Slashdot Mirror


Viber Update Brings End-To-End Encryption and Hidden Chats (gsmarena.com)

An anonymous reader writes: The new hip thing to do if you're a developer of a messaging app is to encrypt everyone's messages -- everyone's doing it! WhatsApp announced earlier this month all messages being sent through the service will now be end-to-end encrypted. Today, Viber has announced it is doing something similar. All messages being sent through the latest version of the app will be end-to-end encrypted. To confirm messages are being encrypted, a padlock icon will appear in the chat UI. The latest version of the app is already available in the iOS App Store and Android Google Play Store. Viber is one of the largest messaging platforms with over 700 million users. Hidden chats can also be found in the new update. Users can hide select chats with people and access/display them with a PIN or Touch ID.

39 comments

  1. Seems familiar by Verdatum · · Score: 1

    Didn't AOL Instant Messenger add this feature like 15 years ago?

    1. Re:Seems familiar by ShaunC · · Score: 1

      I don't think the official AIM client ever offered secure end-to-end encryption. Pidgin+OTR does, though, and that's a common way to use the AIM network.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:Seems familiar by Verdatum · · Score: 1

      I'm pretty sure it did. It was part of the "Direct connect" feature, I thought. I think it even displayed a little key icon when it was in effect...

  2. Is Viber written using the Rust programming lang? by Anonymous Coward · · Score: 2, Funny

    Is Viber written using the Rust programming language? It's getting to the point where the only software I'll trust is software written in Rust. It's like being a vegan in a lot of ways. It's healthier for you, but it can also make life more difficult. For example I've switched to using Servo for all of my web browsing, since it's written in Rust. Servo is still a young project, though, so there are some rough edges. But since it's written in Rust I have a lot more trust for it than I do of other software.

    I would really like to use a realtime mobile chat app written in Rust. I would also like to use a mobile OS that's fully written in Rust, too. I wish that Google would port Android to Rust. I'd really, really like it if I could use a software stack that's 100% rust from the OS up to the apps. I'd feel so much safer using that software because I know that Rust is all about safety and writing code that's pretty much unbreakable.

  3. i must be getting old.. really, really old.. by Anonymous Coward · · Score: 0

    what the hell is a 'viber'? sounds like a porn chat thing, but i dunno. supposedly 'one of the largest messaging platforms' and over 700 million users.. and i have never heard of it until now.

    1. Re:i must be getting old.. really, really old.. by DiSKiLLeR · · Score: 2

      idk why you haven't.

      I started using viber years ago, but switched to fb messenger and whatsapp over time.

      I think a lot of americans haven't heard of these because they are hugely popular overseas which let you text and make phone calls internationally over wifi/data.

      Texting/calling in the US within the US (and sometimes Canada and Mexico too) is essentially free on plans so you have no motivation to use apps like Viber or WhatsApp but that is not the case for the rest of the world. Especially within places like europe.

      --
      You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
  4. How can this be checked? by thesupraman · · Score: 5, Insightful

    I wonder which of them will be the first to open up their implementation to scrutiny?
    Showing us a nice little padlock icon is all very well, but encryption is *hard*, and getting it right is subtle.

    An assurance that they cannot access any of the data themselves would be a start, because it points
    to true end-to-end (rather than end-to-middleman, which is much less useful...)

    If you can access your messages from more than one device, then it is a sign that all is not well in paradise,
    as they may hold the keys themselves (in which case what is the point), but not necessarily.

    If trust is part of security, then do you trust the security? ;)

    1. Re:How can this be checked? by johanw · · Score: 1

      Well, I had to re-authenticate other devices (PC and tablet) by scanning a QR code from the main device (phone). This might be indicating that a key exchange is taking place.

