Good News: WhatsApp Gets Serious About End To End Encryption

from the good-to-see dept

We recently noted that it was really good news to see companies like Google and Apple finally taking end user encryption seriously, and it appears that's spreading. The super-popular chat messaging app WhatsApp, which was acquired by Facebook not too long ago, just turned on full end-to-end encryption, powered by Open Whisper Systems, the makers of such great tools as TextSecure, which is the basis for the new encryption:

"The most recent WhatsApp Android client release includes support for the TextSecure encryption protocol, and billions of encrypted messages are being exchanged daily. The WhatsApp Android client does not yet support encrypted messaging for group chat or media messages, but we’ll be rolling out support for those next, in addition to support for more client platforms. We’ll also be surfacing options for key verification in clients as the protocol integrations are completed.

"WhatsApp runs on an incredible number of mobile platforms, so full deployment will be an incremental process as we add TextSecure protocol support into each WhatsApp client platform. We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default."

It sounds like this project started prior to the Facebook acquisition, so it's great to see it continue to move forward either way. Just recently, the EFF rated various messaging apps for their security (which resulted in some controversy...), and WhatsApp didn't score all that well, while TextSecure got a perfect score. Making messaging more and more secure is incredibly important, so it's great to see it happening here.

Filed Under: encryption, messaging
Companies: whatsapp, whisper systems


Reader Comments

  1. Shmerl, 18 Nov 2014 @ 3:15pm

    WhatsApp is horrible

    1. It uses non-compliant XMPP (you can't use third party clients).
    2. It's not federated (walled garden). So you can't communicate with users from other XMPP networks.
    3. Its security is flawed by design. They consciously made it into an insecure service by dropping the registration process (creating user name + password) like in any normal XMPP, and instead using identification tied to user's device to authenticate. All that to exploit people's laziness (saves 5 minutes of the registration process for the price of constant broken security).

    Such developers are simply doing a huge disservice to their users.

  2. Anonymous Coward, 18 Nov 2014 @ 3:27pm

    If they still use US servers then that changes nothing. And even if they didn't it is still Facebook which afaik is a US company so no server would be safe from any security agency.

    At least I don't see much of a difference between them listening in somewhere in the middle and you never know about it or if they send a demand to facebook and you never know about it.

  3. Anonymous Coward, 18 Nov 2014 @ 3:59pm

    Re: WhatsApp is horrible

    And:

    4. It's not open-source, therefore it cannot be independently peer-reviewed. And therefore we cannot verify that it isn't loaded with security holes and backdoors.

    (Of course sometimes even open source code has security holes. But since it can be independently peer-reviewed, we have a fighting chance of finding them. With this...we have none.)

    If it's not open-source, it's shit, and NOBODY should trust it.

  4. Anonymous Coward, 18 Nov 2014 @ 4:29pm

    Re:

    Based on the description given in the WhatsApp article the end to end encryption would only store the keys at the end users not in a central server so all they could do with the server in the middle is get a copy of the encrypted stream but not be able to decrypt it so no worries of someone getting the message in real time.

    However since the ID is tied to a device you don't have anonymity so they can still try to get access to the source or destination device. A plus is that perfect forward secrecy is proposed so reading of the message shouldn't be possible except for when the man in the middle knows the long term key on the ends that is used to encrypt the temp key used for the current set of messages.

    Should be interesting to see what happens from this push in the right direction.

  5. Anonymous Coward, 18 Nov 2014 @ 5:25pm

    End to End encryption is great, but only one aspect of security. The fact that the software is proprietary (and thus impossible to publicly verify), WhatsApp has control of chat metadata and address books, and other reasons mentioned above.

    Now rolling out strong crypto on the most used mobile messaging service in the world is an astounding feat. But we must critically weigh the harm that's being caused when we encourage users to stick with interoperable, proprietary, unverifiable options.

  6. Anonymous Coward, 18 Nov 2014 @ 5:27pm

    Re:

    *uninteroperable (siloed)

  7. Anonymous Coward, 18 Nov 2014 @ 6:56pm

    Re: Re:

    "A plus is that perfect forward secrecy is proposed so reading of the message shouldn't be possible except for when the man in the middle knows the long term key on the ends"

    Good to know that someone uses PFS but not sure how safe that is in the current form (using mobile devices). Looks like they have to send two security letters now. One to Facebook and one to whoever built the phone, i.e. Apple. And if that doesn't work there is always the black market for 0days or if all fails then I bet there will be a new law.

    The whole security thing confuses me a bit atm. Should I be happy they don't want new laws but that might mean they have other ways (e.g. 0days) to access the data or should I be for new laws which would mean they can't access the data at the moment?

  8. Matrix.org, 19 Nov 2014 @ 2:55am

    Secure Messaging

    It's great that WhatsApp are going ahead with end to end encryption but you should be able to choose whatever app you like to communicate securely with someone. Matrix.org's (http://matrix.org/) goal is to make real-time communication over IP as seamless, secure and interoperable as email by providing the world with a new open standard which allows communication services themselves to interoperate. For the end consumer this will mean they can choose to use their favourite app because they get the most value from it and trust the provider with their data, and still be able to communicate with friends using competing apps and services.

  9. Anonymous Coward, 19 Nov 2014 @ 5:00am

    Sure Google have *announced* it, but when will they deliver? 5.0 does not bring encryption by default, not even on their own devices. You still have to manually encrypt your disk.

  10. KoD, 19 Nov 2014 @ 6:31am

    TextSecure

    I downloaded and started using TextSecure after my wife sent me a link to the EFF article rating different chat apps. I have since managed to convince a dozen or so of my closest contacts to start using it as well. It really is an excellent program. Very slick and clean. I just got the Android 5.0 update yesterday, which now has always-on VPN :):):)

  11. Anonymous Coward, 19 Nov 2014 @ 8:29am

    Surely the main things for these apps/programs are that:

    a) they work
    b) there are some instructions on how to use them/set them up
    c) they are simple to set up/use. No good if it takes a degree in I.T. to get it running
    d) there is no chance of them being broken/hacked

  12. Anonymous Coward, 19 Nov 2014 @ 10:22am

    TD fail.

    User data is the lifeblood of Facebook's and Google's existence - their business models are antithetical to privacy/security and ANY tech that would "honestly" enable them. 'Kind Fox offers protection plan for its fleet of hen houses' articles like this are disgraceful and ruinous of TD's reputation. This is yet another example of TD's generous propaganda passes to Silicon Valley - probably pays much better than subscribers and click ads.

  13. بلادى عاجل, 22 Nov 2014 @ 4:24am

    Thank you for a beautiful article, which I have benefited greatly from it will come back even gave a renewed look at more of the articles in your site

  15. Panneer, 5 May 2015 @ 11:01pm

    Works

    Finally it works for me!!! Status for WhatsApp in English

  16. Alex, 30 Jun 2015 @ 7:16am

    issue

    Please, can you tell me, such an application on this site https://sites.google.com/site/handyspionageapps/ will not be able to transmit data?

  17. Bob, 13 Jan 2017 @ 5:11am

    help! real or not?

    Can anyone tell me if this web page is fake or a real one - WhatsApp Hacken
    P.S. Sorry, it is in German

  18. Bob, 13 Jan 2017 @ 5:13am

    Re: help! real or not?

    update. here is the website http://whatsapphacken.pro/
