Good News: WhatsApp Gets Serious About End To End Encryption

from the good-to-see dept

Tue, Nov 18th 2014 2:46pm — Mike Masnick

We recently noted that it was really good news to see companies like Google and Apple finally taking end user encryption seriously, and it appears that's spreading. The super-popular chat messaging app WhatsApp, which was acquired by Facebook not too long ago, just turned on full end-to-end encryption, powered by Open Whisper Systems, the makers of such great tools as TextSecure, which is the basis for the new encryption:

The most recent WhatsApp Android client release includes support for the TextSecure encryption protocol, and billions of encrypted messages are being exchanged daily. The WhatsApp Android client does not yet support encrypted messaging for group chat or media messages, but we’ll be rolling out support for those next, in addition to support for more client platforms. We’ll also be surfacing options for key verification in clients as the protocol integrations are completed.

WhatsApp runs on an incredible number of mobile platforms, so full deployment will be an incremental process as we add TextSecure protocol support into each WhatsApp client platform. We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default.

It sounds like this project started prior to the Facebook acquisition, so it's great to see it continue to move forward either way. Just recently, the EFF rated various messaging apps for their security (which resulted in some controversy...), and WhatsApp didn't score all that well, while TextSecure got a perfect score. Making messaging more and more secure is incredibly important, so it's great to see it happening here.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: encryption, messaging
Companies: whatsapp, whisper systems

19 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Shmerl, 18 Nov 2014 @ 3:15pm

WhatsApp is horrible
1. It uses non compliant XMPP (you can't use third party clients).
2. It's not federated (walled garden). So you can't communicate with users from other XMPP networks.
3. It's security is flawed by design. They consciously made it into an insecure service by dropping the registration process (creating user name + password) like in any normal XMPP, and instead using identification tied to user's device to authenticate. All that to exploit people's laziness (saves 5 minutes of the registration process for the price of constant broken security).

Such developers are simply doing a huge disservice to their users.
[ link to this | view in chronology ]
- Anonymous Coward, 18 Nov 2014 @ 3:59pm
  
  Re: WhatsApp is horrible
  And:
  
  4. It's not open-source, therefore it cannot be independently peer-reviewed. And therefore we cannot verify that it isn't loaded with security holes and backdoors.
  
  (Of course sometimes even open source code has security holes. But since it can be independently peer-reviewed, we have a fighting chance of finding them. With this...we have none.)
  
  If it's not open-source, it's shit, and NOBODY should trust it.
  [ link to this | view in chronology ]
Anonymous Coward, 18 Nov 2014 @ 3:27pm

If they still use US servers then that changes nothing. And even if they didn't it is still Facebook which afaik is a US company so no server would be save from any security agency.

At least I don't see much of a difference between them listening in somewhere in the middle and you never know about it or if they send a demand to facebook and you never know about it.
[ link to this | view in chronology ]
- Anonymous Coward, 18 Nov 2014 @ 4:29pm
  
  Re:
  Based on the description given in the WhatsApp article the end to end encryption would only store the keys at the end users not in a central server so all they could do with the server in the middle is get a copy of the encrypted stream but not be able to decrypt it so no worries of someone getting the message in real time.
  
  However since the ID is tied to a device you don't have anonymity so they can still try to get access to the source or destination device. A plus is that perfect forward secrecy is proposed so reading of the message shouldn't be possible except for when the man in the middle knows the long term key on the ends that is used to encrypt the temp key used for the current set of messages.
  
  Should be interesting to see what happens from this push in the right direction.
  [ link to this | view in chronology ]
  - Anonymous Coward, 18 Nov 2014 @ 6:56pm
    
    Re: Re:
    A plus is that perfect forward secrecy is proposed so reading of the message shouldn't be possible except for when the man in the middle knows the long term key on the ends
    
    Good to know that someone uses PFS but not sure how safe that is in the current form(using mobile devices). Looks like they have to send two security letters now. One to Facebook and one to whoever build the phone i.e. Apple. And if that doesnt work there is always the blackmarket for 0days or if all fails then I bet there will be a new law.
    
    The whole security thing confuses me a bit atm. Should I be happy they don't want new laws but that might mean they have other ways (e.g. 0days) to access the data or should I be for new laws which would mean they cant access the data at the moment?
    [ link to this | view in chronology ]
Anonymous Coward, 18 Nov 2014 @ 5:25pm

End to End encryption is great, but only one aspect of security. The fact that the software is proprietary (and thus impossible to publicly verify), WhatsApp has control of chat metadata and address books, and other reasons mentioned above.

