WhatsApp is not just any messaging app. It’s a quite unique combination of popularity and security. Many people know it as “the” messaging app. A natural choice that all your friends are using already, so it’s a no-brainer for you to use it too. But WhatsApp is also committed to provide a secure solution. They have been working with Whisper Systems for a long time and gradually integrated their security technology. This work reached an important milestone yesterday when WhatsApp announced that all communications now are end-to-end encrypted, if the parties use the latest version. This level of encryption has previously been available in some situations, but now they have reached full coverage.
This is actually a very important milestone for all of us. Not only for the WhatsApp users who really care about security. Let’s take a look at what this means.
This means that the message is encrypted during the whole path from sender to receiver. The end-point devices handle encryption and decryption and the message is not readable in transit or when stored on the vendor’s server. The vendor does not have a key to the encryption and can’t read the messages, nor reveal them to authorities.
No. WhatsApp’s encryption is fully integrated and automatic. It’s enabled by default and you do not need to do anything. Except make sure that all communicating parties have the latest version of WhatsApp, but that will eventually happen anyway when people upgrade their apps.
WhatsApp is a leader is what we call secure by default. This is a very important trend as it helps us all stay secure. There will always be secure ways to communicate, even if strong end-to-end encryption would be banned in some countries. But using security tools that aren’t mainstream will always make you look suspect. There’s a lot of ways to detect them using network surveillance. Outsiders will not be able to read what you write, but authorities may still conclude that you have something to hide and start keeping an eye on you. Even if your business is perfectly legit and honorable. This is why secure by default is important. If the norm is to use a secure communication channel, then nobody can claim you are suspect because you use one. The masses who don’t care about security are actually helping those who really need it. Other examples of secure by default are Apple’s iMessage and mail traffic that to an increasing degree default to protected connections using SSL or TLS.
They are definitively serious about providing a secure solution. But we should always keep in mind that there are flaws in every existing system. Vulnerabilities will no doubt be discovered, and fixed promptly. But WhatsApp should anyway have sufficient security at least for people with low to medium needs. If you have a serious need for security, then you should investigate your needs thoroughly and carefully select what tools and methods you use. Consult professionals and keep in mind that security is a broad concept. Selecting the right tool is not enough. You also need to have good op-sec. You need to mind what you say and do, and how you handle data.
No, not really. Properly encrypted communications is no doubt an obstacle for investigating authorities. But there are so many other tools they can use instead. Like tapping phones and locations. Searching facilities. Tracking persons and vehicles. And using spying implants on devices. As WhatsApp puts it in the announcement:
“No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.”
So yes. They could have included “Not investigating authorities” too, and that is a minor disadvantage in cases where we are dealing with terrorism and other kinds of sever criminality. But the overall picture is perfectly clear. The benefits of end-to-end encryption and secure by default clearly outweighs the disadvantages. Kudos to WhatsApp for showing the way.
Public domain image from Pixabay
After F-Secure principal security consultant Tom Van de Wiele stepped into the #CyberSauna for the second episode of…
January 19, 2018