> There was a middle period where the government had a broad ability to surveil, but if you look at human history in total, people evolved and civilizations evolved with private conversations and private speech. If anything, we’re bringing that back to individuals.
I think on the contrary, the surveillance demon is out of the bottle. It's too hard to hide metadata such as IP addresses in communications; in many places Tor is blocked, browsers can be fingerprinted, typing style and writing style can be identified by statistical methods; we depend on auto-updated operating systems that might be backdoored in the future or are already backdoored, and even if we have an "untraceable" system, we can't possibly use our old accounts where we logged in with our real name, or from our real IP address, in the past. So, anonymous web use is not as social as plain web use. Besides, we already leak too much data through our GSM phones, at least to the carrier and the state agencies that log the user data.
Social network graphs are also a huge surveillance leak. If you use an otherwise anonymous way to talk to all your friends, and someone knows who those friends are, they have a pretty good idea who owns that "anonymous" communication channel.
This is tragic, since the most interesting and private uses of the internet are in interacting with friends, family, and loved ones.
So now WhatsApp is finally on par with iMessage and Signal, and shares the same weakness: public key distribution. Key distribution is controlled by a centralized server that could, for malicious or other reasons, send you new fake keys for people you communicate with. For iMessage, this is explained in this 2015 post by Matthew Green:
You're right. So when you get a notification of a key change (for malicious or other reasons) it is up to you to verify that the user did indeed have a key change — preferably out of band, or at least over another medium.
Is there no UI notifying you that a user's keys have changed in Signal? If so, the central server would need to send compromised keys on day 1, which would be detectable when you check the key signature.
> This includes chats, group chats, attachments, voice notes, and voice calls across Android, iPhone, Windows Phone, Nokia S40, Nokia S60, Blackberry, and BB10.
Wow. I'm genuinely impressed. The Nokia app store closed over two years ago, and they still implemented this for those old, trusty devices. That's some dedication for serving the users!
> WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service
Unless the NSA/FBI/CIA secretly orders WhatsApp to release a compromised app update with a backdoor.
... A's message is encrypted with WhatsApp's public key, which means that WhatsApp's private key can (and has to) decrypt it on the server side to encrypt it in turn with B's public key.
If the diagram is truthful, the claims the article makes are incorrect.
Why are people downvoting this? While the "public key" is not "WhatsApp's", it is served from their server, hence in theory they can provide you with any public key they want, decrypt the message, store it, re-encrypt it with the "correct" public key and send it off to the user.
With PKI, the ability of the user to verify that they received and used the correct public key is critical, and while I have to admit that I haven't read that much about WhatsApp's E2EE setup, I haven't seen anything that shows how this issue can be mitigated in a way that would be useful for most users.
I see your concern, but I think the issue they're trying to prevent is authorities coming with a court order wanting to decrypt messages after the fact.
If WhatsApp decides to act maliciously, yes, this method would make it very easy for them.
That's true, but they provide means to verify the fingerprint of the other party, so you can verify that your app is encrypting messages using the legitimate public key and that there's no MITM going on.
Yeah, but again there are quite a few questions here (not a WA user).
How foolproof is the verification system? How susceptible is it to downgrade attacks (while E2EE isn't universally deployed)? Is there third-party verification of signatures? Is there community trust signing? Can WhatsApp disable E2EE in its application without a noticeable UX change to either party? How does this work with multi-user messages, with multiple devices, with historic messages that were encrypted using different keys, etc.?
I would say that there are sufficient "unknowns" at this point to take the security of this entire solution with some skepticism, especially if you're remotely planning to use this for anything that could put your life at any risk.
Downgrade attacks should be difficult. As the article mentions, once a client has communicated with another once using encryption, all future communications to that client will be encrypted. So a downgrade attack would require spoofing a new client for a user (e.g. a phone they didn't have before), which is likely noticeable.
That said, they could push out an update that changes the UI to disable E2EE without notifying the user, and that would be difficult to notice since the app is closed source. For this reason Signal is more secure, despite using the exact same protocol.
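The client-side behaviour the comments above argue about (pin the first key seen for a peer, alert on any later change instead of silently accepting what the server sends, refuse a silent fall-back to "no key" once a peer has had one, and give the user a fingerprint to compare out of band) is shown below as an added example. This is not WhatsApp's or Signal's code; the `KeyStore` API, the 60-digit fingerprint rendering and the random bytes standing in for public keys are all constructed for illustration.

```python
import hashlib
import secrets


class KeyChangedError(Exception):
    """The server handed out a public key that differs from the one pinned for this peer."""


class DowngradeError(Exception):
    """A peer that previously had an E2EE key is suddenly reported as having none."""


def fingerprint(identity: str, public_key: bytes) -> str:
    """Render a key as 12 groups of 5 digits for out-of-band comparison.

    Constructed for this example: SHA-256 over the peer identity and key,
    reduced to 60 decimal digits. It is not the real safety-number algorithm.
    """
    digest = hashlib.sha256(identity.encode() + b"\x00" + public_key).digest()
    number = int.from_bytes(digest, "big") % 10**60
    digits = f"{number:060d}"
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


class KeyStore:
    """Client-side trust-on-first-use cache of peers' public keys (hypothetical API)."""

    def __init__(self):
        self._pinned = {}        # identity -> public key bytes first seen
        self._verified = set()   # identities whose fingerprint matched out of band

    def resolve(self, identity: str, key_from_server):
        """Return the key to encrypt to, or raise when the server's answer is suspicious."""
        pinned = self._pinned.get(identity)
        if pinned is None:
            if key_from_server is None:
                return None      # peer never advertised a key: no E2EE session yet
            self._pinned[identity] = key_from_server   # trust on first use
            return key_from_server
        if key_from_server is None:
            # Once a peer has had a key, "no key" is a downgrade, not a fallback.
            raise DowngradeError(f"{identity} previously had an E2EE key")
        if key_from_server != pinned:
            # Could be a reinstall, could be a substituted key: the user must decide.
            raise KeyChangedError(f"key for {identity} changed; verify out of band")
        return pinned

    def is_verified(self, identity: str) -> bool:
        return identity in self._verified

    def verify_out_of_band(self, identity: str, fingerprint_read_from_peer: str) -> bool:
        """Compare the pinned key's fingerprint with what the peer shows on their own device."""
        pinned = self._pinned.get(identity)
        if pinned is None:
            return False
        ok = fingerprint(identity, pinned) == fingerprint_read_from_peer
        if ok:
            self._verified.add(identity)
        return ok

    def accept_new_key(self, identity: str, new_key: bytes) -> None:
        """User explicitly accepts a changed key; the earlier verification no longer applies."""
        self._pinned[identity] = new_key
        self._verified.discard(identity)


def demo() -> dict:
    """Walk through honest use, a key change, a substituted key and a downgrade attempt.

    All keys are random bytes standing in for real public keys (constructed).
    """
    bob_key = secrets.token_bytes(32)
    bob_reinstalled_key = secrets.token_bytes(32)   # what Bob's new phone really has
    substituted_key = secrets.token_bytes(32)       # what a dishonest server could hand out
    store = KeyStore()
    result = {}

    result["first_use"] = store.resolve("bob", bob_key) == bob_key
    result["repeat_use"] = store.resolve("bob", bob_key) == bob_key

    # Bob reads the fingerprint off his own phone; Alice compares it with hers.
    result["verified"] = store.verify_out_of_band("bob", fingerprint("bob", bob_key))

    # The server now returns a different key. The client cannot tell why, so it stops.
    try:
        store.resolve("bob", substituted_key)
        result["change_detected"] = False
    except KeyChangedError:
        result["change_detected"] = True

    # If the user accepts the new key, the out-of-band check against Bob's real key still fails.
    store.accept_new_key("bob", substituted_key)
    result["substitution_caught"] = not store.verify_out_of_band(
        "bob", fingerprint("bob", bob_reinstalled_key))

    # A silent "no key" answer is refused for a peer that already had one.
    try:
        store.resolve("bob", None)
        result["downgrade_refused"] = False
    except DowngradeError:
        result["downgrade_refused"] = True
    return result


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:>20}: {'ok' if passed else 'FAIL'}")
```

The point the code makes is that the client, not the server, decides what to trust: the directory can return any key it likes, but a pinned key plus a fingerprint the two humans compare over another channel is what turns a silent substitution into a visible event. A closed-source client could of course drop these checks in an update, which is exactly the remaining concern raised in the thread.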
"Public key from server" is an ambiguous phrase. I took "from" to denote possession, not source.
After reading the other sources of information, it's clear it is a secure protocol. More so when designed by the Snowden-approved Open Whisper Systems team.
Actually, it's the private key that needs to be kept secret... I'm not sure how that's guaranteed or how we can actually verify that the private key is secure. Knowing that WhatsApp is built by spying and uploading all your contacts and phone numbers to their servers, well, do you trust them to not upload the private key also?
It uses the public key of the other user, not WhatsApp's. In effect, WhatsApp is just acting as a key server. Now, they could have that user's private key, but that's another matter.
The client generates a public/private key pair and only sends the public one to the WhatsApp server. The server should never be able to access the private key. But unless the source of the client is available for review, who knows?
My understanding of this situation is that, previously, E2E encryption was enabled between Android clients[1]. Now, it is claimed that all clients, for all media types, do it.
They have released a whitepaper [1] where they go into details of how the encryption works, so using this knowledge in theory one should be able to verify that the encryption is legitimate.
Watch the traffic go by with a packet sniffer? Verifying that it is done securely is a lot harder, but you can at least verify that things are not being sent as plain text/data.
Watching traffic is irrelevant; the encryption of the transport (WhatsApp always used TLS for that) is not in question here. This is about end-to-end encryption and whether WhatsApp can either decrypt the data for users or switch them off E2EE at any point without it being noticeable to either end.
>“The encryption genie is out of the bottle”
...
> There was a middle period where the government had a broad ability to surveil, but if you look at human history in total, people evolved and civilizations evolved with private conversations and private speech. If anything, we’re bringing that back to individuals.
I think on the contrary, the surveillance demon is out of the bottle. It's impossible to hide metadata (IP addresses) in communications, we depend on auto-updated operating systems that might be backdoored in the future or are already backdoored, and even if we have an "untraceable" system, we can't possibly use our old accounts where we logged in with our real name, or which can be traced to our IP address.
I'd like to know how backing up data on Google Drive will be done now. Does it remain encrypted, so that when you re-import it to your phone only then it'll be readable?
Bravo to moxie, and the WhatsApp guys actually sound really cool. So, assuming you're using WhatsApp Web, does that mean you have end-to-end encryption there too? I recall the web version used your phone somehow.
Looks great, but I find it a bit weird that there's no WhatsApp announcement. I also wonder if it'll slow down the ability to have the same WhatsApp account on multiple devices.
Telegram received quite a backlash from the crypto community for rolling out a nonsensical throw-a-bunch-of-crypto-algorithms-together homebrew protocol that was designed by Math PhD™ students and having the audacity to conduct a contest to break it.
This OTOH uses peer reviewed, strong, modern crypto that was designed by people who know how to do these things.
The crypto might be superior, but we do not know for sure that WhatsApp/Facebook is not covertly decrypting the messages and funneling them through some Prism v2 NSA surveillance operation.