WhatsApp To Offer End-to-End Encryption

L-One-L-One (173461) writes In a surprise move, nine months after being bought by Facebook, WhatsApp has begun rolling out end-to-end encryption for its users. With true end-to-end encryption data becomes unaccessible to admins of WhatsApp or law enforcement authorities. This new feature first proposed on Android only has been developed in cooperation with Open Whisper Systems, based on TextSecure. With hundreds of million users, WhatsApp becomes by far the largest secure messaging application. FBI Director James Comey might not be pleased. Do you have a current favorite for encrypted online chat?

FBI Director James Comey may not care.

[nimbius]

FISA courts, secret warrants and GITMO still exist. If the government wants information on encrypted data being sent from a computer to a server, they'll quietly demand it from the root console. Systems that would seriously secure the user would be over the wire and on disk encryption, with keys dynamically generated and unknown to the provider. This however would also empower the user to seek privacy from facebook itself.

kids dont care but then again they arent allowed on my lawn. Stop using *cloud, *app, *book, *mail. Back in my day we ran our own mail and patronized services like freenode that ensure the security of their users and avoid pavlovian backflips for governments.

Re:FBI Director James Comey may not care.

[Aqualung812]

What root console? If it is really END TO END, then WhatsApp can't see the data either.

Re:FBI Director James Comey may not care.

[arth1]

If it is really END TO END, then WhatsApp can't see the data either.

True, but anyone sniffing the traffic can, if they have access to a decryption key. Not that we know of anyone who would possibly do that...

In my view, this encryption is not to be trusted unless and until it can accept keys that are generated outside the WhatsApp product. Otherwise, how much would you want to bet that the three letter agencies aren't getting a master key under a hush order?

Re:FBI Director James Comey may not care.

[Pi1grim]

The problem with WhatsApp is that it is closed-source, so you can't really check. You'll have to take their word for it. Also, they facilitate key exchange, so the whole "end-to-end" stuff is actually moot, since user is taken out of the loop and server can, at any time re-negotiate the keys and verify that MITM as a person A, that person B is trying to get in contact with. So it's all, once again, a lot of buzzwords, and zero security.

Re:FBI Director James Comey may not care.

[DaMattster]

Furthermore, you can bet the FBI and NSA are going to figure out a way to bruteforce the encryption anyhow.

Re:FBI Director James Comey may not care.

[Pi1grim]

They claimed it's TextSecure's algorithm, but, client is closed-sources, so who's going to check? Also, big question is key handling - if server assigns them or even generates them or at least verifies them - then whole "end-to-end" is just theater. I would believe them if key verification was given into user's hands and client's code was opensourced to check that it won't start black carbon/copying all the messages to some "friendly third parties".

Re:FBI Director James Comey may not care.

[gstoddart]

What root console? If it is really END TO END, then WhatsApp can't see the data either.

You assume that they either competently implemented encryption, or didn't maliciously leave themselves a back door for tracking and commercial purposes, or weren't secretly told by some three letter agency that if they didn't leave a backdoor they'd be in trouble.

Given that it's owned by Facebook, I'm not willing to attribute either competence or good intentions to anything they do.

At this point, I assume Zuckerfuck is a greedy asshole who made sure he's got room for data collection and monetizing, and that this isn't nearly as end-to-end as they claim.

And assuming that the government is in there pulling strings behind the scenes? Well, with the US government and large corporations, you pretty much have to assume that these days.

Re:FBI Director James Comey may not care.

[arth1]

This is the same company that lied about the capabilities of its photo app, as well as stored the photos insecurely.

Why would they have to? All they need to do is present Whatsapp with a hush order to hand over keys.
When Whatsapp generates and maintains the keys, there's no real security here.
I even think it's not unlikely that they have implemented this in cooperation with the three letter agencies, in order to lure people into thinking it is safe. And the great unwashed masses will be fooled, as always.

Re:FBI Director James Comey may not care.

[DigiShaman]

Yeah, pretty much. The power of subpoena to acquire those keys would be trivial.

Re:FBI Director James Comey may not care.

[the_B0fh]

Not just generated externally, but a way to confirm the private key is *NOT* sent to anyone.

Re:FBI Director James Comey may not care.

