
Your move, FBI
Good to see Apple won't have to be fighting the FBI alone if they start pushing against the use of "too much encryption" that hurts their ability to snoop.
Facebook-owned WhatsApp is switching on full end-to-end encryption for texts and voice calls used by a billion people. Updates to the chat apps are said to be rolling out from today. The software uses Open Whisper Systems' Signal Protocol. Technical details of the encryption can be found through here. "Over the past year, we' …
Perhaps WhatsApp is not that forthcoming with details, not wanting to be picked apart in case people find there's a weakness. "WhatsApp adds encryption" makes a good story for the public and the sort of publicity WhatsApp wants. "WhatsApp adds flawed encryption", in case they published the equivalent of the iOS security guide and someone figured out it was vulnerable to a MITM attack for example, would not provide the kind of publicity they're looking for!
Wait a minute and I'm sure someone can explain this to me but,
If it's end to end encryption then both ends must know how to decrypt each other.
How does each initiate the very first encrypted connection? i.e. key exchange.
Would this not mean that an unscrupulous government with access to the internet would be able to sit in the middle and go, thanks for that I can now decrypt your data? Could it not also enable Facebook to record these keys? Even though it said it wouldn't (yes I have a lack of trust for Facebook for some strange reason) or even better as it knows how the initial exchanges are set up it could technically duplicate them.
How does each initiate the very first encrypted connection? i.e. key exchange.
Would this not mean that an unscrupulous government with access to the internet would be able to sit in the middle and go, thanks for that I can now decrypt your data?
Yes, that is one red flag - to assure there is no MITM you would have to communicate a key checksum out of band (voice, SMS), and even that can be interfered with if the other party is unknown to you.
There is also a second one: your network, i.e. the people you associate with. As long as the mechanism by which WhatsApp matches people in your address book is not disclosed I would suggest it's not ephemeral, and it will thus support the main goal of most modern surveillance: identifying who communicates with whom (which conveniently has the advantage that you don't need to decrypt much - this is a key reason why you don't see any use of PGP in government circles).
In any case, I don't actually care what they add. It's part of Zuckerberg's circus so I won't touch it on account of a shortage of long enough barge poles.
Not.
"They trust me — dumb fucks" ~Zuckerberg.
I want to see an article by credible security researchers who have VERIFIED the end to end encryption aspect.
Another Z option would be to suck in a billion people, then one day simply cancel all encryption and furiously start vacuuming up the data. I think that would be a logical extension of the FB modus operandi.
The protocol being used is (allegedly) open source, reviewable here...
https://github.com/whispersystems/libsignal-protocol-java/
But being that it's a Facebook implementation I still have a fair few reservations about exactly how it was implemented in this instance. Good to see they're trying though.