date 2015-01-17
from the tradeoffs dept.
A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.
Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.
Privacy campaigners said the vulnerability is a "huge threat to freedom of speech" and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.
Source: WhatsApp vulnerability allows snooping on encrypted messages
Reporting at Ars Technica took a different view — Reported "backdoor" in WhatsApp is in fact a feature, defenders say:
At issue is the way WhatsApp behaves when an end user's encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.
Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.
[...] Moxie Marlinspike, developer of the encryption protocol used by both Signal and WhatsApp, defended the way WhatsApp behaves.
"The fact that WhatsApp handles key changes is not a 'backdoor,'" he wrote in a blog post. "It is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system."
[...] Ultimately, there's little evidence of a vulnerability and certainly none of a backdoor—which is usually defined as secret functionality for defeating security measures. WhatsApp users should strongly consider turning on security notifications by accessing Settings > Account > Security.
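The key-change handling described in the Ars Technica excerpt can be modelled from the sender's side. The sketch below is an added example, not WhatsApp or Signal code: the class, method names, fingerprint format and sample keys are all assumptions, and a (fingerprint, text) tuple stands in for real ciphertext.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(identity_key: bytes) -> str:
    # Short digest a user could compare out of band; this format is an assumption.
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class SenderClient:
    notify_on_key_change: bool = False               # models the security-notifications setting
    pinned: dict = field(default_factory=dict)       # peer -> fingerprint last accepted
    undelivered: dict = field(default_factory=dict)  # peer -> plaintexts not yet acknowledged
    notices: list = field(default_factory=list)      # what the sending user gets to see

    def send(self, peer: str, text: str, advertised_key: bytes) -> list:
        """Send to the key the server advertises; returns every envelope emitted."""
        resent = self.on_key_change(peer, advertised_key)
        self.undelivered.setdefault(peer, []).append(text)
        # (fingerprint, text) stands in for ciphertext addressed to that key.
        return resent + [(self.pinned[peer], text)]

    def on_key_change(self, peer: str, key: bytes) -> list:
        """Accept the advertised key and re-send undelivered messages to it."""
        new_fp, old_fp = fingerprint(key), self.pinned.get(peer)
        self.pinned[peer] = new_fp
        if old_fp is None or old_fp == new_fp:
            return []                                # first contact or unchanged key
        resent = [(new_fp, t) for t in self.undelivered.get(peer, [])]
        if self.notify_on_key_change:
            # The notice comes after the re-send, matching the behaviour described.
            self.notices.append(
                f"{peer}: key changed {old_fp} -> {new_fp}; {len(resent)} re-sent")
        return resent


def demo(notify: bool):
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"  # sample values
    client = SenderClient(notify_on_key_change=notify)
    client.send("bob", "see you at 6", old_key)    # recipient offline, never acknowledged
    resent = client.on_key_change("bob", new_key)  # e.g. the recipient's new phone
    return resent, client.notices


if __name__ == "__main__":
    for setting in (False, True):
        print(setting, demo(setting))
```

In both runs the undelivered message goes out again under the new key; only with the setting enabled does the sender get a record of the change, which is the point at which the new fingerprint can be checked with the recipient over another channel.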
Whatsapp Web (Score:0)
What I'm curious about is:
1) How does WhatsApp Web work with all this encryption?
2) What does that WhatsApp - Facebook "improve ads" thing[1] really imply? Is it really as WhatsApp claims?
[1] http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-facebook-terms-private-data-sharing-opt-out-how-to-a7210841.html [independent.co.uk]
https://www.whatsapp.com/faq/general/26000016 [whatsapp.com]
WhatsApp apologists (Score:0)