If it is really END TO END, then WhatsApp can't see the data either.

True, but anyone sniffing the traffic can, if they have access to a decryption key. Not that we know of anyone who would possibly do that...

In my view, this encryption is not to be trusted unless and until it can accept keys that are generated outside the WhatsApp product. Otherwise, how much would you want to bet that the three letter agencies aren't getting a master key under a hush order?

Facebook is the largest HUMINT database on the planet.

And they own WhatsApp.

On top of all that, they are a corporation within the United States.

Just curious what level of ignorance we have to walk around with here to assume they don't have the decryption key, and haven't had it since day zero.

How many more Snowdens need to come along to paint that picture any clearer?

Fuckety fuck fuck already.

Re:FBI Director James Comey may not care.

[rogoshen1]

would they even need that? vs decompiling the APK?

Re:FBI Director James Comey may not care.

[IamTheRealMike]

it's all, once again, a lot of buzzwords, and zero security.

That's a bit unfair. Yes, any security system that tries to be entirely transparent cannot really be end to end secure, but nobody has ever built a mainstream, successful deployment of end to end encryption that lets you use a service even if you don't trust it. There are many difficult problems to solve here. Forward secure end to end encryption behind the scenes is clearly an important stepping stone, and OWS has said they will expose things like key verification in future updates. Just because they haven't done everything all at once, and solved every hard problem, does not mean it's just a lot of buzzwords.

Re:FBI Director James Comey may not care.

[BradMajors]

While WhatsApp does have a security hole. Using WhatsApp is more secure than using no encryption.

Re:FBI Director James Comey may not care.

[znrt]

What root console? If it is really END TO END, then WhatsApp can't see the data either.

and you verify that it is actually clean and secure end to end encryption on a device like a smartphone (take your pick) ... how?

oh, i'm supposed to trust a random app running on a platform with (or entirely consisting of) proprietary closed software and hardware. har! har!

Re:FBI Director James Comey may not care.

[Jane+Q.+Public]

While WhatsApp does have a security hole. Using WhatsApp is more secure than using no encryption.

This seems to be most reasonable of the responses so far.

EFF has mentioned that when the end-to-end encryption is implemented, and then IF it passes their tests, they will update their Secure Messaging Scorecard for it. Right now its score is rather dismal: 2 of 7.

Currently there are only a few text messaging apps that get full points: TextSecure, Silent Text, OTR (Windows), CryptoCat, and something called ChatSecure which I had not heard of before.

Some people objected to CryptoCat being awarded all points, in that it hadn't been fully audited yet. EFF replied that it passed tests to their satisfaction.

I did not list phone apps such as Redphone because they're primarily voice not text per se.

Re:FBI Director James Comey may not care.

[daniel23]

Indeed.

And note the timing. This news (facebook, whisper systems) comes at the same time that EFF published the Let's Encrypt initative (EFF, Mozilla, Akamai, Cisco) .
I seem to remember there was an appeal to to make encryption the default coming from th3 w3c meeting a fortnight ago.
Is it a coincidence that this comes in time with an open letter by AOL, Apple, Dropbox, Evernote, Facebook, Google, LinkedIn, Microsoft, Twitter und Yahoo to the US senat to vote in favor of the USA Freedom Act (which it did not).

Apparently the big names feel the heat, it is bad for business when it is common knowledge globally that US companies are required by law to betray their customers' data.

And the way the US administration and politicos handled the topic after Edward Snowden showed us the proof of all the old suspicions did not help, it rather aggreviated the problem.

Nor did weasle worded dementi and press releases help. The global mistrust is massive and there is too much of critical expertise watching. And their attention just does not fade away. So the situation may have reached a point where some of the big players realize that feeding digital placebos is not enough to prevent further damage and they need reliable answers they can give their customers, You know, things that run less risk to be exposed by a presentation at Black Hat or CCC conferences some six months after introduction...

I'm not saying WhatsApp has reached this point and tries to do the right thing but I won't rule it out. It does look like a step in the right direction, raising the bar.
(I uninstalled WhatsApp after fb bought them and I use textsecure for my SMS on android)

Re:FBI Director James Comey may not care.

[Teckla]

Yeah, pretty much. The power of subpoena to acquire those keys would be trivial.

