
WhatsApp encryption is useless - Enindu
http://wccftech.com/does-ss7-render-whatsapp-encryption-pointless/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+MobileWccftech+%28Mobile+%E2%80%93+WCCFtech%29
======
infodroid
There was a fine discussion about it yesterday
[https://news.ycombinator.com/item?id=11668567](https://news.ycombinator.com/item?id=11668567)

------
leecarraher
day late and a dollar short

------
skrebbel
Why are crypto geeks always so black and white? Is there really only "perfect"
or "useless" with nothing in-between?

Notably, a noted goal of WhatsApp encryption was to stop mass surveillance.
I'm no expert but I don't see how these objections make mass surveillance of
messages remotely as easy as it was when WhatsApp was entirely unencrypted.

~~~
mikegerwitz
> Is there really only "perfect" or "useless" with nothing in-between?

Are you suggesting that the ability to completely circumvent a system doesn't
make that system broken?

If the goal of WhatsApp encryption is to protect against surveillance, and
there's a way to surveil users using WhatsApp, then it's broken, full stop.
Are you going to place your trust in a home security system that works pretty
well, but only against unskilled burglars? Or what about an authentication
system to a server holding sensitive customer information? Or your banking
information? Or information that might put your life at risk as a dissident in
a repressive state?

~~~
khedoros
> Are you suggesting that the ability to completely circumvent a system
> doesn't make that system broken?

A system can be broken without being useless.

> If the goal of WhatsApp encryption is to protect against surveillance

You skipped an important word from the post you replied to: "mass". Even with a
hole in SS7, it makes it impractical to collect messages from everyone, even
if it's practical to collect messages from specific targets.

~~~
mikegerwitz
> A system can be broken without being useless.

Sure, just as a completely insecure system can be useful. I'm not arguing
that.

But not useful for the purpose of protecting users against surveillance.

> You skipped an important word from the post you replied to: "mass".

skrebbel made a blanket statement, which I was replying to.

~~~
khedoros
> But not useful for the purpose of protecting users against surveillance.

I'd argue that it can be useful for that purpose without being perfect. If it
stops my communication from being caught in a mass dragnet, then it's useful
for protecting me against surveillance even when it's possible to circumvent
the security on the scale of individuals (rather than populations).

> skrebbel made a blanket statement, which I was replying to.

Right, they did. They made the statement that even flawed security makes mass
surveillance much more difficult than an unencrypted system would (or words to
that effect). It seems like "stop mass-scale surveillance" is a separate goal
from "stop individual-scale surveillance". I feel like you set up a strawman,
rather than actually addressing what skrebbel originally said.

~~~
mikegerwitz
> It seems like "stop mass-scale surveillance" is a separate goal from "stop
> individual-scale surveillance". I feel like you set up a strawman, rather
> than actually addressing what skrebbel originally said.

My point was that security is often black-and-white because a crack can turn
out to be a crater, and often is.

With regards to state-sponsored, dragnet surveillance: those are the most
skilled attackers, and they've exploited far more subtle issues than the one
being discussed here; they're the ones that you need to be worried about for
undisclosed vulnerabilities, let alone terribly obvious flaws like this one.

------
Robin_Message
Flagged for misleading headline; if keys are verified WhatsApp is secure
against this attack. If you don't have out of band comms or a pre-shared key,
mitm attacks are provably impossible to prevent.

------
emdd
Can we have weekly whining threads about WhatsApp now? Just make it like an
automated thing; maybe a sticky!

------
tsunamifury
This is offset by two factor authentication: Pin-based or email based. If you
want extra security then encrypt your device and two-factor your phone number
based messenger.

------
thesimon
Don't have the link, but there was a better discussion and source a few days
ago

------
merqurio
If this is true, it's really sad. WhatsApp penetration is so high around me
that not using it's... very impractical. I do use other channels with some
friends, but I don't think people will adopt other channels any time soon.

~~~
alainv
Turn on the setting to warn you when the other party's encryption key changes
and go about your business. This is non-news unless you have unusually good
cause to worry about targeted attacks.
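
What the key-change warning discussed above amounts to, sketched as a trust-on-first-use pin store. This is an added example, not part of the thread and not WhatsApp's code; the class, method names, status strings, phone number and key bytes are all constructed for illustration.

```python
import hashlib

def fingerprint(identity_key: bytes) -> str:
    """Short digest of a public identity key that two people can compare."""
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 24, 4))

class PinStore:
    """Maps contact -> (pinned fingerprint, verified out of band?)."""

    def __init__(self, warn_on_change: bool = True):
        self.pins = {}
        self.warn_on_change = warn_on_change

    def verify(self, contact: str, identity_key: bytes) -> None:
        # Called after the fingerprints were compared over a separate channel.
        self.pins[contact] = (fingerprint(identity_key), True)

    def check(self, contact: str, identity_key: bytes) -> str:
        fp = fingerprint(identity_key)
        pinned = self.pins.get(contact)
        if pinned is None:
            self.pins[contact] = (fp, False)   # trust on first use
            return "first-use"
        if pinned[0] == fp:
            return "verified" if pinned[1] else "unverified-match"
        # The number now presents a different key: new phone, reinstall,
        # or someone else registered the number. Verification is reset.
        self.pins[contact] = (fp, False)
        return "KEY-CHANGED" if self.warn_on_change else "silent-accept"

def simulate(warn_on_change: bool) -> list:
    """Constructed timeline: verify a contact, then the number re-registers."""
    store = PinStore(warn_on_change)
    contact = "+15550100"  # fictional number
    original = hashlib.sha256(b"constructed: contact's own device").digest()
    reregistered = hashlib.sha256(b"constructed: number re-registered").digest()
    events = [store.check(contact, original)]
    store.verify(contact, original)
    events.append(store.check(contact, original))
    events.append(store.check(contact, reregistered))
    events.append(store.check(contact, reregistered))
    return events

if __name__ == "__main__":
    print("warning on :", simulate(True))
    print("warning off:", simulate(False))
```

With the warning disabled the same key change is accepted without the user seeing anything, and in both cases the contact drops back to unverified until the fingerprints are compared again.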

------
mikek
In the case of WhatsApp, your data is only on your device and, optionally, in
iCloud. So even if an attacker is able to take over your WhatsApp account,
your existing data is still private unless the attacker can obtain your device
password (and your device) or your iCloud password.

