WhatsApp is now end-to-end encrypted.
Here's the WhatsApp security page, and here's the technical whitepaper.
EDITED TO ADD: Slashdot thread. HackerNews thread. More news articles.
EDITED TO ADD (4/6): Another article.
Posted on April 5, 2016 at 10:04 AM • 110 Comments
Ali • April 5, 2016 10:35 AM
My question is, how can we verify their claims?
IVBela • April 5, 2016 10:41 AM
My question is, are the previous privacy concerns about WhatsApp already forgotten? I just know I avoid this app like plague ever since.
Meneth • April 5, 2016 10:51 AM
This is a public-key system where WhatsApp's servers hosts the public key ledger. It can be attacked by taking control of the servers, then performing a classic MiTM.
Keith Glass • April 5, 2016 11:02 AM
Any chance a source OTHER than WIRED could be used ? WIRED blocks any of us who use Ad Blocking, yet has been known to serve malvertising. . .
Adrian • April 5, 2016 11:06 AM
Wired.com keeps blocking the articles with overlays that claim you're running an ad blocker, even when you're not running an ad blocker. They really need to fix that.
Dave • April 5, 2016 11:09 AM
WhatsApp: https://www.whatsapp.com/security/
and their White-Paper:
https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
They seem to use the Protocol thats also used by Open Whisper Systems Signal... if i understand it correctly, after you have initialized a session one time their is no chance for future MitM because the Public Keys need to be requested from the Server only for establishing this initial connection!
If its implemented correctly i think its pretty cool considering that skype is very popular in regions of the World where you better not trust your government one bit unless you want to see a torture chamber from the inside.
Jeffs5 • April 5, 2016 11:13 AM
@Keith Glass
I can access Wired fine, by using uMatrix and uBlock Origin on Firefox. No ads, no complaints.
About the article though, does this supposedly mean WhatsApp/Facebook cannot read people's conversations? How's that going to work for a company based on the information gained by reading people's conversations?
Eventually • April 5, 2016 11:36 AM
WhatsApp, unlike iMessage, now has the ability to verify your contact's key by using either a QR code or comparing a long numeric string. This is still the Achilles heel in iMessage and many other encrypted message systems.
I've not had chance to read the whitepaper but I'm guessing that if it's been implemented by Open Whisper Systems then it'll utilise the axolotl ratchet. Anything designed by Marlinspike will be a very high quality implementation so I'll look forward to reading the details.
It's a massive step forward because WhatsApp is by far the most popular messaging app and 'crypto for the masses' shows that privacy is a human right. The flip side of the coin for law enforcement agencies is that now (almost) all communications are encrypted it won't make those people who go out of their way to secure their communications look 'suspicious'.
votation2016 • April 5, 2016 11:41 AM
There's an interesting, disturbing twist in the Wired article, when Marlinspike is asked about search warrant / wiretap (a.k.a. server-side backdoor). His answer is ambiguous, not denying nor confirming anything.
You cannot go against the laws of your country. Nobody should trust their data and privacy to any company that is headquartered or operating in the US.
Switch to ProtonMail and Threema. Switch now. Their technical implementation or threat model may not be as sexy as the Signal Protocol (esp. regarding forward secrecy), but at least they are openly addressing the legal side of the problem - leveraging Swiss democratic procedures to fight for our privacy. None of this would be possible in the US.
Hmmmm • April 5, 2016 11:49 AM
So it's now really clear that they make their money not off message content, but the metadata.
Wonder exactly how that business model works, and what data is captured.
Daniel • April 5, 2016 11:58 AM
You cannot go against the laws of your country. Nobody should trust their data and privacy to any company that is headquartered or operating in the US.
This. I've said it once I'll say it again. If the sender doesn't control the implementation, he doesn't control the message. Anyone who trusts anything sensitive to either Goolge or Facebook is crazy. Encryption is a honeypot.
Not Sure • April 5, 2016 11:59 AM
And now the government has to contend with something much bigger than a locked iPhone: secrecy for a billion people.
Read: WhatsApp have just bitch slapped the FBI.
The obvious problem is iCloud and Google Drive... if a user backs up their WhatsApp message history to the cloud then their communications can still be compromised. Apple are busy preparing their own retaliatory pimp slap by developing a zero-knowledge iCloud.
I'd like to see WhatsApp integrate ephemeral messaging (like Snapchat) which will delete messages after pre-defined period of time irrespective of the recipient's settings. It should also allow the sender to stipulate that the message(s) shouldn't be backed up to the cloud (obviously the recipient could screenshot it).
Bytopia • April 5, 2016 12:03 PM
@Jeffs5
They have lots of other valuable data at hand. Perhaps the alleged loss of access to messages' content is negligible.
Not Sure • April 5, 2016 12:03 PM
@votation2016, @Daniel
You cannot go against the laws of your country. Nobody should trust their data and privacy to any company that is headquartered or operating in the US.
A valid point but I believe that WhatsApp are open-sourcing their encryption.
Meneth has a good observation:
This is a public-key system where WhatsApp's servers hosts the public key ledger. It can be attacked by taking control of the servers, then performing a classic MiTM.
What it means in reality is that targets will have to be targeted - it'll vastly reduce the 'attack surface' that currently exists with bulk surveillance.
@votation2016
ProtonMail has its own problems* and Threema is neither free nor open source.
* http://www.wired.com/2015/10/mr-robot-uses-protonmail-still-isnt-fully-secure/
GrowingUpUnderSurrvailence • April 5, 2016 12:07 PM
Use all the encryption you want, what about metadata! We have said over and over how dangerous metadata is.
Not Sure • April 5, 2016 12:14 PM
@Meneth, @All
WhatsApp actually has a setting in the 'Security' menu called 'Show Security Notifications'. Beneath it reads:
"Turn on this setting to receive notifications when a contact's security code has changed. The messages you send and your calls are encrypted regardless of this setting, when possible."
Providing you verify your contact's fingerprint, and the implementation is open source, then this provides excellent protection against your suggested method of attack.
Every little helps and I agree that nothing is perfect.
@GrowingUpUnderSurrvailence
Metadata is very useful but the majority of people are more concerned about their personal communications (and not the metadata) being insecure - e.g. their 'dick pics'.
Somebody who wants to hide their metadata would be best advised not to use messaging apps.
Vocation2016 • April 5, 2016 12:20 PM
@Hmmmm "So it's now really clear that they make their money not off message content, but the metadata."
@Daniel "Encryption is a honeypot."
Former CIA director Michael Hayden said: 'We kill people based on metadata'.
=> I think you guys nailed it. Metadata is the name of the game, and e2e encryption the honeypot. FBI/NSA *will* get their metadata (if they haven't already - they probably have).
MrC • April 5, 2016 12:34 PM
A few thoughts:
1. Re MITM: It looks like they've "solved" their MITM problem by adding out-of-band key verification, i.e., read the key fingerprint out face-to-face, over the phone, etc. This is clunky and inconvenient, but AFAIK no one has ever invented a better method for key distribution.
2. Ratcheting a symmetric key forever and ever doesn't solve the MITM problem, but it does add a timing restriction -- the attacker must MITM the first communication between the parties or lose the chance. However, this raises a question for me. When I previously read the description of the protocol, I thought session keys were being ratcheted for a nice, but probably unnecessary, forward secrecy from message to message within the session. Accordingly, I didn't really care if it worked, so I gave it little thought. Now, however, I see that the ratcheting mechanism has to bear a ton of weight, since the first session a pair of parties shares stays with them forever (as mutated by ratcheting). I'm also of the impression -- possibly misinformed -- that this ratcheting mechanism is a completely new invention by Moxie Marlinspike. So, has anyone with real crypotography chops taken a serious look at the ratcheting mechanism.
3. My prime concern is whether repeated one-sided ratcheting (invoking the hash-based version of the ratchet ratchet over and over) might reduce the entropy of the session key too far. (I'm envisioning a scenario where an attacker could manipulate one client into sending thousands of unanswered housekeeping messages (heartbeats or something like that)). I'm sure there may be other considerations I'm simple to uneducated to even perceive.
4. Without source code for the client, the whole thing is pointless because we cannot trust that the binary actually does what the whitepaper says.
5. @Keith Glass: Like Jeffs5, I have no trouble with Wired. Firefox with NoScript, UMatrix, UBlock Origin, RefControl, and other extensions that are likely not relevant here.
If whatsapp is now e2e have they deprecated non upgraded versions?
Can functionality just be rolled back?
Not Sure • April 5, 2016 12:57 PM
@MrC
1. I agree - I don't think that any better system has been found.
2. Here's the history of the ratchet: https://en.wikipedia.org/wiki/Double_ratchet
Bruce, whom I'm sure you'll agree has "real crypotography chops", speaks highly of Marlinspike and his products. I can't remember if Bruce has done any independent research on the protocol, however. Matthew Green, a Professor of Cryptography, who led the research in breaking iMessage has said this:
"In the long term, Apple should drop iMessage like a hot rock and move to Signal/Axolotl."
http://blog.cryptographyengineering.com/
4. Here's the official blog post confirming that the algorithm is open source. I'm sure if somebody wanted to decompile the binary they could and would. Having at least some of the source code (i.e. the encryption engine) is a good start.
https://whispersystems.org/blog/whatsapp-complete/
@r
They haven't deprecated old versions but there is an alert which warns users that their communications aren't encrypted. In groups chats WhatsApp will publicly name and shame (in that chat) those who haven't got an up-to-date version and blame them for making the message unencrypted.