Now rolling out strong crypto on the most used mobile messaging service in the world is an astounding feat. But we must critically weigh the harm that's being caused when we encourage users to stick with interoperable, proprietary, unverifiable options.
[ link to this | view in chronology ]
- Anonymous Coward, 18 Nov 2014 @ 5:27pm
  
  Re:
  *uninteroperable (siloed)
  [ link to this | view in chronology ]
Matrix.org, 19 Nov 2014 @ 2:55am

Secure Messaging
It's great that Whatsapp are going ahead with end to end encryption but you should be able to choose whatever app you like to communicate securely with someone. Matrix.org's (http://matrix.org/) goal is to make real-time communication over IP as seamless, secure and interoperable as email by providing the world with a new open standard which allows communication services themselves to interoperate. For the end consumer this will mean they can choose to use their favourite app because they get the most value from it and trust the provider with their data, and still be able to communicate with friends using competing apps and services.
[ link to this | view in chronology ]
Anonymous Coward, 19 Nov 2014 @ 5:00am

Sure Google have *announced* it, but when will they deliver? 5.0 does not bring encryption by default, not even on their own devices. You still have to manually encrypt your disk.
[ link to this | view in chronology ]
KoD (profile), 19 Nov 2014 @ 6:31am

TextSecure
I downloaded and started using TextSecure after my wife sent me a link to the EFF article rating different chat apps. I have since managed to convince a dozen or so of my closest contacts to start using it as well. It really is an excellent program. Very slick and clean. I just got the Android 5.0 update yesterday, which now has always-on VPN :):):)
[ link to this | view in chronology ]
Anonymous Coward, 19 Nov 2014 @ 8:29am

surely the main things for these apps/programs are that:

a)they work
b)there are some instructions on how to use them/set them up
c)they are simple to set up/use. no good if it takes a degree in I.T. to get it running
d)there is no chance of them being broken/hacked
[ link to this | view in chronology ]
Anonymous Coward, 19 Nov 2014 @ 10:22am

TD fail.
User Data is the life blood of facebook and googles' existence- their business models are antithetical to privacy/security and ANY tech that would "honestly" enable them. 'Kind Fox offer's protection plan for it's fleet of hen houses' articles like this are disgraceful and ruinous of TD's reputation. This is yet another example of TD's generous propaganda passes to silicon valley- probably pays much better then subscribers and click ad's.
[ link to this | view in chronology ]
بلادى عاجل, 22 Nov 2014 @ 4:24am

Thank you for a beautiful article, which I have benefited greatly from it will come back even gave a renewed look at more of the articles in your site
[ link to this | view in chronology ]
Naomi, 13 Feb 2015 @ 3:19am

End to End encryption is great, but only one aspect of security. The fact that the software is proprietary (and thus impossible to publicly verify), WhatsApp has control of chat metadata and address books, and other reasons mentioned above.

Now rolling out strong crypto on the most used mobile messaging service in the world is an astounding feat. But we must critically weigh the harm that's being caused when we encourage users to stick with interoperable, proprietary, unverifiable options.
WhatsApp Hacken
[ link to this | view in chronology ]
Panneer, 5 May 2015 @ 11:01pm

Works
Finally it works for me!!! Status for WhatsApp in English
[ link to this | view in chronology ]
Alex, 30 Jun 2015 @ 7:16am

issue
Please, can you tell me, such an application on this site https://sites.google.com/site/handyspionageapps/ will not be able to transmit data?
[ link to this | view in chronology ]
Bob, 13 Jan 2017 @ 5:11am

help! real or not?
Can anyone tell me if this web page fake is or a real one - WhatsApp Hacken
p.s. sorry it is in German
[ link to this | view in chronology ]
- Bob, 13 Jan 2017 @ 5:13am
  
  Re: help! real or not?
  update. here is the website http://whatsapphacken.pro/
  [ link to this | view in chronology ]
Pablo, 30 Mar 2020 @ 4:55am

Need your help
Hi guys, I need also your help, please!!!!
Want to protect my daughter from her boyfriend, have read that with spy apps i can read all her whatsapp messages....is it true??? https://iortly.com/whatsapp-spy/
[ link to this | view in chronology ]