SoylentNews is people

posted by martyb on Monday January 16 2017, @10:07AM
from the tradeoffs dept.

A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

Privacy campaigners said the vulnerability is a "huge threat to freedom of speech" and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.

Source: WhatsApp vulnerability allows snooping on encrypted messages

Reporting at Ars Technica took a different view — Reported "backdoor" in WhatsApp is in fact a feature, defenders say:

At issue is the way WhatsApp behaves when an end user's encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.

Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.

[...] Moxie Marlinspike, developer of the encryption protocol used by both Signal and WhatsApp, defended the way WhatsApp behaves.

"The fact that WhatsApp handles key changes is not a 'backdoor,'" he wrote in a blog post. "It is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system."

[...] Ultimately, there's little evidence of a vulnerability and certainly none of a backdoor—which is usually defined as secret functionality for defeating security measures. WhatsApp users should strongly consider turning on security notifications by accessing Settings > Account > Security.
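The Ars excerpt above turns on one mechanism: a client pins the identity key it first sees for a contact, and when the server later hands it a different key it re-encrypts any undelivered messages to that key, either silently (the described default) or with a security notification to the sender. The following Python model is an added illustration and not WhatsApp's or Signal's code; the fingerprint and safety-number derivations, the `Client`/`Policy` names and the sample keys are constructed for the example. It shows why the sender can always detect a substituted key (the pinned fingerprint no longer matches) and that the setting only controls whether the user is told.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Policy(Enum):
    SILENT = "silent"  # re-encrypt to the new key and say nothing (described default)
    NOTIFY = "notify"  # re-encrypt, but show the sender a security notification


def fingerprint(identity_key: bytes) -> str:
    """Short, human-comparable fingerprint of an identity public key (constructed format)."""
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Same value whichever party computes it, so the two can compare it out of band.
    Constructed derivation: a real system uses a defined encoding of both keys."""
    return fingerprint(b"".join(sorted((key_a, key_b))))


@dataclass
class Outgoing:
    contact: str
    plaintext: str
    encrypted_to: str  # fingerprint of the key this ciphertext was built for
    delivered: bool = False


@dataclass
class Notice:
    contact: str
    old_fp: str
    new_fp: str
    reencrypted: int  # undelivered messages moved to the new key


class Client:
    """Minimal sender-side model of trust-on-first-use identity key pinning."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.pinned: Dict[str, str] = {}  # contact -> fingerprint pinned on first use
        self.outbox: List[Outgoing] = []
        self.notices: List[Notice] = []

    def send(self, contact: str, plaintext: str) -> Outgoing:
        """Queue a message encrypted to the currently pinned key for `contact`."""
        if contact not in self.pinned:
            raise KeyError("no identity key pinned for %s" % contact)
        msg = Outgoing(contact, plaintext, self.pinned[contact])
        self.outbox.append(msg)
        return msg

    def learn_identity_key(self, contact: str, identity_key: bytes) -> str:
        """Called whenever the server hands us a key bundle for `contact`."""
        new_fp = fingerprint(identity_key)
        old_fp = self.pinned.get(contact)
        if old_fp is None:
            self.pinned[contact] = new_fp  # trust on first use
            return "pinned"
        if old_fp == new_fp:
            return "unchanged"
        # The key differs from the pinned one: a new phone, a reinstall, or a
        # server substituting a key. The client cannot tell which; the change
        # itself is always observable here, whatever the policy says about UI.
        self.pinned[contact] = new_fp
        pending = [m for m in self.outbox if m.contact == contact and not m.delivered]
        for m in pending:
            m.encrypted_to = new_fp  # re-encrypt undelivered messages to the new key
        if self.policy is Policy.NOTIFY:
            self.notices.append(Notice(contact, old_fp, new_fp, len(pending)))
        return "changed"


if __name__ == "__main__":
    # Constructed walk-through: one delivered and one pending message, then a key change.
    client = Client(Policy.NOTIFY)
    client.learn_identity_key("alice", b"constructed-alice-key-1")
    first = client.send("alice", "on my way")
    first.delivered = True
    client.send("alice", "running late")
    client.learn_identity_key("alice", b"constructed-alice-key-2")
    for n in client.notices:
        print("security notification: %s changed key, %d pending message(s) re-encrypted"
              % (n.contact, n.reencrypted))
```

With `Policy.NOTIFY` the sender sees that a pending message was re-encrypted to a key it had never verified, which is the moment to compare safety numbers out of band before sending anything further; with `Policy.SILENT` the same re-encryption happens but the `notices` list stays empty, which is what the security-notifications setting in the excerpt toggles.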

  • (Score: 3, Informative) by RedIsNotGreen (2191) on Monday January 16 2017, @10:55AM (#454338)

    Using a closed-source app, crypto backdoor or not, allows snooping on messages.

  • (Score: 0) by Anonymous Coward on Monday January 16 2017, @11:52AM (#454349)

    Using an open-source app without reading every line of source code for every update allows snooping on messages.

    • (Score: 1) by pTamok (3042) on Monday January 16 2017, @12:25PM (#454355)

      This is true, but the open-source variant at least allows some* possibility of finding the backdoor. The closed-source one doesn't.

      *To be clear, open-source is not the answer: free software is. Unless you can compile the software yourself, there is no guarantee the source you are shown is the source used to compile the app(lication) you intend to use. Of course, you should also build your own compiler from the ground up. Free software allows you to check more of the production process - whether you choose to avail yourself of that is another matter. If you are truly paranoid, you won't trust the hardware you compile on unless you have built it yourself. It really boils down to who you choose to put your trust in, and how easy it is to verify their claims. Nation states can afford to be extremely paranoid, and spend a great deal of money on their military, security, and intelligence services to establish a 'web-of-state-approved-trust' they can rely on to whatever necessary extent. It is hard for individuals to compete with that. How paranoid do you wish to be, and how much resource can you dedicate to it? It can be an entirely rational decision to trust Facebook: but for a small number of people, extreme paranoia is justified.

      As far as I know, I'm not one of that small number. Which is fortunate for me.