Once WhatsApp have a critical mass of users who have upgraded (e.g. 80%) then I would hope they will bar 'downgrading' (removing not activating encryption for the message) by forcing people to update their app.
Jesse Thompson • April 5, 2016 1:26 PM
> I think you guys nailed it. Metadata is the name of the game, and e2e encryption the honeypot. FBI/NSA *will* get their metadata (if they haven't already - they probably have).
@Vocation2016
To me, this sounds like a fine time to add an onion-message-router plugin to whatsapp.
1: it initiates housekeeping messages or whatever (cannot discern message intent from outside, but inside user never even really gets bothered by the traffic) to literally as many people as it can while idle. Especially to all other users of the plugin it can reach. That by itself should fark up metadata pretty badly. Sure it uses up some more bandwidth, but we're talking about text messages here for heaven's sake.. thousands of those don't take up more than a few megs traffic.
2: When you want to send an onion message, it gets onion encrypted and sent to 3 different first hops running the plugin, then each of their plugins silently (without *having* to bother the user) decrypts first layer of onion and forwards result to 2 more hops, that step is repeated perhaps 1 more time and then perhaps a few rounds of only forwarding to one hop, until finally the final encrypted nugget is forwarded (by up to a dozen different clueless people, probably hours or days apart) to the real intended destination whose client reacts to the first copy and silently discards the sprinkle of duplicates that naturally follow.
To me, that sounds like a fine rough-draft answer to metadata collection once e2e is under your belt. :D
tj williams • April 5, 2016 1:29 PM
Does not protect metadata and is not open source either but garanteed "backdoor free" by the authors:
https://play.google.com/store/apps/details?id=com.embarcadero.TextoCrypt&hl=en
No servers involved, PGP like key management with proprietary certs using Ed255-19.
Delo • April 5, 2016 1:33 PM
My concern is the same as Ali's; we have nothing to go on besides their word. They are owned by a company with an appalling reputation for privacy, and a habit of changing their security standards on the sly
Chris • April 5, 2016 1:47 PM
4. Having the source code also does not guarantee the algorithm was actually implemented in the specified way. The only way to do that is to reverse the app.
herman • April 5, 2016 2:09 PM
Broadcasting can kill the usefulness of metadata. If everybody is keyed, then send all messages to everybody. Only the real recipient will be able to read it and the three letter agencies will be left scratching their heads.
Curious • April 5, 2016 2:13 PM
Pardon my ignorance, but would there be any way to prove that some connection is really encrypted end to end, with no backdoor implemented, and without there being some feature implemented that could turn off end-to-end encryption at the whim of a software maker?
Dr. I. Needtob Athe • April 5, 2016 2:45 PM
@Adrian:
I just verified that. I opened Microsoft Edge, which I've never bothered to modify in any way because I don't use it, and sure enough, while I was in the middle of reading the article about WhatsApp it very rudely hid the article with a complaint about ad blockers. It was downright infuriating.
Arthur • April 5, 2016 2:58 PM
In the WhatsApp white paper : https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf the last sentence is :
"The Signal protocol library used by WhatsApp is Open Source, available here: https://github.com/whispersystems/libsignal-protocol-java "
This means they use whispersystems' Signal algo : https://whispersystems.org/blog/advanced-ratcheting/
C library is here : https://github.com/WhisperSystems/libsignal-protocol-c
used in Signal app : https://www.whispersystems.org/
WhatsApp has dragged feet during years to integrate TextSecure (Signal encryption protocol).
2014 article :
https://www.theguardian.com/technology/2014/nov/19/whatsapp-messaging-encryption-android-ios
But now it seems they did it. Good news.
But unlike Signal ( https://github.com/WhisperSystems ), WhatsApp or Threema does not publish their source code.
Is there a backdoor ?
We don't know.
Facebook bought WhatsApp in 2014 : https://blog.whatsapp.com/499/Facebook?
Clive Robinson • April 5, 2016 3:56 PM
For those moaning about Wired's Ad-block nonsense, there is someyhing else you can add,
If some one as poor at the niceties of the written word as I am can not just spot it but be annoyed at it, then it must be bad for an article to have come from a traditional press background.
It maybe they have sacked the Sub's etc, in which case I would not subscribe to them. As not only are you not getting your monies-worth, the chances are they are not going to be in existance much longer. As it appears that the directors etc at the parent wield the financial axe, in the poitless pursuit of ever more profit from the printed media.
For those that do not get it the profit in the printed word is very much in the decline. New or increased profit from the printed word is only likely to happen from "captured audiences" that "are required to buy" for various reasons. General Magazines and Newspapers are waking up to this as their demographic audience heads towards retirment if not it's century and online media has hurt their business model. Similar things have happened in the general fiction etc where traditional outlets such as bookshops are getting undercut by supermarket checkout displays, not just the likes of Amazon...
Any way Wired appears to be having lot's of troubles one way or the other, so maybe their anti ad-blocking, will go the way of the dinosaur along with them fairly soon.
Arthur • April 5, 2016 4:23 PM
A funny comment on RT :
> They finally finished the backdoor!!!
> What do they think we are? Re-tards?
https://www.rt.com/usa/338561-whatsapp-encryption-billion-users
Wickr talk also about "security dna"
https://wickr.com/
Without publishing source code.
Obscurity not security.
Clive Robinson • April 5, 2016 4:40 PM
One thing that is not quite right in the Wired story is about people using Open Source Software to develop their own authority avoiding crypto.
Whilst in theory you can develop your own code, it will only work on Open Platforms... For those to young to remember or possibly even know, the early mega expensive days of computing were all "tied systems" which we know call "walled gardens". It was the entry in the mid to late 1970's of 8bit single chip CPUs like the 6502, 6800, 8080 and Z80 that enabled "Personal Computing" to start. Apple with the Apple ][ set a trend for Open Hardware with it's I/O Peripheral Bus by publishing the specification (which got Microsft going with their Z80 CPM card).
Whilst the OS's were quite primative CP/M set a standard cross platform software interface. This ended up as an almost direct copy for 16bit Ia86 processors and formed what became MS-Dos from Microsoft. Since then little by little the commercial OS's even though looking open have been moving back towards the closed model.
This is one of the battles going on you don't tend to hear as much about when we talk of Privacy, in fact some people have tried selling "walled gardens" as a positive for privacy... Through the likes of TPM controled by not the system owner but Software companies and Digital Media companies.
I can see a time when "Open Platforms" are effectively dead for the majority of people. We can already see this with Smart Phones and Pads and quite a few named brand computers and their motherboards.
So having "walled gardens" might have be great up till now for the OS owners... As they are now finding they arein fact bad news for those who want some kind of Privacy, but also the OS owners when the FEDs and their shabby ilk come calling demanding considerably more than the law alows via their NSLs FISA court warrants etc etc.
There is a saying that "Security is hard" well trust me it's a "walk in the park" compared to where Privacy is rather rapidly heading.
It's clear from the Wired Article that even "technical journalists" working in a technology press just don't get it yet... The question is do the actual technical people designing systems "get it" well to be honest I realy don't think they do either... Which has left a large window of opportunity for the various IC and LEA organisations to put preasure onto the elected legislators and career civil servants working in the formation of legislation. Thus whilst the future is actually looking bright for the IC and LEAs the future for the rest of us is rather rapidly "going dark".
Arthur • April 5, 2016 5:20 PM
"The programmer (Marlinspike from Open Whisper Systems ) said he plans to help other apps add his encryption in the future, though he declined to state who he may or may not be working with."
Dirk Praet • April 5, 2016 5:56 PM
@ Jesse Thompson
To me, this sounds like a fine time to add an onion-message-router plugin to whatsapp.
I like the idea. There are some Tor-enabled Jabber/XMPP servers out there like DukGo (wlcpmruglhxp6quz.onion), Securejabber.me (giyvshdnojeivkom.onion), CCC (okj7xc6j2szr2y75.onion) and Calyx Institute (ijeeynrc6x2uy5ob.onion). However much younger folks may be into iMessage, SnapChat, WhatsApp and the like, I'm sticking to old-school Tor + XMPP + OTR + server based in country with strong privacy legislation. And for which there are clients on any major platform (Pidgin, Adium, ChatSecure). Ricochet is an IM over Tor that claims to be metadata-resistant.
As to WhatsApp, I'm not touching any product or service delivered by a known PRISM partner for anything even remotely sensitive, whatever the vendor is claiming about its privacy or security.
@ jfgunter
Some of the acronyms used rather frequently over here:
IC = Intelligence Community
LEA = Law Enforcement Agency
LEO = Law Enforcement Officer
TLA = Three Letter Agency
POTUS = President of the USA
SCOTUS = Supreme Court of the USA
$DEITY = Placeholder for God, Allah, Jehovah etc.