    2. Re:How can this be checked? by queazocotal · · Score: 1

      Any form of encryption, even if crackable, if the user reasonably thinks it's secure can cause additional legal protections to kick in.
      'Reasonable expectation of privacy'

    3. Re:How can this be checked? by rmdingler · · Score: 1

      You're right, of course, but if the information you are protecting is valuable enough to another, it's really just a question of conviction, budget, and time.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    4. Re: How can this be checked? by Anonymous Coward · · Score: 0

      Good point. They just said "encryption", never said it was good. It could be DES. Or a hardware WEP implementation. Or really anything, maybe an A=5 sort of thing.

    5. Re:How can this be checked? by Anonymous Coward · · Score: 0

      What did the text of the QR code look like? That would be a good clue.

    6. Re:How can this be checked? by wbr1 · · Score: 1

      You're right, of course, but if the information you are protecting is valuable enough to another, it's really just a question of conviction, budget, and time.

      Or a $5 wrench.

      --
      Silence is a state of mime.
    7. Re:How can this be checked? by johanw · · Score: 1

      It didn't show any translations in human readable form (and I didn't make a screenshot).

    8. Re:How can this be checked? by rmdingler · · Score: 1

      Ah! I've been Randalled... did you realize he's 31 years young?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    9. Re: How can this be checked? by Anonymous Coward · · Score: 0

      You mean like ROT13

  5. can someone explain this to me? by Anonymous Coward · · Score: 3, Insightful

    So geezer here, been online since the early 80's. For a long time, store-and-forward type messaging (usenet) and instant messengers (IRC, when it appeared) alike separated the protocol from the client. There were dozens upon dozens of usenet and IRC clients, so you could pick one with features you wanted, but still communicate with everyone else, because they'd all abide the same underlying communication protocol.

    For some reason, everyone decided that they'd rather have kik that can't talk to viber that can't talk to whatsapp that can't talk to that MS one that can't talk to any of the other dozens of competing ones. Fractured little fiefdoms. This confuses me. It seems like a significant loss.

    I can even understand why a company wants to lock people into its messenger and only its messenger. What I don't understand is why everyone insists on flocking to those things, and eschews the kind of platform agnostic standards that let the internet succeed so wildly in the first place. You can email someone without caring much about which reader they use! What was wrong with that model, that we had to run as fast as possible away from it?

    1. Re:can someone explain this to me? by DiSKiLLeR · · Score: 1

      I don't know, but having been on the internet since the early 90s I fully agree with you. :(

      --
      You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
    2. Re:can someone explain this to me? by NotInHere · · Score: 1

      Fractured little fiefdoms. This confuses me. It seems like a significant loss.

      What's a loss for the community is a win for the founders and the investors. A big win. Silicon valley wouldn't be as successful as it is if they were opening their doors to competition.

      What was wrong with that model, that we had to run as fast as possible away from it?

      It's easier to build a business model around an app that's closed down and proprietary as much as possible.

    3. Re:can someone explain this to me? by 110010001000 · · Score: 2

      The reason Viber is popular is because it uses your phone number as your address. So you can use it to "SMS" for free internationally. What open standard clients usually forget is that people want something easy to use and attached to an address that they can remember. If someone did Jabber/XMPP using your phone number as the endpoint it would probably be more popular.

    4. Re:can someone explain this to me? by Anonymous Coward · · Score: 0

      The reason Viber is popular is because it uses your phone number as your address.

      Raise your hand if you work in support and have wasted time when a user types @domain.com after their username (of course they won't tell you what they're doing wrong until you painstakingly walk the person through sending you a screenshot of the culprit)
      This is only second worst to the stupid logic move pioneered by Microsoft of allowing people from multiple domains to check email from a single box. Nowadays everyone everywhere is typing the superfluous domain without so much as an educational nag from yahoo or gmail.

      For the phone numbers, AFAIK WhatsApp pioneered the stupid username choice (lately their daddy Facebook has taken to replacing people's email address username with their number, too). It only makes users confused and more stupid^Wdifficult to re-train in the long run. Voice service versus data isn't easy to explain. The phone "username" design makes people think a voice or video "call" uses the real phone network. The older folk invariably end up asking you if they can "call" you long distance for free from their POTS phone or vice-versa.

