for the price of constant broken security).

Such developers are simply doing a huge disservice to their users.

Anonymous Coward says:

Re: WhatsApp is horrible

And:

4. It’s not open-source, therefore it cannot be independently peer-reviewed. And therefore we cannot verify that it isn’t loaded with security holes and backdoors.

(Of course sometimes even open source code has security holes. But since it can be independently peer-reviewed, we have a fighting chance of finding them. With this…we have none.)

If it’s not open-source, it’s shit, and NOBODY should trust it.

Anonymous Coward says:

If they still use US servers then that changes nothing. And even if they didn’t, it is still Facebook, which afaik is a US company, so no server would be safe from any security agency.

At least I don’t see much of a difference between them listening in somewhere in the middle and you never know about it or if they send a demand to facebook and you never know about it.

Anonymous Coward says:

Re: Re:

Based on the description given in the WhatsApp article, the end-to-end encryption would only store the keys at the end users, not in a central server, so all they could do with the server in the middle is get a copy of the encrypted stream but not be able to decrypt it, so no worries of someone getting the message in real time.

However, since the ID is tied to a device, you don’t have anonymity, so they can still try to get access to the source or destination device. A plus is that perfect forward secrecy is proposed, so reading of the message shouldn’t be possible except for when the man in the middle knows the long-term key on the ends that is used to encrypt the temp key used for the current set of messages.

Should be interesting to see what happens from this push in the right direction.

Anonymous Coward says:

Re: Re: Re:

A plus is that perfect forward secrecy is proposed so reading of the message shouldn’t be possible except for when the man in the middle knows the long term key on the ends

Good to know that someone uses PFS, but not sure how safe that is in the current form (using mobile devices). Looks like they have to send two security letters now. One to Facebook and one to whoever built the phone, i.e. Apple. And if that doesn’t work there is always the black market for 0days, or if all fails then I bet there will be a new law.

The whole security thing confuses me a bit atm. Should I be happy they don’t want new laws, but that might mean they have other ways (e.g. 0days) to access the data, or should I be for new laws, which would mean they can’t access the data at the moment?

Anonymous Coward says:

End to End encryption is great, but only one aspect of security. The fact that the software is proprietary (and thus impossible to publicly verify), WhatsApp has control of chat metadata and address books, and other reasons mentioned above.

Now rolling out strong crypto on the most used mobile messaging service in the world is an astounding feat. But we must critically weigh the harm that’s being caused when we encourage users to stick with interoperable, proprietary, unverifiable options.

Matrix.org (user link) says:

Secure Messaging

It’s great that Whatsapp are going ahead with end to end encryption but you should be able to choose whatever app you like to communicate securely with someone. Matrix.org’s (http://matrix.org/) goal is to make real-time communication over IP as seamless, secure and interoperable as email by providing the world with a new open standard which allows communication services themselves to interoperate. For the end consumer this will mean they can choose to use their favourite app because they get the most value from it and trust the provider with their data, and still be able to communicate with friends using competing apps and services.

KoD (profile) says:

TextSecure

I downloaded and started using TextSecure after my wife sent me a link to the EFF article rating different chat apps. I have since managed to convince a dozen or so of my closest contacts to start using it as well. It really is an excellent program. Very slick and clean. I just got the Android 5.0 update yesterday, which now has always-on VPN :):):)

Anonymous Coward says:

TD fail.

User data is the lifeblood of Facebook and Google’s existence - their business models are antithetical to privacy/security and ANY tech that would “honestly” enable them. ‘Kind Fox offers protection plan for its fleet of hen houses’ articles like this are disgraceful and ruinous of TD’s reputation. This is yet another example of TD’s generous propaganda passes to Silicon Valley - probably pays much better than subscribers and click ads.