@Clive = Inexhaustible source of knowledge and wisdom
@Rolf Weber = Lone but belligerent German voice in the wilderness
Parker • April 5, 2016 6:08 PM
So strange....6 months ago, any negative comments about OW systems or WA were promptly deleted. Now, I see many. Is it because of FB? Central servers? Metadata? Maybe it's because of the Apple vs FBI thing. I also notice comments from OW system people.
Clive Robinson • April 5, 2016 6:19 PM
There are many technical layers to Privacy in Communications.
Some are thousands of years old some from as late as the end of the twentieth century.
One that is as old as the earliest of codes and just gets harder with time is what we now call Key Managment (KeyMan) it is still an unsolved problem and may never be properly solved. Whilst much has been done as others have noted above there is the remaining issue of "First Contact" where the initial secret is exchanged. If an attacker can get in on this channel then it's effectively game over.
However a problem from more recent times that arguably is the result of the "mobile generation" is "finding end points".
Back in the days of the Plain Old Telephone System (POTS) and Radio Broadcasts, communications were either full duplex Circuit Switched through network nodes (POTS exchanges / Central Officed) or effectivly nodless with wide area half duplex broadcast to any radio that was tuned in to the transmiters frequency. Thus end point location was either fixed and known (networked) or not known and did not need to be fixed, just in range (broadcast).
The advent of the internet did not actually change the end point issue, just the way traffic was carried. That is it went from circuit switching of known fixed end points to packet switching of known fixed end points, with a fiddle in the "physical layer" to alow limited broadcasting to solve the "discovery issue", and that's pretty much the way it's stayed in the IPv4 and 6 world.
The advent of the later "Mobile Phone" networks brought with it a major change that is still being sorted out today, which is how to manage fully mobile end points that can attach to any of the fixed network leaf nodes and in fact move from leaf node to leaf node.
The world of Internet of Things (IoT) is going to make this mobile end point problem even harder, as it will not just be the end points hanging off of fixed leaf nodes, but end points hanging of mobile node points in an unfixed thus ever changing network topologies.
All mobile end point systems suffer from the various "discovery problems" from the simple issue of how the endpoints find out where they are to the complex and possibly unsolvable issue of end points discovering where other end points are reliably and sufficiently quickly.
The currently favourd way for end points to discover each other is for an end point to discover where it is and report that back to a fixed central database which can be queried by other end points. Whilst it works to a certain extent it is quite fragile and is a security nightmare even on --supposadly-- trusted networks. It also generates a huge amount of administration traffic, which can quickly grow beyond channel capacity required for data traffic.
Mobile Phone networks have a "half way house cludge" to partialy solve the problems by having regionaly distributed databases. In essence when you turn your mobile on it then "registers" with the network at that leaf node and this gets passed up from database to database up the intervening nodes to the central database. When you move however your position information is only changed in the leaf node databases not the central database, the further you move the further up the regional hierarchy your movment data is reported. Thus when another end point wishes to communicate, just like the DNS system it works it's way up the hierarchy looking for the location and if it gets to the central or root database it then works it's way down untill the location information is resolved. Unless of course the end point has moved or become out of range etc, in which case local regional tree spanning may resolve the new location. However due to traffic issues the tree spanning only happens for first class traffic (calls) and will fail if the end point has moved to far.
The admin traffic and spanning issues get worse the smaller the coverage area of any leaf node and become impractical below a certain area size and rate of node change metric. These problems become exponentialy worse as the routing nodes become mobile...
From a surveillance point of view be it for advertising revenue or bulk interception the discovery mechanism is the most vital part of obtaining meta data. Thus they do not want any end point movment or end point to end point communication to go unnoticed, which means that either the level of admin traffic to the central root database has to rise or they have to monitor at smaller regional points and carry the traffic themselves to their tracking databases. Either way "collect it all" becomes an avalanch of data descending onto their heads.
But the fundemental issue of networks becoming "discovery limited" still arises at some point even for fixed networks. How discovery will work with partialy or fully unfixed routing nodes is one of those "open questions" that wake some of those who's job it is to solve the problem in a cold sweat. And that's before you start considering the trust and resulting security issues...
The thing is that currently WhatsApp and similar services are using a fixed network central or large regional database model that will neither scale or cope with an unfixed network. They will if meta-data collection is their game, not want to change that model unless they can also change the revenue model... But whatever they do the system will still become both fragile and unwelcome to carriers that have to carry the admin traffic, and increasingly prey to attackers of various forms.
tyr • April 5, 2016 7:36 PM
That fixed central network is just exactly what they want
to promote for collect it all strategies. If you're going
p2p with your own encryption then the collection of everyone
becomes a nightmare for the limited human assets in the
IC. Contary to popular opinions comp systems are not magic
and they do not always work reliably when flooded with a
task that is highly difficult like "collect everything".
If FB is involved you better keep your hand over your rear
portal, their track record is less than stellar when your
privacy is at stake.
@Dirk that's the best characterization of @Clive around.
Personally I don't think that global scaling with a network
designed to communicate with the surviving nodes after a
nuclear weapons exchange is the optimum communications
design. But then I also dislike the idea of wandering in
a fog with my minicomp phoney pressed to my face.
@Clive
There's an interesting thread on Charlie Stross about some
of the older developer workings, SCO, IBM etc from some
folk who were involved (mixed with the usual SF chaff).
@all
Good to know that WhatsApp have finally took a step forward to publishing a security whitepaper regarding their end-to-end crypto being a variant of the Signal crypto.
Good time to compare between WhatsApp crypto and it's parent version - Signal crypto and see where are the differences between Signal and it's variant - WhatsApp crypto.
Dan • April 5, 2016 10:02 PM
@Curious,
Google "The Underhanded C contest". Visit their official website. It can be very hard too prove that a program works as described even if someone has access to the source code. It is almost impossible to defend against malicious intent from the designer of a protocol or program, if they try hard enough.
Obvious Enough • April 5, 2016 11:30 PM
@tj
No servers involved, PGP like key management with proprietary ...blablabla
Please (really) explain to me how any kind of encrypted communications are done over the internet with no servers involved? This actually does matter in a significant way as most ISPs that people use technically forbid the operation of servers at their access point. I think the situation is actually a dark conspiracy, but maybe I've fundamentally misunderstood the internet (i doubt it, but please do help out if you can)
Not Obvious Enough • April 5, 2016 11:50 PM
@Obvious Enough
You encrypt it locally, on your machine... then you copy that into a message to someone, send it... then they receive it, and decrypt it locally, on their machine. Note that whether the sending happens through a server or via some kind of P2P network doesn't matter too much, you're still doing the encryption and decryption without a server involved to "help" you do it (or "help themselves" if they choose to break it).
Or did you want a more detailed description of how to use PGP?
Not Obvious Enough • April 6, 2016 12:06 AM
@Obvious Enough
With regards to the conspiracy of ISPs not allowing servers... All the ones I've used so far since 1995 don't technically block servers, just reserve the right to terminate your service if you use too much bandwidth and they find it's because you're running a server. This means, as long as it's for personal use only, and you are careful not to attract much public traffic or anything (i.e. don't attract their attention by costing them any money), then they generally don't bother you if you run one. Of course I've heard of some that do technically block, so your mileage may vary on this from one ISP to the next...
Nick • April 6, 2016 1:22 AM
Of course this is good news.
But if you really want to be secure, you shouldn't run your applications under any proprietary operating system like Microsoft's Windows or Apple's OS X; they can capture everything you type and send it anywhere. Windows probably has NSA backdoors to enable exactly that.
You also shouldn't run confidential applications on any device that contains an enabled cellphone modem, because they all (as far as I know - correct me if I'm wrong) contain proprietary firmware that can install snooping hooks.
Boris • April 6, 2016 2:48 AM
If you purchase an Apple iDevice in Saudi Arabia, it's delivered without iMessage or Facetime installed. On the other hand, WhatsApp is heavily promoted by the local state-owned mobile operators as a quota-free service.
One reason could be that WhatsApp traffic (without the new E2E encryption) can be read by the Saudi security services while iMessage & Facetime can't.
Now that WhatsApp has 'gone dark' it will be interesting to see how they respond. Will they ban WhatsApp too?
Rolf Weber • April 6, 2016 3:06 AM
@Dirk Praet
Thanks for the nice introduction of me.
As to WhatsApp, I'm not touching any product or service delivered by a known PRISM partner for anything even remotely sensitive, whatever the vendor is claiming about its privacy or security.
I agree in big parts. Not about the "PRISM partner". Facebook isn't and never was a "PRISM partner". PRISM is and always was an all-internal NSA program.
But I agree there is no reason to "trust" WhatsApp. First, because the software is closed-source, a "backdoor" could be present or could be implemented anytime, with little chances that someone will notice. And second because the key-change alert is not set by default, it's an opt-in. And I bet virtually nobody will enable it. As well as virtually nobody will use the key verification feature.
