
posted by cmn32480 on Tuesday April 05 2016, @11:17PM
from the what-about-beginning-to-beginning dept.

The title pretty much says it all. According to the report:

the service will encrypt all messages, phone calls, photos, and videos moving among [the devices].

Moxie Marlinspike is involved, so they have a chance of getting it right, and no one, not even WhatsApp, will be able to know what you're saying, texting, viewing, &c. (Unless, of course, your widget is running malware, or the opposition can get their mitts on it.)-: They claim this is available on nearly a billion devices—this is a really big deal.

takyon: Alternate links with no Wired paywall: TechCrunch, Washington Post, CNET, Reuters.


  • (Score: 4, Insightful) by bitstream on Tuesday April 05 2016, @11:31PM

    by bitstream (6144) on Tuesday April 05 2016, @11:31PM (#327846) Journal

    WhatsApp Inc., have their corporate base in California, USA so they can get one of those famous letters. And the same goes for the two most popular operating systems and their hardware. So it's essentially been had before it even starts. But the first question to ask is how to ensure distribution of the client and to ensure that the client actually does what it says without, say encoding an extra key etc.

    Mobile phone security:
      * Hardware (signing, extra chip logic, radio modem entry point etc)
      * Operating system (backdoors)
      * Applications (doing extra thwarting of user actions)

  • (Score: 1) by Francis on Tuesday April 05 2016, @11:56PM

    by Francis (5544) on Tuesday April 05 2016, @11:56PM (#327859)

    Depends how it's set up. They could set it up so that they don't have access to the device specific keys, such as via public key cryptography. In which case, it doesn't matter what letters they get, they wouldn't have the ability to break in there and can't be legally compelled to do so.

    • (Score: 0) by Anonymous Coward on Wednesday April 06 2016, @01:13AM

      by Anonymous Coward on Wednesday April 06 2016, @01:13AM (#327881)

      "Deploy a software update to this device's IP address that sends us a copy of the password and backdoors further encryption"

      • (Score: 1) by Francis on Wednesday April 06 2016, @02:42AM

        by Francis (5544) on Wednesday April 06 2016, @02:42AM (#327904)

        Google doesn't permit 3rd party updates. The only updates they can make are through play. I believe that Apple has similar rules.

        So, unless you're sideloading the app, they can't do that. Also, they can only access data that's stored at that time, not necessarily anything that you've been talking about previously.

        • (Score: 2) by frojack on Wednesday April 06 2016, @05:10AM

          by frojack (1554) Subscriber Badge on Wednesday April 06 2016, @05:10AM (#327931) Journal

          There is another hole to consider.

          Both Apple and Google have backup of settings you've made on your device. Maybe Windows phone too for all I know.
          They back up various app data. https://support.google.com/nexus/answer/2819582?hl=en [google.com]

          So if someone could get to your google account, they could attempt to get at that data, and probably get keys to a lot of castles.

          I've had one app issue an update just to turn off backup of its settings as that google backup represented a security risk.

          --
          No, you are mistaken. I've always had this sig.
        • (Score: 0) by Anonymous Coward on Wednesday April 06 2016, @10:41AM

          by Anonymous Coward on Wednesday April 06 2016, @10:41AM (#327998)

          "Deploy a software update that sends us a copy of the password and backdoors further encryption for this device"

    • (Score: 2) by bitstream on Wednesday April 06 2016, @02:53PM

      by bitstream (6144) on Wednesday April 06 2016, @02:53PM (#328081) Journal

      How would you know it actually does what it says?

  • (Score: 5, Insightful) by Anonymous Coward on Wednesday April 06 2016, @12:16AM

    by Anonymous Coward on Wednesday April 06 2016, @12:16AM (#327865)

    (1) There will ALWAYS be flaws. This is an improvement in the number of flaws. Do not let the perfect be the enemy of the good.

    (2) There is a network effect here - by default ALL traffic is now encrypted. We already know that the NSA keys on encrypted traffic as suspicious and automatically worthy of scrutiny and preservation beyond their default levels. When everybody uses encryption, the people who desperately need encryption no longer draw attention to themselves simply by using encryption. That's a big improvement in the baseline.

    • (Score: 0) by Anonymous Coward on Wednesday April 06 2016, @12:22AM

      by Anonymous Coward on Wednesday April 06 2016, @12:22AM (#327867)

      Not to mention the increase in storage requirements.

    • (Score: 2) by bitstream on Wednesday April 06 2016, @03:01PM

      by bitstream (6144) on Wednesday April 06 2016, @03:01PM (#328083) Journal

      You're right. Unless people are being lulled into using compromised encryption on a massive scale so that it's possible to pick out the unbreakable or hard ones from the crowd, which then is only hard from the perspective of ordinary people (plebs).

      Proprietary software is now in a dilemma. They can protect profits, or protect trust. It's possible to make a profit from released source but it's no longer an obvious course of action.

    • (Score: 1, Informative) by Anonymous Coward on Wednesday April 06 2016, @07:16PM

      by Anonymous Coward on Wednesday April 06 2016, @07:16PM (#328202)

      This app has a serious issue, which is that it's proprietary. It doesn't respect the users' freedoms and can't be trusted. It's good that they supposedly have better encryption, but it needs to respect the freedoms of the user before it can really be recommended.

  • (Score: 2) by frojack on Wednesday April 06 2016, @03:55AM

    by frojack (1554) Subscriber Badge on Wednesday April 06 2016, @03:55AM (#327916) Journal

    WhatsApp Inc., have their corporate base in California, USA so they can get one of those famous letters.

    Well if they did it right the letter gets them nothing.

    It would take another rather public court order fight to get them to create a compromised version and cause it to be updated over the net to everywhere. That would be loud enough that you might hear about it.

    But don't forget this is FACEBOOK, and they are a hell of a lot more untrustworthy than Apple. I wouldn't be surprised if, as you suggest, they had their own key in there as well as the users, just to satisfy CLEAA.

    And I still don't understand the QR code business. Most of the people I deal with on the phone or via text I would have no opportunity to scan their QR code, so how does that work?

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Wednesday April 06 2016, @10:31AM

      by Anonymous Coward on Wednesday April 06 2016, @10:31AM (#327995)

      > . I wouldn't be surprised if, as you suggest, they had their own key in there as well as the users, just to satisfy CLEAA.

      The Combined Law Enforcement Associations of Arizona?

      CALEA has no requirement to decrypt if the carrier does not possess the keys, so simply engineering the system not to have backdoor keys means they don't legally have to have backdoor keys:

      47 USC 1002(b)(3): [cornell.edu]
      (3) Encryption

      A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

      House Report No. 103-827 - TELECOMMUNICATIONS CARRIER ASSISTANCE TO THE GOVERNMENT [fbi.gov]

      Nothing in this paragraph would prohibit a carrier from deploying an encryption service for which it does not retain the ability to decrypt communications for law enforcement access.

      > And I still don't understand the QR code business. Most of the people I deal with on the
      > phone or via text I would have no opportunity to scan their QR code, so how does that work?

      The QR code is for in person meetings, the manual reading aloud of the hex digits is for (weak) in-band verification. Just because you won't use the QR code doesn't make it useless to everyone. Your circumstances are not everyone's circumstances. Who would have guessed not everybody lives their lives exactly the way frojack lives his?
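
The mechanism the two posts above are arguing about (Francis's point that the operator need not hold device keys, and the QR-code-versus-spoken-digits verification just described) can be shown in a few lines. The following is an added example, not WhatsApp's or Signal's code, and its fingerprint construction is a simplified stand-in for the real safety-number algorithm; the public keys are constructed placeholder bytes, and the "server" is only a stand-in for an untrusted relay. It shows why a key substituted by the relay produces a fingerprint mismatch, whether the fingerprint is scanned in person or read aloud.

```python
"""Key-fingerprint verification for an end-to-end encrypted messenger.

Added example with a simplified scheme (NOT the real WhatsApp/Signal
safety-number algorithm). Keys below are constructed placeholders.
"""
import hashlib
import hmac

# Constructed placeholder identity keys; in practice these are generated
# on each device and only the public half ever leaves it.
ALICE_PUB = b"\x01" * 32
BOB_PUB = b"\x02" * 32
MITM_PUB = b"\xff" * 32  # a key a hostile relay might substitute

FP_PREFIX = "e2e-fp:v1:"  # hypothetical QR payload prefix for this example


def fingerprint(pubkey_a: bytes, pubkey_b: bytes) -> bytes:
    """Fingerprint over both parties' public keys, order-independent.

    Sorting makes Alice and Bob compute the same value regardless of
    which key each of them treats as 'local'.
    """
    first, second = sorted([pubkey_a, pubkey_b])
    return hashlib.sha256(b"fingerprint-v1" + first + second).digest()


def spoken_hex(fp: bytes, groups: int = 12) -> str:
    """Render the fingerprint as groups of four hex digits for reading aloud.

    This is the weak, in-band form: if the channel itself is intercepted,
    the interceptor hears what is read and can interfere with it.
    """
    digits = fp.hex()[: groups * 4]
    return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def qr_payload(fp: bytes) -> str:
    """Payload to encode in a QR code for in-person scanning (out-of-band)."""
    return FP_PREFIX + fp.hex()


def verify_scanned(local_fp: bytes, scanned_payload: str) -> bool:
    """Compare a scanned QR payload against the locally computed fingerprint."""
    if not scanned_payload.startswith(FP_PREFIX):
        return False
    try:
        remote_fp = bytes.fromhex(scanned_payload[len(FP_PREFIX):])
    except ValueError:
        return False
    # Constant-time comparison; the mismatch case is exactly what we want to catch.
    return hmac.compare_digest(local_fp, remote_fp)


def simulate(relay_substitutes_key: bool) -> dict:
    """Model an untrusted relay delivering each party's key to the other.

    When the relay substitutes a key, each side derives a different
    fingerprint, so an in-person scan (or careful digit comparison) fails.
    """
    alice_view_of_bob = BOB_PUB
    bob_view_of_alice = MITM_PUB if relay_substitutes_key else ALICE_PUB

    fp_alice = fingerprint(ALICE_PUB, alice_view_of_bob)
    fp_bob = fingerprint(bob_view_of_alice, BOB_PUB)

    return {
        "fingerprints_match": hmac.compare_digest(fp_alice, fp_bob),
        "qr_scan_ok": verify_scanned(fp_bob, qr_payload(fp_alice)),
        "alice_reads_aloud": spoken_hex(fp_alice),
        "bob_reads_aloud": spoken_hex(fp_bob),
    }


if __name__ == "__main__":
    for substituted in (False, True):
        result = simulate(substituted)
        print("relay substitutes key:", substituted)
        print("  match:", result["fingerprints_match"], "qr:", result["qr_scan_ok"])
        print("  alice:", result["alice_reads_aloud"])
        print("  bob:  ", result["bob_reads_aloud"])
```

The relay never needs a private key to deliver ciphertext, which is the CALEA point made above: an operator that designed itself out of key custody has nothing to hand over. The fingerprint check is what lets users notice if the relay (or someone controlling it) starts handing out different keys.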

      • (Score: 0) by Anonymous Coward on Wednesday April 06 2016, @02:50PM

        by Anonymous Coward on Wednesday April 06 2016, @02:50PM (#328078)

        This is kind of off topic. I put Google Goggles on my phone, which does a good job at identifying and decoding bar codes and QR codes from photos. It sends photos up to the clouds for processing and cross-referencing. I don't think I'd want to use something that sends everything I scan up to the clouds on a daily basis, especially as part of a secure system. It was more a gee-whiz thing. It's pretty keen for what it does.

        Is there a good Android bar/QR code reader that does everything on the phone?

        I don't really have a use case, just wondering if anyone has recommendations.