I think that's one of the problems Perfect Forward Secrecy is supposed to solve. If I understand it correctly, upon connection, the two connecting systems that support PFS generate brand new and ephemeral public/private key pairs for bootstrapping the encrypted connection.

Since those keys are ephemeral, even if some entity collected all the data between the two connecting systems, it would never be able to decrypt that data, even with subpoena in hand: those keys are long gone, as they only existed for a few seconds before being wiped from memory.

Great

[slashmydots]

I know next to nothing about whatsapp but from what wikipedia says, it's basically a bypass for texting and media-data sending fees for cell phone companies. Every one I've ever heard of has been banned by Apple at least and sometimes Android after pressure from carriers. What the heck let this one stick around? The same goes for VOIP services over data preventing people from going over their minutes. Those got banned the day they rolled out of the last 10 years. Now that it's encrypted it's superior to direct cellular sending of texts and pictures but since the NSA can't spy on it, get ready for some fake claims that it's costing the cell companies money in lost overages.

Re:Great

[Pi1grim]

Well, hello there friend. It must have been very uncomfortable to sit in a cryo cam for all these years, but while you were gone messaging apps have become more relevant than SMS-es and any carrier trying to ban them is to have a fecal storm on the matter, with billions of users for WhatsApp, FacebookMessenger, Hangouts, Viber, Line and whatnot.

Telegram

[tom229]

Do you have a current favorite for encrypted online chat?

Telegram. It's open source, uses end to end encryption, and, unlike whatsapp, supports multiple connected clients at a time - including desktop clients for all platforms.

Of course you'll be hard pressed to find anyone on telegram expect my wife and I. Kids don't care about security, or source code.

Re:Telegram

[DigiShaman]

Singing Klingon opera telegram. You can't out hack a Klingon with a bat'leth!

Re:Telegram

[arth1]

Telegram. It's open source, uses end to end encryption, and, unlike whatsapp, supports multiple connected clients at a time - including desktop clients for all platforms.

It's public domain, not open source.
End-to-end encryption is easy - you just need to send a courier with a one time pad.
And yes, there are telegraphs supporting multiple concurrent connections by using pitch shifting and filters so the receiver will only hear one set of beeps. But not more than a few.
Sure, there are desktop clients for all platforms - wooden, metal and marble top desktop can have clients, and there are even keys that mount on tilted desktops.

Of course you'll be hard pressed to find anyone on telegram

Indeed. Even Her Majesty The Queen stopped sending telegrams a few years ago. A shame, really.

Re:Telegram

[perryizgr8]

How can something in the public domain NOT be open source? If the source is free to look at, it is open source.

Re:Telegram

[arth1]

How can something in the public domain NOT be open source?

Open Source depends on copyrights.
Public domain depends on there being no copyrights.

Re:Telegram

[lennier]

Indeed. Even Her Majesty The Queen stopped sending telegrams a few years ago. A shame, really.

Your Monarch has, with great reluctance but a lingering sense of optimism, embraced modern communications, as it is nowadays one of a great many passing diversions into which the grandchildren seem to be. With this in mind the formal 'Queen's Telegram' has been revised to a streamlined, responsive format which I'm sure will meet with approval from the majority of citizens.

Now the day you turn 100 you get a single tweet from @HerMajLiz: 'lol u 2 old'

Re:Not really secure

[arth1]

This is the same company that lied about the capabilities of its photo app, as well as stored the photos insecurely.

Don't forget storing conversation logs unencrypted.
Or requiring a personally identifiable marker (a phone number) in order to work, even when everything goes over IP and supporting anonymous users would be trivial.

The problem is always the client

[MobyDisk]

This really only works if the client is open source. Otherwise, you don't know that the client doesn't send the keys through a side channel or store them somewhere.

Re:The problem is always the client

This really only works if the client is open source. Otherwise, you don't know that the client doesn't send the keys through a side channel or store them somewhere.

Perfect is the enemy of the good.

Taking passive surveillance out of the picture is a step in the right direction. If the code saves the keys so that it can be fetched in an "active" attack (e.g., warrant) that kind of sucks, but it's better than having everything in cleart-text to be vacuumed up without any kind of over site.