This means that WhatsApp is still capable of reading messages with a MITM. And unlike as in the Apple case, WhatsApp is for sure the only one who can perform it, so the All Writs Act almost certainly applies.
Mark • April 6, 2016 4:17 AM
@Rolf Weber
https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29. Facebook is -- well, was at least -- involved with the PRISM programme. However, I suspect that you're not happy with the word "partner"; you believe that the NSA acted alone in their mass surveillance, something we know simply is not true. Believing that corporate America were not / are not complicit in handing over data is pre-Snowden thinking.
In any case, I wouldn't trust anything from Facebook as far as security/privacy goes. I use Signal.
Rolf Weber • April 6, 2016 4:43 AM
@Mark
You should actually read your Wikipedia link:
On June 8, 2013, the Director of National Intelligence issued a fact sheet stating that PRISM "is not an undisclosed collection or data mining program," but rather "an internal government computer system" used to facilitate the collection of foreign intelligence information "under court supervision, as authorized by Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a).
When companies are compelled to reply to legal orders, the word "complicit" is simply not correct. But this was by far not the only incorrect claim that Snowden and his fanboys made.
Steveo • April 6, 2016 5:10 AM
@Meneth Attacked? If you are the NSA/FBI you just request that WhatsApp MITM a user for you.
Steveo • April 6, 2016 5:11 AM
If we can't trust a half open source platform like Android, how can we possibly trust a closed source WhatsApp or iOS?
Not Sure • April 6, 2016 5:21 AM
@Rolf Weber
And second because the key-change alert is not set by default, it's an opt-in. And I bet virtually nobody will enable it. As well as virtually nobody will use the key verification feature.
It's a promising start that they've enabled encryption by default.
I'm not sure why they've not enabled the key-change alert functionality by default but my guess would be that they're going to wait until a critical mass have E2E encryption enabled (i.e. the most current app) before they switch it on.
I agree that the key verification feature won't be used by the majority but I wouldn't go so far as saying that "virtually nobody will enable it". I think as the public become more aware of the security risks of instant messengers they will be more likely to verify their keys.
Somebody earlier mentioned Threema and they have an interesting 'solution' to this. I'd like to see something similar implemented in WhatsApp. They have three 'levels' with one red dot, two orange dots or three green dots.
Having a really clear traffic light system would push/prompt people to verify their contacts keys.
Level 1 (red): the ID and public key have been obtained from the server because you received a message from this contact for the first time or added the ID manually. No matching contact was found in your address book (by phone number or email), and therefore you cannot be sure that the person is who they claim to be in their messages.
Level 2 (orange): the ID has been matched with a contact in your address book (by phone number or email). Since the server verifies phone numbers and email addresses, you can be reasonably sure that the person is who they claim to be.
Level 3 (green): you have personally verified the ID and public key of the person by scanning their 2D code. Assuming their device has not been hijacked, you can be very sure that messages from this contact were really written by the person that they indicate.
The verification levels don't change anything in the encryption strength (it is alwaysthe same high-grade ECC based encryption), but they are a measure of thetrust that the public keys saved for your contacts really belong to them. Having the wrong public keys leaves you open to man-in-the-middle (MITM) attacks, therefore it isimportant to verify the keys.
[https://threema.ch/en/faq/levels_expl]
Mark • April 6, 2016 5:36 AM
@Rolf Weber,
Perhaps you should read it.
"According to The Guardian, NSA had access to chats and emails on Hotmail.com, Skype, because Microsoft had "developed a surveillance capability to deal" with the interception of chats, and "for Prism collection against Microsoft email services will be unaffected because Prism collects this data prior to encryption".
http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
Complicit is the correct word. The collaboration between US companies and their intelligence services is well known.
Dirk Praet • April 6, 2016 5:55 AM
@ Rolf Weber, @ Mark
... the Director of National Intelligence issued a fact sheet stating that ...
James Clapper lied to Congress and got away with it. He's about as trustworthy on matters of US national security as Iceland's PM is on matters of financial transparency. But I don't want to go in this argumentum ad infinitum again.
@ Mark
Just leave it there. Arguing with @Rolf over PRISM or similar matters is like talking to a brick wall.
Charles • April 6, 2016 6:10 AM
@ Arthur, "Is there a backdoor ?
We don't know."
In my own little world, I think this is a step forward in communications, if what they claim is true. As for the backdoor, an obvious solution would be to exploit the way WhatsApp enables multiple device sharing from a single user. For instance, to assist in law enforcement, they would simply add an invisible backport to an account in parallel to its other devices, one which the user cannot see nor explicitly remove. On a mass scale, this backport would have to work off the servers not the user device. This is kind of interesting to read.
Clive Robinson • April 6, 2016 6:28 AM
@ Nick,
But if you really want to be secure, you shouldn't run your applications under any proprietary operating system
Whilst in theory your own proprietary OS is more secure because you are denying your attacker information, the chances are you can not avoid an attacker getting the code if you connect it up to an accessable network. At which point the advantage vanishes. Whilst I would agree that the latest version of Windows is malware, it probably does not have NSA backdoors, because they get the source code and will find sufficient bugs for their purpose anyway. What I would say --and have-- is that Win10 is Jim Comey's "front door" due to the way Micro$haft get it to "dial home" almost continuously and presumably store on their servers for various reasons such as selling it to the advertising business. But for many a commercial OS and Application is all they can do, which is why they need to consider how you issolate the system via the old "air gap" or more modern "energy gap".
You also shouldn't run confidential applications on any device that contains an enabled cellphone modem
There are cellphone modems and then there are embbeded cellphone modems, then there are CPU sharing cellphone modems.
Originally all celephone modems were entirely seperate and used some kind of serial communications (RS232/USB) and talked a variation of the old Hayes AT command set. These you could simply "unplug" however manufacturing price reduction put the modems first on the PCB then removed the serial interface, then shared the devices CPU to control the modem, just as it had with the old POTS modems.
At each step along that integration path the user had less and less control. However in Smart Phones the radio interface is "shared" and thus tight integration was there from day one as the phone came first and the smarts were added later. There are standards that require phones --but not modems-- to have certain "safety features-- inherited from the old POTS system which enable variois features to be remotely enabled. But in addition in a phone the SIM in the radio interface has primacy over the overall phone, thus the Over The Air update system can be missused when the CPU is shared or as is quite often the case the network provider wants in on the smart functionality for revenue protection reasons.
Thus there are no "hard and fast" rules to give, they are all conditional on the design of the device at hand and the applicable standards...
A war story :- many years ago I was involved with the design of phones for various well know companies. One of my colleagues had taken one of the latest designs I had designed parts of the hardware and all of the software off for approvals testing with the customer who was a major telco. When he came back almost the first thing he said to me was "Did you check it against the PABX standard XXX?" to which I replied "No I didn't know it had to be!!!". A conversation then followed where my colleague said it was a suprise to him as well, but he explained what the customers engineers had said why it should apply then and my colleague sensing my distress finally said "Don't worry about it, it passed anyway".... Leason learned for the next time.
Clive Robinson • April 6, 2016 7:14 AM
@ Charles, Arthur,
In my own little world, I think this is a step forward in communications, if what they claim is true.
It's the conditonal that is the sting in the tail ;-)
I tend to look at it as "They have made it easier to be off the radar", that is if they have told the truth, they have given the NSA et al a whole heap of hard work anf "forever storage" issues. If they have lied or the NSA et al or Micro$haft etc have got an end point exploit running on your device your traffic is insecure. Thus it is safer to assume the change makes no difference to your actuall comms security.
Which means take your crypto "off device" by moving it beyond any end point vulnerabilities in your device or it's software. Oh and where you can Codes which look like plaintext are preferable to ciphers that look like random noise or five letter groupings, provided of course that the Code security is sufficient.
Leif Auke • April 6, 2016 7:28 AM
I have a question:
Is it so that whatsapp also hide/make it impossible to get metadata (who message who) or is it only the content of communications that is end to end encrypted ?
Leif H.
keiner • April 6, 2016 7:44 AM
"@ Mark
Just leave it there. Arguing with @Rolf over PRISM or similar matters is like talking to a brick wall."
This guy get's paid for writing such counterfactual nonsense. My opinion on that....
Didn't you guys say this was ECDH yesterday?
And didn't the NSA publish a recommendation skipping over the ECHD tock in favor of PQC/ElGamel/Lattice ?
--ElGamel;
It sounds similar to what little I know about EC so I'm guessing that was a misstatement on my part.
I'm disheartened by all the complaining on here, though I'm not surprised. For years the security community has been banging the table saying that the large communication platforms ought to have end-to-end encryption, whether it was email, voice, SMS, or instant messaging. For years all the major companies that could do this have refused. Finally one of the largest communication platforms in world history takes a protocol for E2E encryption designed by someone widely respected and highly competent, and enables it by default on countless devices. The responses here?
"Meh, not open source"
"Probably backdoored"
"All corporations are evil anyway"
"The NSA could still eavesdrop using [some kind of complicated scenario here]"
etc.
