Slashdot Mirror

← Back to Stories (view on slashdot.org)

WhatsApp Enables End-To-End Encryption For All Forms of Communications By Default

Posted by msmash on from the setting-precedent-for-everyone-else dept.

Popular instant messaging app WhatsApp, on Tuesday, announced that it is turning on end-to-end encryption for all its users by default. The company says that every call a user makes, every text message they send, all photos and videos they share will now be more secure. Furthermore, the encryption status of any chat is visible under the chat's preferences screen. The announcement comes a little over a year after the Facebook-owned company partnered with Open Whisper Systems, a nonprofit software group that develops collaborative open source projects with a mission to "make private communication simple." The end-to-end encryption feature is available on the latest version of the app. In a blog post, Open Whisper Systems further explains the feature: Once a client recognizes a contact as being fully e2e capable, it will not permit transmitting plaintext to that contact, even if that contact were to downgrade to a version of the software that is not fully e2e capable. This prevents the server or a network attacker from being able to perform a downgrade attack. In a blog post, WhatsApp writes: While WhatsApp is among the few communication platforms to build full end-to-end encryption that is on by default for everything you do, we expect that it will ultimately represent the future of personal communication. WhatsApp has also made available the technical details about how the two companies implemented this feature (PDF). For those of you who haven't heard of WhatsApp, it's an instant messaging and voice calling app. The free service, which is available across all popular platforms, is used by more than a billion people worldwide every month. A report on Wired says that a team of only 15 engineers enabled this security feature for over a billion users. Privacy researcher and activist Christopher Soghoian rightfully adds, "Google has no excuse."

8 of 76 comments (clear)

  1. Re:Weasel words by rahultyagi · · Score: 3, Informative

    Nope, in this case it really does look like the other "end" is the other party and not WhatsApp's servers. So, unless they are lying about it, it really does seem like user-to-user encryption (and hence, as you point out, no data mining for facebook).

  2. Re:Weasel words by Anonymous Coward · · Score: 4, Informative

    The message content is opaque to them, but the meta-data of who talks to who, when, for how long and how often is not. Last I checked you still need a real phone number to sign up, so they can tie nearly all of their users to their real world identities. Considering that they are owned by facebook, all that meta-data gets fed in to facebook's behemoth databases of personal info.

    So it seems likely that even full-blown e2e is still revenue positive for them.

    That said, going full e2e, even with all the facebookian compromises is still an improvement in the baseline. This is a war of inches, so every inch matters, even when there is still a long road ahead.

  3. WhatsApp is free, buddy by Anonymous Coward · · Score: 2, Informative

    Straight from the horses mouth:

    https://blog.whatsapp.com/615/Making-WhatsApp-free-and-more-useful

    Tell me more about this business model you know so much about.

  4. Re:I don't trust this and simply wonder WHY? by rainwalker · · Score: 4, Informative

    As I'm not a cryptographer, I have to trust what experts tell me (source code doesn't really help with this). Given that the people at Open Whisper Systems, who are fanatical privacy and security researchers and advocates, and who built the protocol that's being used and helped WhatsApp implement it, are giving this their stamp of approval, I'm just going to have to trust them. At some point, you have to pick that trust point, and Open Whisper Systems seems like a good point.

  5. Re:Does the User Control the Keys? by Meneth · · Score: 4, Informative

    The user's device generates the private key, but only under the control of WhatsApp's closed-source app.

    The key exchange is done through WhatsApp's server, much like message exchange. There is no revokation, though I imagine a user who loses his private key could generate and register a new one. There are no certificates except for the connection to the server.

    An attacker would have to take control of WhatsApp's server, but once that is done, they could run classic MiTM attacks on all WhatsApp users.

  6. intellectually dishonest. by Anonymous Coward · · Score: 4, Informative

    The user's device generates the private key, but only under the control of WhatsApp's closed-source app.

    The key exchange is done through WhatsApp's server, much like message exchange. There is no revokation, though I imagine a user who loses his private key could generate and register a new one. There are no certificates except for the connection to the server.

    An attacker would have to take control of WhatsApp's server, but once that is done, they could run classic MiTM attacks on all WhatsApp users.

    This is intellectually dishonest. Whatsapp allows you to verify the key signature either via barcode or via hash comparison.

  7. EFF Secure Messaging Scorecard by uassholes · · Score: 3, Informative

    https://www.eff.org/secure-messaging-scorecard

  8. Re:I don't trust this and simply wonder WHY? by Pseudonymus+Bosch · · Score: 4, Informative

    In the words of Edward Snowden, "Use programs like Redphone, like Silent Circle â" anything by Moxie Marlinspike and Open Whisper System."

    --
    __
    Men with no respect for life must never be allowed to control the ultimate instruments of death.
    GW Bu