Slashdot Mirror


Viber Update Brings End-To-End Encryption and Hidden Chats (gsmarena.com)

An anonymous reader writes: The new hip thing to do if you're a developer of a messaging app is to encrypt everyone's messages -- everyone's doing it! WhatsApp announced earlier this month all messages being sent through the service will now be end-to-end encrypted. Today, Viber has announced it is doing something similar. All messages being sent through the latest version of the app will be end-to-end encrypted. To confirm messages are being encrypted, a padlock icon will appear in the chat UI. The latest version of the app is already available in the iOS App Store and Android Google Play Store. Viber is one of the largest messaging platforms with over 700 million users. Hidden chats can also be found in the new update. Users can hide select chats with people and access/display them with a PIN or Touch ID.

28 of 39 comments

  1. Seems familiar by Verdatum · · Score: 1

    Didn't AOL Instant Messenger add this feature like 15 years ago?

    1. Re:Seems familiar by ShaunC · · Score: 1

      I don't think the official AIM client ever offered secure end-to-end encryption. Pidgin+OTR does, though, and that's a common way to use the AIM network.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:Seems familiar by Verdatum · · Score: 1

      I'm pretty sure it did. It was part of the "Direct connect" feature, I thought. I think it even displayed a little key icon when it was in effect...

  2. Is Viber written using the Rust programming lang? by Anonymous Coward · · Score: 2, Funny

    Is Viber written using the Rust programming language? It's getting to the point where the only software I'll trust is software written in Rust. It's like being a vegan in a lot of ways. It's healthier for you, but it can also make life more difficult. For example I've switched to using Servo for all of my web browsing, since it's written in Rust. Servo is still a young project, though, so there are some rough edges. But since it's written in Rust I have a lot more trust for it than I do of other software.

    I would really like to use a realtime mobile chat app written in Rust. I would also like to use a mobile OS that's fully written in Rust, too. I wish that Google would port Android to Rust. I'd really, really like it if I could use a software stack that's 100% rust from the OS up to the apps. I'd feel so much safer using that software because I know that Rust is all about safety and writing code that's pretty much unbreakable.

  3. How can this be checked? by thesupraman · · Score: 5, Insightful

    I wonder which of them will be the first to open up their implementation to scrutiny?
    Showing us a nice little padlock icon is all very well, but encryption is *hard*, and getting it right is subtle.

    An assurance that they cannot access any of the data themselves would be a start, because it points
    to true end-to-end (rather than end-to-middleman, which is much less useful...)

    If you can access your messages from more than one device, then it is a sign that all is not well in paradise,
    as they may hold the keys themselves (in which case what is the point), but not necessarily.

    If trust is part of security, then do you trust the security? ;)

    1. Re:How can this be checked? by johanw · · Score: 1

      Well, I had to re-authenticate other devices (PC and tablet) by scanning a QR code from the main device (phone). This might be indicating that a key exchange is taking place.

    2. Re:How can this be checked? by queazocotal · · Score: 1

      Any form of encryption, even if crackable, if the user reasonably thinks it's secure can cause additional legal protections to kick in.
      'Reasonable eXpectation of privacy'

    3. Re:How can this be checked? by rmdingler · · Score: 1

      You're right, of course, but if the information you are protecting is valuable enough to another, it's really just a question of conviction, budget, and time.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    4. Re:How can this be checked? by wbr1 · · Score: 1

      You're right, of course, but if the information you are protecting is valuable enough to another, it's really just a question of conviction, budget, and time.

      Or a $5 wrench.

      --
      Silence is a state of mime.
    5. Re:How can this be checked? by johanw · · Score: 1

      It didn't show any translations in human readable form (and I didn't make a screenshot).