Now, I would love for it to be open source so I can review every line if I want to and compile it myself. But let's be realistic: these companies are not going to open-source their systems. The only way encryption will be adopted on any meaningful scale is to bring it to the apps people already use, not force everyone to change to a different messaging platform. People actually use WhatsApp. If their conversations are now encrypted, that's a good thing and should be encouraged.
We're letting perfect be the enemy of good again. And yes, I know not everyone is being all negative about this.
tj williams • April 6, 2016 9:14 AM
@Obvious Enough
I guess Not Obvious Enough answered your questions.
@z I tend to agree with you and let me add that although I agree that open source is a must when analysing SW, I am very skeptical about the ability of a lot of people (including me) when it comes down to finding backdoors and vulnerabilities in SW. Recent (and recurring) examples in the Linux kernel and SSL implementations have demonstrated that a flaw can go unnoticed for years before being fixed.
Jack • April 6, 2016 9:20 AM
Hi,
Given that Open Whisper Systems makes Signal Private Messenger that uses naturally the Signal Protocol and now WhatsApp is incorporating Signal Protocol into it, is there any good reason to use Signal Messenger?
From my observation the only benefit with using Signal Messenger is that it is open source (client and protocol) and has been audited. But you are living in a much smaller world where non-Signal Messenger users are reluctant even to install another messenger app.
WhatsApp is built on 'Trust-me' model.
JAck
Fanboi • April 6, 2016 9:32 AM
Hey everyone, stop arguing with @Rolf Weber... He's a pure NSA fanboi and hates Snowden. Nothing you say will ever change that! No amount of evidence will change his mind, it's made up.
However, feel free to correct inaccuracies for the rest of our benefit, just don't bother to argue directly... :)
IVBela • April 6, 2016 9:54 AM
Let me ask again: are the previous privacy concerns about WhatsApp already forgotten? It wasn't even a year ago, and now everyone is talking about end-to-end encryption, and how WhatsApp are the good guys. I still have my concerns, I cannot trust this app due to their past. Someone please convince me I can get over with that, and they really became the good guys.
Sam • April 6, 2016 10:05 AM
@z
I agree that even little steps in the right direction is good news. It just is frustrating though that everything is SO broken that no amount of fixing seems like it will truly fix anything... We got a chain where every single link is weak as butter, and we have to celebrate because one of them got a bit harder? Sigh.
Jason • April 6, 2016 10:39 AM
This has been a long time coming, and it's something we desperately need in all our communications. Now they can't just "read the mail" as it passes by, they need to do targeted surveillance. A big privacy win for everyone.
While a "Man in the Middle" attack may be possible, I don't see it as one of the best options. The major security vulnerabilities are in the endpoints, the phones themselves. A forced, silent update installing a backdoor would be a preferred method, probably more applicable to the Android world than the iPhone. Assuming they haven't stolen Apple's signing keys, a goal of just about any intelligence agency in the world. An update that could be delivered over the network, or through a Stingray like device placed where the target frequently travels.
Another good option is to insert a small vulnerability into as many apps as possible, not necessarily a back door, but a hook that will not trigger a warning in the verification process prior to putting it in the app store. They may even have to chain vulnerabilities in three or four apps to get the ability to control the phone and install the back door. Most people install and try so many apps that chances are very good that pretty much every phone can be attacked this way.
Slime Mold with Mustard • April 6, 2016 11:30 AM
@ Clive
Are you using a spellchecker? . I thought you considered them malware :)
Since you like to point out that original exchange of key material is a persistent weakness, I feel obliged to recall that Soviet Military Intelligence used an Almanac of German Industrial Statistics in a manner somewhat similar to a One Time Pad to communicate with the Sorge spy ring in Tokyo. Such lists, when modified by, for example, dropping the first two digits, provide sufficiently random data as to resist cryptanalysis. I learned this by reconstructing shredded documents.
Unfortunately for Sorge, when the Kempeitai raided his home, among his hundreds of books, the statistical volumes at his desk were all in pristine condition, save one that was stained, dog eared, and had pages falling out.
I suppose a modern equivalent would have corresponding parties accessing public statistics over TOR, with rules for modification, and exigencies for having the page changed or yanked. And the machine histories wiped with both BleachBit and CCleaner after use.
Charles • April 6, 2016 1:24 PM
@ Clive, Arthur
" If they have lied or the NSA et al or Micro$haft etc have got an end point exploit running on your device your traffic is insecure. "
I wasn't saying they lied. It's just that they may not have disclosed all the new lawful compliance features given the ubiqiutous, convenient requirements of instant messaging. The "mirroring" functionality between the phone and the desktop application is quite interesting. If desktop app in fact gets all of its contents from the phone directly, in which case the phone app may be giving up "alive and well" messsages back to its servers or simply running as a background service while the desktop app is connected. Too many spaghettie stuff going on here and there, and somewhere someone may have made a mistake which is inevitable of most claims of technology. That said, I don't plan on stop using it based on the information given here.
Still Pretty Obvious • April 6, 2016 1:29 PM
@tj
Sorry, but their answer sounds exactly like the prepared defense I would expect from the dark conspiracy. I believe the sincerity of that logic about as much as I believe the sincerity of Schneier when he suggests that fooling judges was ever anyones intent with so called 'warrant cannaries'. Please give me a better answer. I'm in the camp that believes a dark conspiracy took place to 'recentralized' video chat with skype after microsoft bought them, and as I've read in several places, for apparently technically needless reasons (outside of PRISM perhaps) they stopped doing node to node (cough server/client cough) communication and started routing through centralized microsoft servers. Certain technological evolutions of recent history make little sense to me outside the dark server-persecution hypothesis. And yet make so much sense given that hypothesis. Please take the skeptical (word, not username) position and give me a more convincing answer if you would be so kind. (I'm being sincere, but am also exhausted of what feels like a run a round and predictable bullshit spin from government and corporate types)
Note also that I do appear to have an official answer from Google's lawyer Darrah Franklin on this issue, and comparing the technical competence of it with the aforementioned predictable spin answers seems to add to my suspicions, not detract from them.
Still Skeptical Enough • April 6, 2016 1:38 PM
@tj
For clarification, if you are so generous (not sarcasm) as to consider and answer my question, the level of skepticism I'd request is this- Honestly consider money motives for establishment server operators, and secrecy motives given the Snowden story and how it has played out. NotObviousEnough's answer did not appear to have including any consideration at that level of skepticism.
Clive Robinson • April 6, 2016 2:52 PM
@ Jason,
The major security vulnerabilities are in the endpoints, the phones themselves.
Yes but the work factor and risk for the likes of the NSA et al goes up considerably by attacking end points.
Also those with real privacy needs should now know that the likes of electronic communications end points can not be realisticaly be made secure.
That is there are "end run" attacks whereby shims in the device I/O will get around any security an App may offer, further the walled gardens most comms devices have become stops user generated apps being installed, so apps can not be trusted either.
The solution is to extend the security beyond the comms end point to another device / system with the user being inside the security chain between the comms end point and the security end point device / system.
Which by the way I've been saying for nearly two decades with autheticating financial transactions, which most consider significantly private activities.
Still Confused • April 6, 2016 2:55 PM
Please at least use the same name for the length of one conversation or topic... otherwise it's hard to converse.
Not Obvious Enough • April 6, 2016 3:20 PM
@Still Pretty Obvious (maybe @Still Skeptical Enough and @Obvious Enough too? hard to say...):
First, you don't have to "believe" anything I say. Nobody does. One's belief has no bearing on truthfulness or falsehood. I did try to state my own experience more than explain the way everything is though, because surely I don't understand everything, but I do have my experience.
I actually agree with you on the conspiracy of Skype and Microsoft. There's no money in them changing it that I can think of, so I must look elsewhere for an explanation. Hence the conspiracy looks more plausible to me there.
But I don't personally automatically assume conspiracy in everything, when there's a good money-based explanation. Especially when my own experience with freely being able to run servers at home for the past 20+ years (even though every DSL and Cable ISP I've used has always "banned" servers) so far supports the money-based explanation, rather than the conspiracy one. This doesn't mean there's no conspiracy ANYWHERE... it just means I personally consider it less likely I've run into it yet.
But maybe you have? Maybe your experience is different than mine? Do share more details! What server were you running? How much traffic? How did the ISP figure it out and cut it off? Were they so angry that they cut you off as a customer? (i.e. did they "not want" your money any more?) or did they just enact some sort of firewall blocking incoming connections to your server and try to keep your money flowing otherwise?
Clive Robinson • April 6, 2016 3:38 PM
@ Charles,
I wasn't saying they lied. It's just that they may not have disclosed all the new lawful compliance features given the ubiqiutous, convenient requirements of instant messaging.
No you didn't but it's a reasonable assumption to make along with the end run attacks, when you are assessing your own security. It's part of the "Trust nobody or no thing untill you have good reason to" OpSec mentality.
