
SoylentNews is people

posted by cmn32480 on Tuesday April 05 2016, @11:17PM
from the what-about-beginning-to-beginning dept.

The title pretty much says it all. According to the report:

the service will encrypt all messages, phone calls, photos, and videos moving among [the devices].

Moxie Marlinspike is involved, so they have a chance of getting it right, and no one, even WhatsApp, will be able to know what you're saying, texting, viewing, &c. (Unless, of course, your widget is running malware, or the opposition can get their mitts on it.)-: They claim this is available on nearly a billion devices—this is a really big deal.

takyon: Alternate links with no Wired paywall: TechCrunch, Washington Post, CNET, Reuters.


  • (Score: 0) by Anonymous Coward on Wednesday April 06 2016, @03:11AM (#327910)

    ...you have to do it yourself.

    If you actually want encryption you have to write (or at the very least compile) an .APK / .APP and install it on your device yourself.

    Bonus if you write your own algorithm.

    Not because your own algorithm will be more secure, it probably won't, but every bit of digital security is security through obscurity, and the more algorithms there are, the better for us all.

    I use hash based encryption in my ciphers, because it's strong against quantum computers. Eventually the crypto industry will use similar tech, but they're still squabbling over what cipher will be the standard for "authenticated encryption" while me and mine just use it right now.

  • (Score: 0) by Anonymous Coward on Wednesday April 06 2016, @04:35AM (#327925)

    Too bad you can't trust one of the handsets on the market today so all efforts are in vain.

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday April 06 2016, @05:45AM (#327939)

      You can't trust any of the consumer grade CPU MFGs either. [wikipedia.org] AMD has a similar system with similar security concerns. That's why Russia and China are producing their own MIPS fabs. I have a few homebrew systems of my own, but that's just a fun hobby, not really practical (nor are my systems very reliable).

      So, in any case one's best bet is to isolate the chip doing the ciphering from its network -- remove its ability to phone home. Perform the encryption on a device that never goes "online", and transfer the cipher via a method that's verifiable (like the new hotness of "authenticated encryption", such as hash based encryption) -- Preferably perform this over a connection type that doesn't expose the isolated cipher host to exploit. I use a custom parallel port interface I built myself between desktop machines, and a similar homebrew IR interface for transferring onto mobiles. Think of it as a hardware firewall. Then the data can transit the nets encrypted and tamper proof.

      So long as the other party takes similar precautions you can be safe.

      Most people don't have anything they need to communicate securely. Most people just need to protect against thieves. Most people don't think crypto is "fun" nor do such things just because they can either...

  • (Score: 5, Insightful) by stormwyrm (717) on Wednesday April 06 2016, @06:43AM (#327949)

    Your encryption algorithm will probably be crap, and if your adversaries get a hold of it they will rip it to shreds. It is always better to use an open algorithm that the international academic cryptographic community has been able to analyse and they have found has no serious flaws. I'd go with AES (Rijndael), Serpent, Twofish, or Blowfish. Hash-based encryption... *sigh* Hash algorithms are not designed to be resistant to, say, differential cryptanalysis, which is not an applicable attack against hashes. It may be "strong against quantum computers" but it probably has even bigger weaknesses that don't NEED a quantum computer to exploit!

    Then there is the question of protocols. Secure protocols are very difficult, and I don't know if there is an open standard protocol out there that hasn't been corrupted by the interference of the TLAs. TLS has many weaknesses due in part to government meddling in the days of Crypto War I. Simplistic protocols for key exchange with UDP-based VPNs not designed by professional cryptographers have proved insecure time and time again.

    People need interoperability when using cryptography, and the only way to do that is with standards. You're never going to talk to anyone unless you can convince other people to use your app too.

    --
    Numquam ponenda est pluralitas sine necessitate.
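
An added illustration of the "hash based encryption" versus "authenticated encryption" exchange in this thread, not code from any commenter. It assumes "hash based encryption" means a SHA-256 counter-mode keystream (the posts do not say), and shows that such a stream on its own accepts an altered ciphertext silently, while an HMAC tag checked before decryption rejects it. All function names and the sample message are constructed.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Assumed construction: block i = SHA256(key || nonce || i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Unauthenticated XOR stream: the same call encrypts and decrypts."""
    return xor(data, keystream(key, nonce, len(data)))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = os.urandom(16)
    body = nonce + stream_crypt(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Check the tag in constant time before decrypting; None means rejected."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        return None
    return stream_crypt(enc_key, body[:16], body[16:])

def flip(blob: bytes, offset: int, delta: bytes) -> bytes:
    """Model in-transit modification: XOR delta into blob at offset."""
    end = offset + len(delta)
    return blob[:offset] + xor(blob[offset:end], delta) + blob[end:]

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"PAY 0100 TO ALICE"            # constructed sample message
    delta = xor(b"0100", b"9100")         # change made without knowing any key
    nonce = os.urandom(16)
    ct = stream_crypt(enc_key, nonce, msg)
    forged = stream_crypt(enc_key, nonce, flip(ct, 4, delta))   # decrypts cleanly
    sealed = seal(enc_key, mac_key, msg)
    tampered = open_sealed(enc_key, mac_key, flip(sealed, 16 + 4, delta))
    return forged, open_sealed(enc_key, mac_key, sealed), tampered
```
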