Facebook Messenger To Get End-To-End Encryption
Reader wiredmikey writes: Facebook announced Friday it would roll out optional "end to end encryption" for its Messenger application, following a trend aimed at stronger security and protection against snooping. The new feature will be known as "secret conversations" which can be read only by the sender and recipient. Facebook shared technical details about its implementation of the security in a technical white paper (PDF). Facebook earlier this year began implementing this end-to-end encryption on its WhatsApp messaging service. ZDNet's Zack Whittaker, however, warns about a catch in Facebook's effort. He writes: But already the company has faced some criticism for not encrypting messages by default, instead making the service opt-in, like Apple's iMessage, or even Facebook's other chat app, WhatsApp, which recently switched on default end-to-end encryption earlier this year. Cryptographer and Johns Hopkins professor Matthew Green, who reviewed an early version of the system, said in a tweet that though you "have to turn on encryption per thread," he added that providing encryption to almost a billion people makes it hard to "put that genie back in the bottle."
Keeps a copy on fb servers. So this change is cosmetic
It breaks fewer people's shit at once if there's a bug they didn't catch. It's like beta testing a new feature with a small group before deploying it to everyone. It's prudent.
FB has upgraded service to use the Little Orphan Annie secret decoder ring.
This would imply that there is information of value being exchanged on Facebook; a proposition I find difficult to believe.
Just cruising through this digital world at 33 1/3 rpm...
"Only *we* get to keep all that sweet, sweet, saleable data on you, dammit!"
Quo usque tandem abutere, Nimbus, patientia nostra?
Just to point out, Zack Whittaker, who wrote the ZDNet article, mis-typed, as iMessage and WhatsApp are encrypted by default. His following sentence appears to show he actually meant they were automatically encrypted. The opt-in encryption that Facebook and Google are providing will also be the preferred option of the govts / 3 letter agencies that want to keep everything for future use. It's crazy to have Facebook's app on your smartphone anyways...a tracking bracelet with a microphone and camera.
...said the AC.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why do we need encryption to keep secrets? The Bible teaches us that evil is done in the shadows and in darkness, but it can't operate in the open when light is shined upon it.
- Pastor Mitch
Ok .. what's your full name, DOB, address, SSN and bank account details?
Shine some light on them and you can be sure nothing bad will happen.
I am Slashdot. Are you Slashdot as well?
I might use your channel, but I'll do my own end-to-end encryption over it, thank you.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The biggest technical flaw I think I see is that man-in-the-middle attacks can occur unless both sides manually check a 256-bit hex value - probably above the technical capabilities of most users. (This is unlike SSL/TLS/HTTPS where clients usually automatically verify the ID of the server, and servers often automatically verify the ID of the client.) From TFA:
>> For every secret conversation Messenger exposes in its interface both participants' identity keys (i.e. IKpk). Users may optionally verify these keys in order to ensure no man-in-the-middle attack is compromising their secret conversations. Messenger displays the 256-bit IKpk values in hexadecimal format.
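The check this comment describes, comparing the 256-bit identity key each client displays against the value the other party reads out of band, can be shown in a few lines. The following is an added example and not code from Facebook's white paper or Messenger; the relay class, the random 32-byte stand-in for IKpk and the grouped-hex display format are all assumptions made for illustration.

```python
import secrets
from typing import Optional

KEY_BYTES = 32  # IKpk is a 256-bit value, displayed as 64 hex digits


def new_identity_key() -> bytes:
    """Constructed stand-in for a participant's identity public key (IKpk).

    The real key is a Curve25519 public key; only its 32-byte encoding
    matters for the comparison logic, so random bytes are used here.
    """
    return secrets.token_bytes(KEY_BYTES)


def format_fingerprint(ikpk: bytes) -> str:
    """Render the key as hex in 8-digit groups, the way a user would read it
    aloud or compare it against the other device's screen (assumed layout)."""
    digits = ikpk.hex()
    return " ".join(digits[i:i + 8] for i in range(0, len(digits), 8))


def parse_fingerprint(text: str) -> bytes:
    """Accept the grouped hex back, tolerating spaces, newlines and case."""
    return bytes.fromhex("".join(text.split()).lower())


def keys_match(displayed: str, out_of_band: str) -> bool:
    """True only if both strings decode to the same 256-bit key.

    Malformed input counts as a failed check rather than an exception, so a
    typo made while comparing never reads as success."""
    try:
        a = parse_fingerprint(displayed)
        b = parse_fingerprint(out_of_band)
    except ValueError:
        return False
    if len(a) != KEY_BYTES or len(b) != KEY_BYTES:
        return False
    return secrets.compare_digest(a, b)


class Relay:
    """Hypothetical key-distribution server. With `substitute` set it acts
    as an active man-in-the-middle and hands out its own key instead of
    the real one; the users only notice if they compare fingerprints."""

    def __init__(self, substitute: Optional[bytes] = None):
        self.substitute = substitute

    def fetch_key(self, real_key: bytes) -> bytes:
        return real_key if self.substitute is None else self.substitute


def run_scenario(mitm: bool) -> bool:
    """Alice fetches Bob's IKpk through the relay, then verifies what her
    client displays against the value Bob reads to her out of band.
    Returns whether the verification passes."""
    bob_ik = new_identity_key()
    relay = Relay(substitute=new_identity_key() if mitm else None)
    alice_sees = format_fingerprint(relay.fetch_key(bob_ik))
    bob_reads_aloud = format_fingerprint(bob_ik)
    return keys_match(alice_sees, bob_reads_aloud)


if __name__ == "__main__":
    print("honest relay, keys match:", run_scenario(mitm=False))
    print("substituting relay, keys match:", run_scenario(mitm=True))
```

The point the scenario makes is the one the comment raises: nothing in the protocol itself stops the relay from substituting a key, so the only thing that detects it is the human comparison, and the comparison has to happen over a channel the relay does not control.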
Good try FB, but no, thank you. Maybe if you convinced smartphone makers to use bigger batteries, I'd think about it, but not the way things work right now.
How can you have an encrypted message on the desktop web chat without Facebook having the encryption key and defeating the whole point?
We hope your rules and wisdom choke you / Now we are one in everlasting peace
How many more hundred megabytes will this feature add?
Honestly, I've stopped using messenger cause it's the single most inefficient POS I've seen in ages. People used to complain that Microsoft Office was bloated. How about a simple mobile messenger application that consumes hundreds of megabytes?
I'm still having trouble understanding the level of incompetence required to do that to a simple messaging application.
The most laughable thing of all is that Facebook actually wants people to trust them with financial transactions. Yeah, no.
The same way WhatsApp currently does it, your phone has the key and the web app creates an encrypted communication channel between your phone and browser. The phone is actually sending and receiving the messages, then forwarding them to your browser.
They don't enable it by default because it absolves them of legal responsibility where the users are not legally allowed to turn it on, and do so anyway.
It is pretty easy to make a protocol that is tamper evident, and it has already been done with other messaging platforms. https://www.whatsapp.com/faq/e...
End-to-end means user-to-user. Even Facebook will not be able to read the messages.
Do you close the door to the bathroom stall when you take a dump?
Do you have passwords on any of your accounts?
Do you make your SS or CC numbers known to the world?
Privacy is a protection.
My eyes reflect the stars and a smile lights up my face.
That seems to be of limited utility if you don't have access to your phone.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
That's true, but you do need some "anchor" device for this to work, or else there is nothing to bind together the many browsers you may have across many devices. Without, of course, just giving Facebook the key like you said. In practice, most people have their phones on and connected to cellular internet most of the time. I have used WhatsApp a lot and it really isn't an issue.
My guess: advertising.
Facebook probably mines the unencrypted messages to help form an "advertising profile" for you so they can better target ads at you when you're on Facebook.
I'm going to give the AC in this case the benefit of the doubt, and assume he's posting this ironically or sarcastically and actually doesn't believe that drivel.
Next, there is no 'god', but of course no two people will ever agree on that point, so I'll let it go for now.
Now, if this 'Pastor Mitch' character really believes this crap, how about he posts his credit card numbers, bank account numbers, PIN numbers, driver's license and social security numbers, and all his other identity-related information on the Internet for anyone to use. Then how about he installs cameras and microphones in every room of his house, including the bathroom, connected to the Internet 24/7/365, never turned off ever, so we can witness what a clean, pious, sanctified, honest life he's living, with nothing to hide. If he won't do all that then I guess we have to assume he's got some Deep Dark Secrets he needs to hide from us all and is going to Hell when he dies! He must be having sex with his wife in a non-missionary position only for procreation purposes or some horrible Sin like that, LOL! These types would make me laugh if they weren't so completely and utterly idiotic -- and so full of shit and hypocritical.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
If the user really will have to enable encryption per thread, that will be a very useful flag to anybody who cares that the conversation is worth decrypting.
Facebook announced Friday it would roll out optional "end to end encryption" for its Messenger application, following a trend aimed at stronger security and protection against snooping. The new feature will be known as "secret conversations" which can be read only by the sender and recipient.
That's great except that I don't actually trust Facebook so I'm not sure what this would get me. How can I be sure the message remained secure?
End-to-end means user-to-user. Even Facebook will not be able to read the messages.
In principle yes but do you really trust Facebook? Seems like a HUGE opportunity for man in the middle attacks here. Unless you control the encryption keys you really have no assurance that it will be secure and doing encryption and key exchange properly is actually pretty darn hard to do right.
That's cute that some people believe that a service that makes money from harvesting your information keeps your data private. That's very cute.
I don't respond to AC's.
You don't have to trust them. They publish the protocol, people will audit it.
How do you propose to audit the implementation of the protocol? It's kind of like how it doesn't matter who votes - what matters is who counts the votes. I don't really see any way I could realistically trust Facebook to be a trusted intermediary. It doesn't matter what the protocol is if we can't be certain they are following it.
...that crappy App that Facebook pulled out of their existing App and which I refuse to install because I shouldn't need a separate app or still another chat client.
In other news, when did people become so lazy that everyone uses chat because clicking on an email app is just too big a hassle?
I'm pretty sure you can use the FB messenger app without having a FB account now. They want you to use it as a standard SMS and phone calling app. This is why it's a standalone app.
It's a good thing you can disable those.
I fail to see how any 'encryption' matters when Facebook is spying on everything you do, both on and off Facebook.
If it is Facebook (singular) you are in a better perhaps more secure space.
Unencrypted, anyone near or far who can tap into the stream could read it.
Even if FB archived messages and kept them behind a "legal" wall there should be an audit trail to show abuse when abuse happened.
I fear the naive structures put in place today by honest, well-intentioned individuals. Should that individual retire, change companies or be promoted, there is no mechanism to guarantee another honest replacement.
To pick on one chain of authority. ... ... ... ... ...
Google reminded me and would let you find my source:
"While it's true that no one is perfect, the seven corrupt popes below were exceptionally unholy:
"Pope Clement VII (Pope from 1523 to 1534)
"Pope Leo X (1513 to 1521)
"Pope Julius II (1503 to 1513)
"Pope Alexander VI (1492 to 1503)
"Pope Benedict IX (1032 and 1048)
"Pope John XII (955 to 964)
"Pope Stephen VI (896 to 897)"
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
That's cute that some people believe that a service that makes money from harvesting your information keeps your data private. That's very cute.
It's adorably naive. It makes me want to print out cryptizard's post and put it in a pink frame with lots of little hearts and kittens and stuff.
Just cruising through this digital world at 33 1/3 rpm...
You can get Swipe on Android and it restores the FB+Messaging by repacking the webpage version of Facebook into something nice for use on mobile. You might have to fiddle with an option in the settings and the author feels that eventually there will be no more workarounds for FB+Messaging functionality but so far it's a great piece of software if you need to access your messages from a phone.
On the Oregon Coast born and raised, On the beach is where I spent most of my days
You don't have to trust anything, it is cryptographically verifiable. But whatever, just keep posting your memes. Very constructive to the conversation.
I'm not a cryptographer, so I just have to use common sense. Common sense says that for-profit companies exist to generate income.
I don't respond to AC's.
Sure but that is not mutually exclusive with providing an end-to-end encrypted messaging service. Do you really think they are mining your instant messages for data anyway? They get what they want from your profile/news feed. It was an easy place they could provide security to entice people to use their platform, without losing them anything.
Sorry, I don't believe Facebook will store it encrypted and have no backdoors. And with closed-source apps and mysterious back-end stuff, who will ever know for sure, regardless of what they might claim.
More provably than probably. For a while, anytime you mentioned a company's name in a private message (like "man it's hot out today, just drank 3 Cokes after cutting the grass"), Facebook would automatically like that company's profile page on your behalf. They were sued over this practice.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!