Not Obvious Enough • April 6, 2016 3:54 PM
@Obvious Enough
My experience has been with Comcast, Charter, and Adelphia, and several other cable and phone companies... I've always run an "SSH Server" for remote shell access into my home network when traveling... I've often (but not always) run "Web Servers" (Apache, Nginx, etc) as well, but I made sure there were robots.txt files in place to tell search engines not to send the public to websites on my home servers. Sometimes I've run chat servers and various other things.
So far none of these companies (I've lived in the western USA, multiple states) have blocked any of my servers, nor complained about them in the slightest. None of them have been blocking any incoming ports. None of them have been "NAT"-ing my connection, which also would block incoming connections...
But every single one of these companies have banned servers in their contracts. They ban them, yet when I try to run one... they're not stopping me from running one... why? The only logical explanation I can think of is that they're banning it for the money, not the conspiracy. If it were the conspiracy, they should be enacting some sort of technical means to prevent me from running servers, not just putting it on paper only.
Again, this is my experience. This is not the whole world's experience. It can very easily be quite different in other parts of the world...
John @ StealthChat • April 6, 2016 7:06 PM
All:
There still appears to be some major vulnerabilities in the WhatsApp E2E implementation:
1. WhatsApp uploads all phone book contacts to the server in order to do "friend matching". This metadata is not protected from government access nor from Facebook access.
2. There is no discussion of encrypting the WhatsApp data on the end device disk. My presumption therefore is that it is not encrypted.
3. WhatsApp iOS build has always used APNs. Does it still use APNs? If so the message content may still be partially pushed in plain text via APNs. At the least Apple will have records for which device is messaging which device.
Comments?
Charles • April 6, 2016 8:55 PM
@ John @ StealthChat,
"3. WhatsApp iOS build has always used APNs. Does it still use APNs? If so the message content may still be partially pushed in plain text via APNs. At the least Apple will have records for which device is messaging which device."
In one of his blog posts, if I understand correctly, OWS is setting up their own push servers, but in order to work at the device level APNS/GN is still used sparingly. But in the end, and somewhere in the middle, if I read correctly, push is a "dirty" way to handle messaging, because "instant messsangers" had become more than just that. On top of lawful interception, not counting mass surveillance, it has to deliver stickies audio video photos urls (which it parse) payments and other people's money, so the most efficient is a direct link to the "discovery" server which has hooks and properly track all these other goodies.
@ Clive Robinson,
"The world of Internet of Things (IoT) is going to make this mobile end point problem even harder, as it will not just be the end points hanging off of fixed leaf nodes, but end points hanging of mobile node points in an unfixed thus ever changing network topologies."
The physical layer is something we cannot avoid as it travels into laws of common ground. I think as a way to circumvent these frustrations "overlay" services like WhatsApp came into play, and if it can be done and what they claim is true and tested then it seems applicable to IoTs as well.
Clive Robinson • April 7, 2016 3:13 AM
@ Slime Mould...,
I learned this by reconstructing shredded documents.
That alone sounds like a story worthy of a couple of drinks if not a dinner ;-)
As for a "spelkchexer" I only treat them as malware when they get up my nose by not having the words I need in them...
I've made the mistake of updating this andoid phone, which previously had an underlining spell checker and reasonable behaviour at the start of paragraphs... Now it has turned the underlining off (although the function is still there) and added a ludicrous behaviour at the start of paragraphs unless you put in a space first... I'm sure in both cases a change to a config file will resolve the issues, but for some reason the developers have not provided a "user interface" to them. I'm guessing that having now said this somebody will hunt out the answers and post a link or whatever, to show it's me not the Android developers that are at fault ;-)
With regards to the OTP, yes you can use almanacs in that way but you have to be very careful. As it's a "known method" in this day and age it's likely to be checked automaticaly by the likes of the NSA, GCHQ et al who would have digitized any almanacs they could get there hands on.
However lets assume that AES256-CTR is crypto secure and you have a memorable pass phrase to generate the AES key, you could have a usable CS-OTP printed out at either end if you could have a way to match the IV's. Thus you could select the IV from an almanac using an appropriate indicator group within the sent crypto message.
Such things have been known to work... However if it was me I would use two compleatly diferent crypto algorithms run in CTR mode with two different IVs and combine the outputs in some way to print the pad out. Which is similar to the old argument that using four or more books to make a pad with will sufficiently flatten the statistics.
As I've indicated before, there is an argument about the onewayness of determanistic algorithms that can be used to combine determanistic streams of data to form the equivalent of a One Time Pad.
It arises from another earlier argument back in the 1990s about CS-PRNGs running at high speed getting an occasional nudge from a TRNG. That is at what point would the output be indistinguishable from a TRNG running at the same full speed? Which is a very similar argument about entropy pools and multiple low quality TRNGs.
Thus arises a philosophical question as to just how much entropy is realy needed in a "master secret"...
Rolf Weber • April 7, 2016 10:05 AM
Dear fanboys, this is why end-to-end encryption will fail on the long run:
1. The security of end-to-end encryption stands or fails with the key management, which will always be a pain-in-the-ass for regular users. Even new ideas like CONIKS won't change that significantly. End-to-end means that the key is only on the end device, and the use of these end devices is simply much too dynamic for a convenient and easy-to-use solution for regular users.
2. As long as point 1. is true, the service provider is always capable of reading the messages with a simple man-in-the-middle attack. So when WhatsApp claims "even we cannot read your messages" than this is simply not the honest truth. "We could read your messages (and experienced users could notice that we are intercepting), but we promise that we won't do it" would be a much more accurate statement.
3. Most of today's popular mass communication services are proprietary and provided by single, private companies who have little interest in disclosing their source code, and this is very unlikely to change. So nobody knows for sure whether the company implemented a backdoor to its services, and even if there is currently none this could change anytime.
4. If the end-to-end encryption is reliably implemented, then it inherently means end-to-end, and nobody in between can read the communications. This however means on the other side that a centralized spam or virus scanning is impossible. This is currently not a big problem for messengers like WhatsApp, but this could change quickly. Look for example at HTTPS, which is another example for end-to-end encryption: Virus scanning is only possible with an SSL-intercepting proxy, and this is what currently more and more companies are introducing -- and voila, with it you again have a central point where everything could be read in plaintext.
5. Related to point 4., end-to-end means that nobody in the middle is able to read and that some business models which are based on personalized ads (like eg Google's) simply don't work anymore. For users this would also lead to a reduced user experience, when they receive random ads instead of personalized, or when they don't receive anymore automated reminders for booked flights and so on. Yes, at least I appreciate this kind of service Google offers, and I would never give it up for a "secure" end-to-end alternative. So maybe there will be a competition between "secure" and "convenient" services, but I'm pretty sure the big masses will opt for convenience.
6. End-to-end means that the key is only on the end device, which in turn means there is no easy, convenient and secure way to share data between end devices. This may not be a big problem for messengers like WhatsApp, but at least I highly appreciate that I can read my gmail emails, or that I can edit my Google docs, both from my smartphone and my laptop, and so on. Again, this will be a competition between "secure" and "convenient" services, and again I'm pretty sure the big masses will opt for convenience.
7. Lawmakers could simply pass laws demanding from service providers like WhatsApp that they must remain able to respond to lawful content requests (and they could easily implement this with source code changes and/or the above mentioned man-in-the-middle attack).
To summarize, I don't say end-to-end doesn't have its legitimate use cases. But they are rare, and then you have to live with serious drawbacks. The current call for "end-to-end everything" is a result of the Snowden hysteria, where nobody seems to think about the consequences. But this will change, and then more and more people will ask themselves if it is really adequate to speak about a "mass, indiscriminate surveillance" when the plain fact is that a ordinary WhatsApp or Facebook user has a chance of 0.02% of being targeted by the NSA.
tj williams • April 7, 2016 10:48 AM
@Obvious Enough
"Please (really) explain to me how any kind of encrypted communications are done over the internet with no servers involved?"
I have to say the answer provided by Not Obvious Enough looked clear enough to me. Let's try again and focus on the SMS encryption app I mentioned.
SMS is a 1G protocol, part of the initial GSM service. You send a text message to a telco operated server that is somewhere on the terrestrial infrastructure, connected or not connected to the Internet, then this server sends it whenever its load permits to your recipient(s), possibly using other servers.
As explained by NOE, if you encrypt a text message on your smartphone using a locally generated key wrapped by a crypto mechanism (ECIES in our case) and send it to a recipient through the telco server, what is the issue? The telco server does neither get your private key nor your message key (exchanged with ECIES). What's wrong with that? Servers are involved in the distribution process but not in the encryption/decryption process and the weakness of such mechanisms is clearly in the end point(s) that can be implanted by a LEA or an IS, for instance.
The one thing that is not protected is the signaling data and what goes with it, nowadays aka "metadata".
Mulder • April 7, 2016 11:32 AM
As an FBI agent, I now advise people to use Wechat or QQ messenger. They are Chinese and full of back doors, so every government can monitor you. This means the best thing is they will NEVER be encrypted.
