Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Monday January 16 2017, @10:07AM   Printer-friendly
from the tradeoffs dept.

A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

Privacy campaigners said the vulnerability is a "huge threat to freedom of speech" and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.

Source: WhatsApp vulnerability allows snooping on encrypted messages

Reporting at Ars Technica took a different view — Reported "backdoor" in WhatsApp is in fact a feature, defenders say:

At issue is the way WhatsApp behaves when an end user's encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.

Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.

[...] Moxie Marlinspike, developer of the encryption protocol used by both Signal and WhatsApp, defended the way WhatsApp behaves.

"The fact that WhatsApp handles key changes is not a 'backdoor,'" he wrote in a blog post. "It is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system."

[...] Ultimately, there's little evidence of a vulnerability and certainly none of a backdoor—which is usually defined as secret functionality for defeating security measures. WhatsApp users should strongly consider turning on security notifications by accessing Settings > Account > Security.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Monday January 16 2017, @10:27AM

    by Anonymous Coward on Monday January 16 2017, @10:27AM (#454334)

    What I'm curious about is:
    1) How does Whatsapp Web work with all this encryption
    2) What does that whatsapp - facebook "improve ads" thing[1] really imply, is it really as Whatsapp claims?

    [1] http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-facebook-terms-private-data-sharing-opt-out-how-to-a7210841.html [independent.co.uk]
    https://www.whatsapp.com/faq/general/26000016 [whatsapp.com]

  • (Score: 2) by Unixnut on Monday January 16 2017, @12:09PM

    by Unixnut (5779) on Monday January 16 2017, @12:09PM (#454351)

    whatsapp web connects to your phone via some sort of remote API. This is why you need your phone up and running when using it, and why if your phone battery dies you cannot continue using whatsapp web.

    I suspect that the phone connects to some sort of proxy server ran by whatsapp, then you connect to the website. The QR code is a way of authenticating so that the right proxy channel is forwarded to the web interface (lest you end up in someone elses whatsapp).

    Encryption seems to just be bog standard SSL, and I have no idea how secure the backend is. Chances are that it is less secure than using the phone directly, just because you have a whole extra layer of abstraction, so you have a larger attack surface for an attacker.

    • (Score: 0) by Anonymous Coward on Tuesday January 17 2017, @07:25AM

      by Anonymous Coward on Tuesday January 17 2017, @07:25AM (#454784)
      If the decryption is not happening at the PC's web browser client then presumably Whatsapp/Facebook/etc can spy on the conversations.
  • (Score: 3, Informative) by driverless on Monday January 16 2017, @01:10PM

    by driverless (4770) on Monday January 16 2017, @01:10PM (#454361)

    Oops, Soylentnews is a bit late to the party here, this story was already debunked as nothing more than bad reporting several days ago.

    • (Score: 1) by pTamok on Tuesday January 17 2017, @01:30PM

      by pTamok (3042) on Tuesday January 17 2017, @01:30PM (#454875)

      Debunked, you say?

      Bruce Schneier's take on it is here: https://www.schneier.com/blog/archives/2017/01/whatsapp_securi.html [schneier.com]

      ...a potential vulnerability in the WhatsApp protocol that would allow Facebook to defeat perfect forward secrecy by forcibly change users' keys, allowing it -- or more likely, the government -- to eavesdrop on encrypted messages.

      It seems that this vulnerability is real:

      now, I'm not going to quibble with Bruce Schneier, but it would be great of you could provide a link to where the vulnerability is debunked. Moxie Marlinspike states that is is a deliberate design decision: https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/ [whispersystems.org]

      Given the size and scope of WhatsApp's user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user's communication, along with a simple user experience.

      One thing to note is that the Signal protocol, upon which the WhatsApp implementation is modelled, does not have this behaviour. As Schneier describes for Signal:

      If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

      WhatsApp is certainly easier to use. But this ease-of-use can be argued to reduce its security. It is the usual security versus ease-of-use argument. A slightly less secure but easy to use application like WhatsApp may be more beneficial overall than a potentially secure application that few people use (e.g. PGP). WhatsApp is probably good enough for most of its userbase, but a very small number of people may need to use Signal instead.

      • (Score: 3, Insightful) by driverless on Wednesday January 18 2017, @05:47AM

        by driverless (4770) on Wednesday January 18 2017, @05:47AM (#455251)

        It's opt-in for WhatsApp (I run with it enabled). Really depends on what you perceive as being important to get it used. A mostly-secure system that huge numbers of people use is still better than a (theoretically) very secure system that almost no-one uses. As someone pointed out on a mailing list recently, "there are always trade-offs between usability and security, as demonstrated by about a million times more people using Signal in the last year than have ever used PGP/GPG in the 26 years since it was written". So if you think it's important, use WhatsApp and enable it, or use Signal where it's the default. For the masses though, I'd aim for getting it universally adopted first, and then you can tweak the security later for people who really want it. Whether it's good of bad will be an endless bikeshedding point for security geeks, but I'd call it a philosophical issue rather than a vuln.

  • (Score: 2) by Arik on Monday January 16 2017, @01:52PM

    by Arik (4543) on Monday January 16 2017, @01:52PM (#454367) Journal
    Somehow I really doubt that facebook is using whatsapp to convert their shitty ads to HTML, so I'm thinking that's what's called 'puffery' - obvious bullshit that's so obvious you can't even sue them over it.
    --
    If laughter is the best medicine, who are the best doctors?