    5. Re:can someone explain this to me? by radarskiy · · Score: 1

      Users have correctly determined that most casual conversation is not worth the effort of configuring a complicated client,

    6. Re:can someone explain this to me? by Anonymous Coward · · Score: 0

      Every one of the protocols you mentioned was unencrypted. Many of them have adopted standards for encryption, sometimes multiple standards, but those add-ons have all been optional. The complexity involved in implementing and actually deploying that encryption in a standards-compliant way has typically been high. In fact it was so high that it was worse than implementing a proprietary protocol with encryption baked in and a few extras that were not present in the original (based upon new technology) while stripping some of the unused or rarely used requirements in the standard. Sometimes this encryption is poorly implemented, but it is still something. And when a flaw is found the entire ecosystem is proprietary so it can be addressed as issues are found.

    7. Re:can someone explain this to me? by Voyager529 · · Score: 1

      I completely agree and share your preference. However, the fiefdom method unfortunately has its benefits, too.

      First, let's address the fact that XMPP, while a good IM standard protocol, is not the simplest thing to manually configure - you have to know what you're doing, and the core demographic for many of these folks consists of people who can't tell a search bar from an address bar in a web browser. You also need a server...somewhere...that someone owns. If Viber makes an XMPP client that can talk to Whatsapp's servers to send messages to Kik users, it's just a money pit for anyone to run the server, unless they're actively capturing and monetizing that traffic. To make it an analog to the Usenet days, the telcos would run the XMPP servers in the same way that ISPs ran the Usenet servers - somewhat-viable, but it would have to be 'out of the goodness of their heart' at this point, since they already run the servers for SMS and MMS; XMPP would be redundant. Then there's the classic "it's the server...it's the client..." finger pointing game if a messenger isn't configured properly.

      Next, let's deal with extensions and encryption. All the listed messengers give sent/delivered/read notifications, which XMPP doesn't (I don't believe). So, each client would have to come up with some way of replicating that functionality, so we end up once again with the fiefdom of 'use whatsapp so you'll know if I read your message', to which we then say, "so let's add it to the XMPP standard". Makes sense, but then you need cooperation from everyone at once to implement it and abandon their proprietary extensions.

      For such an open standard, you'll once again need to deal with the spam problem. As much as I love e-mail and usenet, both of them had a massive amount of spam. It's somewhat-tolerated on e-mail because spam filtering has gotten quite good, and it's somewhat-tolerated on usenet because there's much less of it than there used to be...but Viber and Whatsapp have been pretty good about keeping the spam levels down (Kik, less so). No one is going to be happy with a system that allows spam on their cell phone, especially with push notifications involved.

      Finally, the fiefdoms are a bit better suited toward monetization. Viber makes money through sticker purchases. BBM has sponsored groups and promotional notifications. Whatsapp used to sell their service, but now sugar daddy Facebook has deprecated that, so they're a bit messier to point to a monetization system. One could possibly sell the client directly; Outlook, Eudora, and eM Client have done well on the e-mail side of this, with Agent and Newsman Pro both having sold their clients as well. Doing that in the mobile world is a bit more challenging, and one can argue that selling stickers works well-enough to keep Viber afloat and can apply to XMPP as well, but then we're back to the compatibility problem, as GroupMe has a vested interest in ensuring that Viber stickers don't display right. Selling the client for $5 a pop in the App Store is the most direct method, but when the client abstracts away the gimmick, you'll need to have an amazing UI and perfect support to get money for something that LibreChat will do for free next month. ...And this, good sir/madam, is why we can't have nice things.