    6. Re:How can this be checked? by rmdingler · · Score: 1

      Ah! I've been Randalled... did you realize he's 31 years young?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  4. can someone explain this to me? by Anonymous Coward · · Score: 3, Insightful

    So geezer here, been online since the early 80's. For a long time, store-and-forward type messaging (usenet) and instant messengers (IRC, when it appeared) alike separated the protocol from the client. There were dozens upon dozens of usenet and IRC clients, so you could pick one with features you wanted, but still communicate with everyone else, because they'd all abide the same underlying communication protocol.

    For some reason, everyone decided that they'd rather have kik that can't talk to viber that can't talk to whatsapp that can't talk to that MS one that can't talk to any of the other dozens of competing ones. Fractured little fiefdoms. This confuses me. It seems like a significant loss.

    I can even understand why a company wants to lock people into its messenger and only its messenger. What I don't understand is why everyone insists on flocking to those things, and eschews the kind of platform agnostic standards that let the internet succeed so wildly in the first place. You can email someone without caring much about which reader they use! What was wrong with that model, that we had to run as fast as possible away from it?

    1. Re:can someone explain this to me? by DiSKiLLeR · · Score: 1

      I don't know, but having been on the internet since the early 90s I fully agree with you. :(

      --
      You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
    2. Re:can someone explain this to me? by NotInHere · · Score: 1

      Fractured little fiefdoms. This confuses me. It seems like a significant loss.

      What's a loss for the community is a win for the founders and the investors. A big win. Silicon valley wouldn't be as successful as it is if they were opening their doors to competition.

      What was wrong with that model, that we had to run as fast as possible away from it?

      It's easier to build a business model around an app that's closed down and proprietary as much as possible.

    3. Re:can someone explain this to me? by 110010001000 · · Score: 2

      The reason Viber is popular is because it uses your phone number as your address. So you can use it to "SMS" for free internationally. What open standard clients usually forget is that people want something easy to use and attached to an address that they can remember. If someone did Jabber/XMPP using your phone number as the endpoint it would probably be more popular.

    4. Re:can someone explain this to me? by radarskiy · · Score: 1

      Users have correctly determined that most casual conversation is not worth the effort of configuring a complicated client,

    5. Re:can someone explain this to me? by Voyager529 · · Score: 1

      I completely agree and share your preference. However, the fiefdom method unfortunately has its benefits, too.

      First, let's address the fact that XMPP, while a good IM standard protocol, is not the simplest thing to manually configure - you have to know what you're doing, and the core demographic for many of these folks consists of people who can't tell a search bar from an address bar in a web browser. You also need a server...somewhere...that someone owns. If Viber makes an XMPP client that can talk to Whatsapp's servers to send messages to Kik users, it's just a money pit for anyone to run the server, unless they're actively capturing and monetizing that traffic. To make it an analog to the Usenet days, the telcos would run the XMPP servers in the same way that ISPs ran the Usenet servers - somewhat-viable, but it would have to be 'out of the goodness of their heart' at this point, since they already run the servers for SMS and MMS; XMPP would be redundant. Then there's the classic "it's the server...it's the client..." finger pointing game if a messenger isn't configured properly.

      Next, let's deal with extensions and encryption. All the listed messengers give sent/delivered/read notifications, which XMPP doesn't (I don't believe). So, each client would have to come up with some way of replicating that functionality, so we end up once again with the fiefdom of 'use whatsapp so you'll know if I read your message', to which we then say, "so let's add it to the XMPP standard". Makes sense, but then you need cooperation from everyone at once to implement it and abandon their proprietary extensions.

      For such an open standard, you'll once again need to deal with the spam problem. As much as I love e-mail and usenet, both of them had a massive amount of spam. It's somewhat-tolerated on e-mail because spam filtering has gotten quite good, and it's somewhat-tolerated on usenet because there's much less of it than there used to be...but Viber and Whatsapp have been pretty good about keeping the spam levels down (Kik, less so). No one is going to be happy with a system that allows spam on their cell phone, especially with push notifications involved.