Re:The problem is always the client

[NonUniqueNickname]

If an open source client were all it took to establish secure communications between two phones it would have been done a long time ago. There are other hurdles besides the client. It's rare for two phones to be able to communicate directly because phones don't usually get public IP addresses. When a phone gets a public IP address it's likely to have most if not all incoming ports blocked, and even if both phones happen to have public IP addresses with unblocked incoming ports they still need to find each other via some sort of directory server. So at the very least, the IP address and identity of both parties goes through a server that you do not control. But more likely, all data exchange between the two parties (including keys) goes through a server that you do not control.

Re:The problem is always the client

[chihowa]

Of course it sends the keys to WhatsApp! If you install the client on a second phone, it just works, right?

So they're either:
1) generating a new key on each device and encrypting all incoming messages to every client's public key (or just encrypting the session key, a la PGP. -- While this isn't sending the key back to the mothership, new keys can be added at will, so copying traffic is easy.)

2) generating one key per account and shuffling it to newly installed clients through their server (possibly encrypted with the user's password... which they already know)

3) generating a key from the user's password directly with PBKDF2 or the like (a la SpiderOak, but (like SpiderOak) the client is closed source and they already know your password or could get it easily).

4) randomly assigning a symmetric key to each session and communicating it in-band to the clients involved in the chat.

Personally, I think 3 or 4 are the most likely because the infrastructure is the easiest and it still carries "end-to-end encryption" buzzword compliance.

The single hardest part of properly using encryption is key management. It's also the most vulnerable aspect of even weak crypto. Anything that simplifies this for end users, without requiring anything of them, is likely making serious security/convenience compromises.

[I'm still a big fan of hardware tokens for key storage and decryption. It greatly simplifies user key management while giving the user something familiar to associate their "key" with. It's not perfectly secure, but having to compromise a smartcard secure element requires more of the adversary.]

Re:The problem is always the client

[MobyDisk]

Bingo!

I worked for a company that had secure online backup software, and these kinds of things are exactly what they did. The original software really honestly didn't have the key. They even sent it to an escrow service whose contract said they could never ever give us the key. But later, features were added to the system: The server could transcode mp3 files and stream them to your phone - how could it decrypt the mp3 files to transcode them for streaming, if they didn't have the key? And the install.exe had the secret key embedded in it, because customers didn't like having to type it themselves. And the web site would give you your files inside a password-protected ZIP. The password on the ZIP file was the key. How could it decrypt the file, then ZIP it up, then set the password on the ZIP file if the server didn't know the key?

Well, the WhatsApp guy has good motive

[fustakrakich]

I sure hope he hasn't been compromised, by green paper 'malware', or *an offer he can't refuse*.

Re:Well, the WhatsApp guy has good motive

[perryizgr8]

Considering he sold out for $19B, there is not much left to be compromised.

This idea...

[MitchDev]

needs to be implemented at all levels of the internet, hopefully it gives the American Stasi like the NSA, CIA, and FBI major headaches...

I have been wondering about WhatsApp

[EmperorOfCanada]

Literally the first time I heard about WhatsApp was when they were sold for 19 billion. This made no sense to me. So I asked my teenage daughters about WhatsApp and they had never heard of it. So I chalked WhatsApp to being the ultimate in hype.

But to stand out and offer end to end encryption where WhatsApp can't read your stuff will be interesting. The question is: "Do we trust them."

Re:I have been wondering about WhatsApp

[ledow]

I've heard of WhatsApp for ages.

Most of my contacts are on Whatsapp.

But I didn't start using it until my Italian girlfriend introduced me to it - because texting internationally via WhatsApp costs you 63p a year as opposed to nearly that per text!

All the ex-pats and foreigners that I know seem to be the biggest users of it.

Wikr

[lazarus]

Wikr is what I use. Right now it's only available as an iOS and Android app. You specify how long you want your messages to exist for and the countdown starts when the receiving party views the message. Slightly clunky, but very very secure:

From the website:

App:
  ID and device info are cryptographically hashed with multiple rounds of salted cryptographic hashing using SHA256.
  Data at rest and in transit is encrypted with AES256.
  No password or Password hashes leave device.
  Messages and media are forensically wiped after they expire.