    8. Re:can someone explain this to me? by Anonymous Coward · · Score: 0

      Yes, servers are a money pit, with no way to monetize them. However, the servers are already in place in a lot of circumstances. At least XMPP/IRC. The only reason I can think that they would not be used is a simple lack of marketing. As I mentioned, the infrastructure is already in place. But it's only been abandoned because something that makes less sense is trendy. That's the type of thing that irritates me. XMPP does have sent/received messages, it even has typing/stopped typing messages. It's a reasonably capable chat protocol, that is capable of crossing domains. The only downfall in XMPP is that the most widely used "XMPP" servers are things like google hangouts that use the protocol as an "API" and never implement the cross domain stuff that would make life a lot simpler. Honestly, who has a jabber account? I got tired of maintaining multiple accounts to keep in touch with all my friends back in the 90s, at this point I've given up. If I want to send you a message, you're getting an email whether you like it or not.

  6. Re:Is Viber written using the Rust programming lan by 110010001000 · · Score: 1

    No. Viber is an application that people actually use. Therefore it isn't written in hipster Rust.

  7. Should be standard by Anonymous Coward · · Score: 0

    It's not just a hip thing, it should be standard for all US internet traffic.

  8. Trendy by Cyphase · · Score: 1

    Looks like it's hip to encryp'; that's a trip!

    --
    by Cyphase ( 907627 )
  9. But is the space between finger and app secure? by dsmatthews9379 · · Score: 1

    Will all of these secure apps just cause the rest of the system to be targeted so that all of my interactions with my devices are tapped into directly thereby making encryption pointless?

  10. Great! by kamapuaa · · Score: 1

    I'm sorry for the inevitable racist responses this will get, but if end-to-end security is your thing I have my suspicions that you don't want to deal with a company whose founder and CEO's last job was CIO of the Israeli Defense Force.

    --
    Slashdot: providing anti-social weirdos a soapbox, since 1997.
  11. where is the source? by Anonymous Coward · · Score: 0

    Where is the source? Can we verify that there are no backdoors? No? Then it's useless. Assume this has an escrow key or something.

  12. Signal? by plazman30 · · Score: 1

    Are they also using the Signal protocol, or did they come up with something unique?

    1. Re:Signal? by chihowa · · Score: 4, Funny

      Pssh, all of the important details are in the summary: "To confirm messages are being encrypted, a padlock icon will appear in the chat UI."

      What more do you need to know?

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    2. Re:Signal? by Anonymous Coward · · Score: 0

      Score:4, Interesting? Sad day for Slashdot :(

  13. Encryption is hot shit by Opportunist · · Score: 1

    Everyone does it. Even the malware flavor of the month deals with encrypting all your data.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Nice try, NSA... by ctrl-alt-canc · · Score: 1

    ...what's next ? A better, free https client ?

  15. Hidden chats, what else is hidden... by mackermacker · · Score: 2

    Viber shares a founder with one of those Israeli shitware companies from Download Valley and has ties to several others https://en.wikipedia.org/wiki/...

    Also, they have questionable security and/or sold people contacts in the past http://haydenjames.io/i-refuse...

    On November 4, 2014, Viber scored 1 out of 7 points on the Electronic Frontier Foundation's "Secure Messaging Scorecard". Viber received a point for encryption during transit but lost points because communications were not encrypted with keys that the provider didn't have access to (i.e. the communications were not end-to-end encrypted), users could not verify contacts' identities, past messages were not secure if the encryption keys were stolen (i.e. the service did not provide forward secrecy), the code was not open to independent review (i.e. the code was not open-source), the security design was not properly documented, and there had not been a recent independent security audit.

  16. Re:Is Viber written using the Rust programming lan by ilsaloving · · Score: 1

    All joking aside, is Rust really that compelling of a language? I haven't actually used it, so I'm wondering if it lives up to all the hype it's generating.

  17. e2e geolocation crippled = owned by Anonymous Coward · · Score: 0

    Someone noticed that the e2e functionality is coded with a geolocation check, disabling it for some regions. Now if someone could just list which regions that the crippling occurs in...