      Finally, the fiefdoms are a bit better suited toward monetization. Viber makes money through sticker purchases. BBM has sponsored groups and promotional notifications. Whatsapp used to sell their service, but now sugar daddy Facebook has deprecated that, so they're a bit messier to point to a monetization system. One could possibly sell the client directly; Outlook, Eudora, and eM Client have done well on the e-mail side of this, with Agent and Newsman Pro both having sold their clients as well. Doing that in the mobile world is a bit more challenging, and one can argue that selling stickers works well-enough to keep Viber afloat and can apply to XMPP as well, but then we're back to the compatibility problem, as GroupMe has a vested interest in ensuring that Viber stickers don't display right. Selling the client for $5 a pop in the App Store is the most direct method, but when the client abstracts away the gimmick, you'll need to have an amazing UI and perfect support to get money for something that LibreChat will do for free next month. ...And this, good sir/madam, is why we can't have nice things.

  5. Re:i must be getting old.. really, really old.. by DiSKiLLeR · · Score: 2

    idk why you haven't.

    I started using viber years ago, but switched to fb messenger and whatsapp over time.

    I think a lot of Americans haven't heard of these because they are hugely popular overseas which let you text and make phone calls internationally over wifi/data.

    Texting/calling in the US within the US (and sometimes Canada and Mexico too) is essentially free on plans so you have no motivation to use apps like Viber or WhatsApp but that is not the case for the rest of the world. Especially within places like Europe.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
  6. Re:Is Viber written using the Rust programming lan by 110010001000 · · Score: 1

    No. Viber is an application that people actually use. Therefore it isn't written in hipster Rust.

  7. Trendy by Cyphase · · Score: 1

    Looks like it's hip to encryp'; that's a trip!

    --
    by Cyphase ( 907627 )
  8. But is the space between finger and app secure? by dsmatthews9379 · · Score: 1

    Will all of these secure apps just cause the rest of the system to be targeted so that all of my interactions with my devices are tapped into directly thereby making encryption pointless?

  9. Great! by kamapuaa · · Score: 1

    I'm sorry for the inevitable racist responses this will get, but if end-to-end security is your thing I have my suspicions that you don't want to deal with a company whose founder and CEO's last job was CIO of the Israeli Defense Force.

    --
    Slashdot: providing anti-social weirdos a soapbox, since 1997.
  10. Signal? by plazman30 · · Score: 1

    Are they also using the Signal protocol, or did they come up with something unique?

    1. Re:Signal? by chihowa · · Score: 4, Funny

      Pssh, all of the important details are in the summary: "To confirm messages are being encrypted, a padlock icon will appear in the chat UI."

      What more do you need to know?

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  11. Encryption is hot shit by Opportunist · · Score: 1

    Everyone does it. Even the malware flavor of the month deals with encrypting all your data.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Nice try, NSA... by ctrl-alt-canc · · Score: 1

    ...what's next ? A better, free https client ?

  13. Hidden chats, what else is hidden... by mackermacker · · Score: 2

    Viber shares a founder with one of those Israeli shitware companies from Download Valley and has ties to several others https://en.wikipedia.org/wiki/...

    Also, they have questionable security and/or sold people contacts in the past http://haydenjames.io/i-refuse...

    On November 4, 2014, Viber scored 1 out of 7 points on the Electronic Frontier Foundation's "Secure Messaging Scorecard". Viber received a point for encryption during transit but lost points because communications were not encrypted with keys that the provider didn't have access to (i.e. the communications were not end-to-end encrypted), users could not verify contacts' identities, past messages were not secure if the encryption keys were stolen (i.e. the service did not provide forward secrecy), the code was not open to independent review (i.e. the code was not open-source), the security design was not properly documented, and there had not been a recent independent security audit.

  14. Re:Is Viber written using the Rust programming lan by ilsaloving · · Score: 1

    All joking aside, is Rust really that compelling of a language? I haven't actually used it, so I'm wondering if it lives up to all the hype it's generating.