Still Wearing Them Down After All These Years • April 7, 2016 2:30 PM
@tj, @NotObviousEnough
I agree NotObviousEnough's answers are looking useful to me. I'm actually going to take my time formulating a good reply to him/her/them, quite probably with an offer of some amount of money for a U.S. citizen attested interview that I could use in further beaurocratic dealings. If NOE wants to prod me along to pay them maybe 20 or 100 bucks for a 2 party consent recorded phone interview, my rot13 email address is qzpngpybhqfrffvbaqbgpbz. Mainly the existing verbiage probably helps me combat some concocted logic from the FCC if not from Google. Which works well enough for me.
"Please (really) explain to me how any kind of encrypted communications are done over the internet with no servers involved?"
I have to say the answer provided by Not Obvious Enough looked clear enough to me. Let's try again and focus on the SMS encryption app I mentioned.SMS is a 1G protocol, part of the initial GSM service. You send a text message to a telco operated server [snip]
See, the word server seemed to find its way into your answer to a question that was about how something happens without a server. My position on the issue has not been changed.
So Very Wrong • April 7, 2016 3:07 PM
@tj
The telco server does neither get your private key nor your message key (exchanged with ECIES). What's wrong with that?
Yes, I get the concept of 'end to end encryption'. I think I grokked it pretty well even before about 20 years ago when I read Schneier's Secrets And Lies... What is wrong with mainstream residential ISPs disallowing servers in their terms of service is that it prevents me from operating an unreal tournament server in my living room, that my friends around the nation and the globe can use to play fun games with me. That's what is wrong. Oh, but you say I could just with legal intent ignore the terms of service, and (so long as I engender no sufficiently powerful political enemies) I can take comfort in the knowledge of 'rare selective enforcement' of law and business contracts. I consider that situation very wrong, and very contradictory to various concocted logic about gatekeepers on the internet.
Dirk Praet • April 7, 2016 7:19 PM
@ Rolf Weber
Yes, at least I appreciate this kind of service Google offers, and I would never give it up for a "secure" end-to-end alternative.
While we can discuss to which extent both corporations and governments can successfully subvert the very technologies that are protecting us, the fundamental flaw in your reasoning is that all people are stupid and lazy, should voluntarily submit to authority, and - in today's context - are or should be willing to trade in their privacy and security for a bar of candy.
This kind of manifestos make you sound even more like a contemporary Diederich Hessling, the main character in Heinrich Mann's visionary masterpiece "Der Untertan" ("The Loyal Subject").
Rolf Weber • April 8, 2016 2:14 AM
@Dirk Praet
No, my key reasoning is "you cannot have the cake and it it". You cannot have both the security of properly implemented end-to-end encryption and the convenience of cloud-based services. So everybody has to make his *own* decision. And this is mainly a question of trust. How much do I trust companies that they don't do more with "my" data than they state in their ToC? And how much do I trust my government that they follow the rules of law? Here we differ. You will see it otherwise, but I say we mainly differ because you still believe in big parts of Snowden's fairy tales, while I say that the Snowden files actually prove that western governments do not deliberately and systematically break the law.
And my second reasoning should prove that I don't blindly trust what companies claim. Quite the opposite, I say companies like Apple and WhatsApp lie when they claim "we cannot unlock your phone" or "we cannot read your messages". "We could with some effort, but we promise you not to do" would be correct instead. (I don't deny that likely they could implement it in a way that they really could not break their own security any more, but then they had to pay with much more efforts and drawbacks)
Clive Robinson • April 8, 2016 3:07 AM
@ Rolf Weber,
You cannot have both the security of properly implemented end-to-end encryption and the convenience of cloud-based services.
If you think that faux assumption is valid your entire argument is likewise false.
Perhaps you had better try and explain why you think it should be axiomatic when clearly many others do not.
Rolf Weber • April 8, 2016 4:11 AM
@Clive Robinson
Then please explain me, for example:
- How to implement a centralized spam and virus scanning with secure end-to-end encryption?
- How can users securely switch to a new device without being manually involved in key management or a backup process?
- How can users securely use different end devices simultaneously without being manually involved in key management?
- How can users benefit from personalized ads instead of random with secure end-to-end encryption?
Dirk Praet • April 8, 2016 4:31 AM
@ Rolf Weber
You will see it otherwise, but I say we mainly differ because you still believe in big parts of Snowden's fairy tales ...
Nobody here needed Snowden to distrust any government, Rolf. Where we differ is your subservient disposition toward authority.
As to proper and user-friendly implementation of e2e encryption and key management, that's just a matter of time before we get it right. And if we should lose targeted ads, there's precious few people out there that are going to give a rat's *ss. Most even slightly security-aware folks use ad blockers anyway these days.
Rolf Weber • April 8, 2016 5:02 AM
@Dirk Praet
Some drawbacks of end-to-end are simply inherent. And if you dislike my example with personalized ads, than simply explain me how to implement centralized spam and virus scanning.
And BTW we are speaking about regular users, and add blockers are neither an option for the big masses. (That things like end-to-end is a good option for a small technical elite is nothing I deny)
Wael • April 8, 2016 5:37 AM
Oh, it's early Friday, nothing wrong with a little fun at za end of za week...
@Boris,
If you purchase an Apple iDevice in Saudi Arabia, it's delivered without iMessage or Facetime installed
Boris, habibi[1]: only If you are one of the lucky few. On some occasions, it's a bit "worse"...
Now that WhatsApp has 'gone dark' it will be interesting to see how they respond. Will they ban WhatsApp too?
*** Link contains "R" rated language" ***
They'll come up with a cover story and buy some time to install rogue apps before the phone gets delivered. Interdiction and subversion, in "ozer wordes"...
[1] This means: My love, Tovarish Boris.
Clive Robinson • April 8, 2016 5:46 AM
@ Rolf Webber,
Then please explain me, for example:
Those are irrelevant niceties, not insurmountable hurdles, and in absolutely no way make your faux assumption anything close to axiomatic. Thus your overall argument fails.
At best it's a sociological debating point but not a technical, legal or any other argument.
If you do not understand that then perhaps you need to join the Obama school of thought, which most hard scientists and mathmaticians know is just a delusional happy clappy view of someone who things the writ of man can bend the universe to it's logicaly inconsistant view point.
Rolf Weber • April 8, 2016 8:31 AM
@Clive Robinson
Those are irrelevant niceties, [...]At best it's a sociological debating point [...]
Of course it's a sociological argument when I say that while paranoid techies may go without these "irrelevant niceties", regular users will most certainly not.
Not Obvious Enough • April 8, 2016 9:56 AM
@Still Wearing Them Down After All These Years
I'm not sure why you need a phone interview... is this for some sort of legal proceeding? I'm just some guy that lives in the USA, who's been using the internet regularly since 1995, and had an email address since about 1989, not an expert per se.
@So Very Wrong
I am also frustrated at laws that are never intended to be enforced (most of the time, only selectively, when Law Enforcement doesn't like you), and terms of contracts that are never intended to be enforced (again, most of the time, only selectively, when The Company doesn't like you for some unrelated reason). That whole system of overstating things in laws and contracts is prone to abuse of the grossest kind. Even if such abuse is rare in some parts of the world today, it doesn't paint a bright future for mankind in my mind. So perhaps you meant the "conspiracy" is in the development of this whole system? If so, then I'd be more inclined to possibly agree, than only ISP's banning servers. However, I fear that this kind of conspiracy is too big for mere mortals to pull off, and therefore goes into the realm of the supernatural.
Still want that phone call? lol...
Not Obvious Enough • April 8, 2016 10:31 AM
Correction: overbroad laws that are never intended to be enforced (except selectively...) and overbroad terms of contracts... Being overbroad for nefarious future use is the real problem. Not that laws and contracts exist. But I see this as a general worldwide societal trend that everyone and everything tries to gain some kind of unfair advantage to themselves (which can be hoarded and abused later on) instead of playing "fair"... not just ISPs. You can see the same thing in large companies stockpiling huge arsenals of overbroad patents, for example, like they were all getting ready for some kind of Mutual Assured Destruction (MAD) of all companies someday.
Not Obvious Enough • April 8, 2016 2:31 PM
...so... in the case of ISPs... their contracts are worded in such a way that pretty much everyone violates the contracts all the time. There's hardly any way to use the service and not to, so many things are banned. And then on top of that, just to make sure, there's even wording thrown in that says they can terminate at any time without reason anyway.
So how do they, generally, use their absolute power over you stoking the fires ready to cast you into internet hell forever? Well, if you do anything they don't like, and they dislike it worse than they like your money (generally because it costs them more money than they earn from you)... then... poof... bye bye. You're outta here. This may not be the only reason, obviously, but it's a pretty popular one. So, if a certain percentage of the things I do on the internet technically qualify as a "server" at home (because something connected to an open port on my end), then if I download or upload too much, they terminate my contract. Even though their contract is for an unlimited data plan!!! Yep, right there is the nefarious thing. They guarantee me unlimited data, and a certain minimum bandwidth, but it's not really. It's a big lie. So it is a conspiracy, but I see it as (mostly) a money conspiracy, not a spying conspiracy. Of course, post Snowden, I would expect it to more and more become both, but they still haven't technically blocked any incoming connections, so...
