Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report

Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning; "even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."

Link to actual letter

http://technosociology.org/?page_id=1687

Rather than recursive links to other slashdot articles on the subject

Remember

[GeekWithAKnife]

WhatsApp is big money...and combined with the fact it's hard to prove that a vulnerability was intentional and thus a "back door" it's hard for Joe Average to tell who's right.

Don't worry about this stuff. Just keep using WhatsApp. It's just as secure as everything else, honest.

Telling people not to use WhatsApp is apparently "endangering people"...as it is a "crucial issue".

Summary; do not use Signal, ChatSecure, OTR or Telegram. Use WhatsApp, it's clearly safer #because_danger (??).


Personally I never thought WhatsApp was secure even after this (maybe backdoor-ed) end to end encryption - Consider many people use WhatsApp? it's the number one target IM. If it ever was secure it won't be so tomorrow.

Re:Take a note of who is doing the requesting

[Opportunist]

Dude, take a look at what's happening here.

The "security hole" in question here is basically the same deal as you have with every other service where you can transfer your service to a new device. You know, you buy a new phone, then want to continue using your IM or whatever on the new phone... but with the new phone you'd also get to negotiate new encryption keys. And that means that all messages still in the queue would be lost, because they have been encrypted with your old key.

That's the whole "exploit" here.

There's plenty of reasons to distrust WhatsApp and even more reasons to avoid it like the plague, not the least of which being that it hands all data over to FB despite first claiming and vowing that it would never do that.

If THIS is your reason to distrust WhatsApp, you have bigger problems.