
Why WhatsApp is not secure – while Textsecure may be - fdik
http://pep-project.org/2014-11/s1416375314
======
higherpurpose
> This is just plain wrong. I'm questioning that, because WhatsApp has to add
> a back-door for sure. And Doctorow knows that. This is because of Section
> 215 US Patriot Act – at least there is a legal back door, which can be
> (ab)used by US governmental agencies at any time.

Care to elaborate on that? Because I don't think there's any law right now,
not even CALEA, that _demands_ a backdoor in a chat application. That's not to
say Whatsapp won't _willingly_ add such a backdoor, but I don't think
anything legal forces them to do it. FBI has been lobbying for the past few
years to pass such a law, though, which is for now unsuccessful,
fortunately.

I'd say wait a year or so after Whatsapp enables this and for iOS, too. If we
won't hear anything from the US, Saudi, Indian or Chinese governments about
how angry they are at Whatsapp's new encryption, then we should start to
become very suspicious about that encryption. Because this should make them
_at least_ as angry as full disk encryption made FBI. Heck, the Saudi gov was
even pissed off at Whatsapp's HTTPS encryption.

------
ericcumbee
"After 9/11, the US intelligence community became so excited by the
possibilities of new technology and the innovations being made in the private
sector, that in 1999 they set up their own venture capital fund"

------
andor
From Wikipedia:

_"FISA was modified by section 215 (Access to records and other items under
the Foreign Intelligence Surveillance Act) to allow the Director of the FBI
(or an official designated by the Director, so long as that official's rank is
no lower than Assistant Special Agent in Charge) to apply for an order to
produce materials that assist in an investigation undertaken to protect
against international terrorism or clandestine intelligence activities. The
act specifically gives an example to clarify what it means by "tangible
things": it includes "books, records, papers, documents, and other items"._

So yes, they have to provide access to the records they have, which is a big
reason why end-to-end crypto is rolled out in the first place. If the records
don't contain any decryption keys, the _content_ of messages is safe. All
other metadata (sender, receiver, timestamp, message size) is not, since it's
needed for delivery.

------
qznc
Unless they open-source it, I do not consider WhatsApp secure. However, I
still applaud them for integrating encryption. It is one step further in
transforming our society such that everybody expects encryption to be easily
available and on by default. It raises the standard in the eyes of the people
even if this particular app is not really secure.

------
muppetman
This does nothing to prove WhatsApp is insecure, inasmuch as I could write
the same rambling article citing sources claiming WhatsApp IS secure.

I'm not sure if this article was posted for us to have a chuckle at, or as a
serious thing.

~~~
philtar
I think what he is saying is that if Whatsapp wants us to truly believe it is
secure then it needs to publish its source code.

Nothing proprietary can be considered truly secure because the government can
just force its way into it.

At least that's what I think he's saying.