Server:
  In contact with encrypted messages/media only.
  Never in contact with passwords of private encryption keys.
  Deletes messages on delivery.
  Interacts with only hashed ID and device info.

Re:Wikr

[Xylantiel]

If you think this is secure against the FBI you are kidding yourself. Since it is a closed-source app, wickr has control of your private key and they only CHOOSE not to copy it off the device. They can simply be served with a NSL to pull that info from your device. Now if you're only trying to keep things private from criminals and corporations, you're probably good.

Re:Wikr

[lazarus]

Re: FBI. That may be true (albeit difficult to do). However, that would be the end of their business, so it would be somewhat pointless to ever agree to that (they have already declined such a request). For reference here is their guidelines for law enforcement requests:

https://wickr.com/wp-content/u...

And the report of them denying an FBI request:

http://www.slashgear.com/wickr...

Here's a question

[koan]

Do you trust the people behind this? If so why?

Re:end-to-end doesn't mean they can't read it

[JimFive]

I would add that WhatsApp is already at both ends of the communication as well. So, even without a stolen key or MITM, WhatsApp can read any message at either user's end and do something with that information. (Simple idea, scan messages for references to pop culture event and send that information to the ad servers). So, sure, the message is encrypted end to end, but so what.
--
JimFive

Telegram is better

[nightfire-unique]

Telegram offers every feature of WhatsApp, plus end-to-end encryption with visual signatures, arbitrary file sharing, multi-device support (including PC), is open source and the API is published.

They claim to have 40M+ users, so they're a substantial amount of the way to displacing WhatsApp already.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Still subject to traffic analysis.

[tlambert]

Still subject to traffic analysis.

Most of the information they want in the first place is "who is talking to who when and for how long", which is still in the clear, even if there is end to end encryption. So most of the important data, what government agencies in the news have called "Just Metadata", is still capable of being intercepted (and is).

Once they have an associative pattern that they think indicates a crony in an illegal activity, *THEN* they target the content of the conversation. In this particular case, it should be possible to MITM the conversation as well, with a combined order for keys and gag order, the same as is done to compromise SSL conversations right now, by forcing the CA to sign new certs for the requesting agency, and using them to proxy the conversation.

In other words, this is not a magic "big win" for privacy.

Re: Still subject to traffic analysis.

[p43751]

Mod parent up! He is right. This is a huge step forward. Especially with those new encrypted phones(android lollipop & iPhone 6)

All these years..

[_hAZE_]

And here I thought my solution of attaching matching pretzels to each cup, and then tying the string to the pretzels, ensured our communication was private. The only difficult part was trying to add a third party after you had already eaten the bag of pretzels, as finding a third matching pretzel at that point was sometimes quite difficult.

Whatever their friends use

[ByTor-2112]

What encrypted messaging app do I use? None. My friends don't use it. I had *one* friend I could talk into installing Telegram. But it's really not "secure" because it saves things on your device, and the desktop version saves things in the clear, so anyone with access to your computer can ready them.

Like another poster said, the other end is your weak link. An open source app might even be worse, because someone could modify their app to say a message was deleted when it wasn't. Or rather, their device could be hacked and a modified app installed.

If WhatsApp really does do E2E encryption, more power to them, but don't assume it's very secure.

One time pad

[Keith+Henson]

"End-to-end encryption is easy - you just need to send a courier with a one time pad."

Key management is a PITA. Still, making pairs of DVDs filled with random noise isn't that hard. If you seal them with glitter nail polish and send a picture of the sealing back, then you and the recipient can be fairly sure it wasn't intercepted and copied.

USB sticks are larger, but you need to completely erase the USB or DVD after copying to disk. Then the program needs to enforce that used blocks on the disk are erased.

Phil Z and one other name in the crypto biz thinks this is unneeded.

It doesn't work well for encrypting pirated movies, but for most stuff it's really secure.

Wickr - has this and time-expiry messages

[FloydMarinescu]

End to end encyryption is just one side of it, Wickr app also implements a number of UI paradigms and particularly the per-message user-set time-expiry feature that no on else has right now. This for me is the most important feature because who will own my chat data 20 years from now (be it encrypted or not)? I'd rather it be deleted when I want it, so conversations can be more ephemeral like real life.