Ricky • April 9, 2016 2:25 PM
WhatsApp might just have accidentally made itself illegal.
WhatsApp encryption uses a 256-bit key, which is only known to the sender and recipient, which is why the security is described as “end-to-end”. But the Indian rule requires companies to use no more than 40-bit encryption, unless they get explicit permission from the government.
Getting that permission will prove impossible because of the way that the system is set up. WhatsApp would have to hand the key over to the government for it to be checked — but since the company doesn’t actually have those keys, they can’t be handed over at all.
Whoa • April 10, 2016 12:31 AM
@Ricky
So I guess that means all banking, online commerce, and the whole internet is illegal in India too? Do people know how web sites are made? Programmers make them using encryption to log in remotely into a server. You ban all encryption, and you ban everything. It's a technological apocalypse. It's like the end of the world, turn off all computers, dress like cave men.
Wael • April 10, 2016 1:31 AM
Ideally 'End-to-End Encryption' means the surface of attack is shrunk to a transport / protocol / cryptography level. In terms of "Security", this means data-in-transit is protected (confidentiality, integrity, and possibly authenticity.) In other words, this means the communication channel is protected against MiTM attacks (active and passive.) It says nothing about: Data at rest, data in use, subversion, malware, key loggers, HW weaknesses, side channel attacks, social engineering, or other 'Men in the Middle' mechanisms[1]. If the cryptography has weaknesses either in implementation or design (intentional or accidental), then "End-to-End" will live as long as nobody is aware of such weaknesses.
To give an analogy: 'End-to-End Encryption' is to security what 'organic additive free tobacco' is to cigarettes. It's a healthier (less harmful, supposedly) cigarette because it contains no chemicals or additives. But it'll still kill ya!
[1] BMiT (OS, Browser, HW, FW, Air, Energy,...) ; where MiT is 'Boggie Man in the'. Looks like 'Men' get all the negative attributes. Why not use a WiTM for once? I mean hurricanes get alternate male and female names...
Clive Robinson • April 10, 2016 9:24 AM
@ Wael,
In other words, this means the communication channel is protected against MiTM attacks (active and passive.)
Yup that's about the short and the long of it and has been since before Claude Shannon did his "secret" take on comms channels.
With regards,
It says nothing about: Data at rest, data in use, subversion, malware, key loggers, HW weaknesses, side channel attacks, social engineering, or other 'Men in the Middle' mechanisms[1].
That's what "End Run Attacks" and "Energy / Air Gapping" deals with, and from my point of view is by far the harder task.
It's why I've suggested that the use of "paper and pencil" One Time Pads is actually something people should think seriously about.
The problems with True OTPs are KeyGen and KeyMan of the KeyMat.
Which is why CS-Pads might be an answer (ie a Crypto Secure algorithm used as the Stream Generator is printed onto paper).
The problem with CS-Pads is of course they are determanistic thus lack past and future secrecy in most cases. The question then becomes how do you get these desirable charecteristics back. One way to nearly do it is to consider something like AES-CTR which in effect has three secrets the AES Key the register seed/IV and the register update algorithm (for standard CTR this is assumed to be just a single step increment, though incrementing by a large relativly prime number works just fine).
Thus the question then moves to how to generate these three secrets and communicate them in a way which they cannot be recovered. The simplest solution is to use a True OTP and manually enter them into the KeyGen system. However the ideas behind Perfect Forward Secrecy could also be used but at what would be much higher risk (ie your points come back into play).
The ways and means of implementing such ideas securely is in effect multidisciplined, but I feel it's something that should be investigated as a way to obviate the impending legislation from Fraudstien in the US and Theresa "Noway" May in the UK.
I'm sure that @Thoth could give an indication of which Smart Cards could be used as HSMs to be used as secure KeyGen's in a dongle or some such.
Ricky • April 10, 2016 4:07 PM
@Whoa
There are special rules regarding banking in India.
I think the lawmakers know what they're talking about because they're saying that all unapproved encryption must be limited to 40-bits. The USA used to do the same/very similar. It's not sensible but it is their law.
Whoa • April 11, 2016 2:37 AM
@Ricky
If I use weak encryption to log into a remote server, that remote server will be hacked by criminals soon after! Guaranteed. No exceptions. All web sites are created by web site designers and programmers and administrators logging into remote servers and setting them up. Banning strong encryption is to ban the creation of all web sites, which is to ban the whole web.
So I think lawmakers who do such things do not know what they are talking about! I do. I help create web sites for a lot of different entities around the world. It's my job. My company will go out of business and I will lose my job if such a law is passed.
Also, if you share credit card information with an online store to make a purchase, and you use weak encryption, same thing happens. Your information is stolen by criminals. Guaranteed. Every time. No exceptions. So to ban strong encryption is to ban online purchasing. You'd need to say "sorry" to all those brick-and-mortar stores that have been closing for the past couple decades and reopen them all...
Same if you log into facebook, twitter, or anywhere else using weak encryption. Your credentials are stolen, and your account is hacked... Those kinds of companies must all be shut down too then.
I think there are some really stupid lawmakers in this world, I hope they don't shut down everything by accident, by passing stupid laws like banning strong encryption. It's like banning all technological advancement that's happened in the past couple decades or so. It's not merely a "privacy" issue.
Whoa • April 11, 2016 2:53 AM
By the way, the USA never banned strong encryption. They considered it 20 years ago, and realized it was a bad idea, and gave up on it. Some important people are trying to revive it again now. It's really worrisome, for all the reasons I mentioned above.
The USA did however ban the export of strong encryption for a while... until the code was printed in a paper book, and the book was taken out of the country... which is legal to do because it's "free speech" then. If that hadn't worked, it would have simply been re-invented again outside of the country. You can't just undo worldwide knowledge. They lifted that stupid rule soon after, because they realized how futile it was to ban inevitable general technological and mathematical advancement. It just makes other countries get better than yours and makes your country fall behind technologically. I feel sorry for India if that's what they're doing. Maybe your government will fall to someone more advanced within a few decades.
Niko • April 11, 2016 5:56 PM
@Whoa
For securing online shopping, encryption is just one part, and maybe not even the most important, in a defense in depth approach. One simple way to prevent online shopping theft is to require the shipping address to match the billing address. Most online thieves don't really want to drive to your house. The other way is that credit card companies are really, really good at spotting anomalies in spending patterns. EMV chips should eventually solve the POS fraud problem with cloned cards.
Whoa • April 11, 2016 11:34 PM
@Niko
If encrypting credit card numbers doesn't matter, then post yours, and the expiration date and cvv number right up here.... well... don't do it, you'll get stolen from.
In fact, it does matter, and it matters very much... though it's only one link in a chain... and every link matters, not only encrypting the numbers during transit with strong encryption. So I guess we're almost agreed, just different emphasis? The main reason for me focusing on the encryption part is because this started out with talking about banning ALL strong encryption! Making it all illegal. Only weak easily-broken encryption allowed (which means, why bother, just put it in the clear, just post all your info publicly online). So banning encryption is to ban shopping online... unless you just like to get stolen from each time.
Dirk Praet • April 12, 2016 5:50 AM
@ Niko
One simple way to prevent online shopping theft is to require the shipping address to match the billing address.
Unless you're unemployed or know at exactly what time your goods will be delivered, this sounds highly unpractical to me. I never have stuff delivered to my home address because, well, I'm hardly ever there.
Whoa • April 12, 2016 3:29 PM
@Dirk Praet
...or work from home... or call up your credit card company and have your work address added to your account as an "alternate" address..
That last one is what people should start doing actually, because some retailers already require the address to match.
Niko • April 13, 2016 7:18 PM
@Whoa
I suppose I was thinking more on a personal level. I've had my credit card used fraudulently multiple times. Each time it was easy to get the charges removed, although I did have to fill out some paperwork and wait for a new card.
@Dirk
Maybe, you live in a higher crime area than I do. Where I live, it's common to get items left on the doorstep, although high value items usually require a signature. I don't recall ever having a theft. Also, if you have a family, you only need one of you to be home.
wally king • April 17, 2016 9:15 AM
why everybody forgotten that whatsapp gave tools to some governments in the middle east allowing them to spy on whatsapp users for these countries to avoid being blocked? these countries like saudi and emirates are known to everybody in 2013.ianf • April 19, 2016 4:21 AM
[disclaimer: I do not use any messaging apps].
the grugq reviews WhatsApp (iOS) and concludes with
The Bottom Line
WhatsApps adoption of a strong encrypted protocol is a significant improvement in secure messaging, but problems remain. Although the data is well protected on the wire, there is still significant metadata leakage [to Fuckfacebook of all places—ed.] and there are significant privacy issues related to using the app.
WhatsApp is a great replacement for iMessage, but it is not the final word in secure messaging.
https://medium.com/@thegrugq/operational-whatsapp-on-ios-ce9a4231a034
michele m • April 24, 2016 1:50 AM
Thanks for the good insights folks. Can anybody elaborate on the following?
Thank you much.
michele
Subscribe to comments on this entry
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.
Leave a comment