Over the past year, we’ve been progressively rolling out Signal Protocol support for all WhatsApp communication across all WhatsApp clients. This includes chats, group chats, attachments, voice notes, and voice calls across Android, iPhone, Windows Phone, Nokia S40, Nokia S60, Blackberry, and BB10.
As of today, the integration is fully complete. Users running the most recent versions of WhatsApp on any platform now get full end to end encryption for every message they send and every WhatsApp call they make when communicating with each other. This includes all the benefits of the Signal Protocol – a modern, open source, forward secure, strong encryption protocol for asynchronous messaging systems, designed to make end-to-end encrypted messaging as seamless as possible.
WhatsApp is the most popular messaging protocol in the world (in my own country it’s effectively at 100% market share), so to see it do end-to-end encryption is a huge deal.
It looks like this may finally start becoming “the norm”, which is great. While open source projects like Jitsi had end-to-end crypto for a very long time, the fact that these projects were obscure and didn’t run on all platforms was always a problem.
I personally don’t and can’t use whatsapp because they limit the service to mobile devices and don’t offer a PC client. However I am glad to see that more mainstream services are deploying end to end crypto. It means ordinary people will actually start to use it rather than just those of us in the tech community who go out of our way to do it.
Are you aware of Whatsapp Web? It is a thing that runs in your browser and connects to the Whatsapp running on your phone (your phone must have a camera, since the Whatsapp Web – thing displays a QR-code on the screen that you then have to use on the phone to authenticate this connection) and allows you to do most of the things you’d do on the phone-client.
The web-frontend is not much different from having a desktop-client, except that it doesn’t support making calls, and it running in your browser makes it inherently cross-platform. It does support sending pictures and video and whatnot, and you can even drag-and-drop stuff if you will.
WereCatf,
Yes I saw that. How well does it work? I’m usually not a fan of messaging from the browser. Still, it is no good for me if I can’t establish my identity independently from my mobile phone. I already get more unwanted calls than I’d like and at least for me it’s not reasonable to force me to disclose it to use services like whatsapp.
Still, there are times it could be useful: some of my clients might benefit from end-to-end security, but I have a dedicated VOIP service for my business and as far as I know there’s no way to use it with whatsapp because they only support mobile activation. I’m not willing whatsoever to give out the wrong phone number (my personal cell) just to use the service with business associates. It seems pretty clear that they aren’t interested in desktop only users for now. Maybe they never will be, but until they are it isn’t a great cross platform solution.
Edited 2016-04-06 02:26 UTC
Yeah, you can’t. Well, I guess Whatsapp is not suitable for your needs, then.
https://web.whatsapp.com/
Technically, WhatsApp uses a personalised version of XMPP (jabber), so check if your preferred jabber application has a WhatsApp plugin.
Like, i.e., Pidgin and its whatsapp-purple plugin.
The counter part is, all those plugins are often in an early stage of development, and most of them are missing feature(s).
Not sure they will fit your needs.
Just try.
Are they planning to do similar with Facebook Messenger?
I remember when whatsapp was becoming popular they were making some pretty risky assumptions about user identity, which led the exploitation of said assumptions to commit spoofing:
http://gizmostorm.com/how-to-spy-on-someone-else-whatsapp-account-f…
http://www.wikihow.com/Access-Someone-Else‘s-WhatsApp-Account
http://www.spoofwhats.com/spoof
Does anyone know if whatsapp ever fixed these spoofing/identity issues? The article mentions optionally reading aloud a 60 digit authentication code to verify the encrypted channel between parties, but otherwise it doesn’t seem to indicate that the spoofing problems are fixed.
Edited 2016-04-06 00:20 UTC
“WhatsApp is the most popular messaging protocol in the world (in my own country it’s effectively at 100% market share)”
Is the above opinion, assumption, or fact? Would like to see some real numbers..
For the Netherlands it is 92% for WhatsApp and 57% for Messenger: http://tweakers.net/nieuws/109689/whatsapp-staat-op-11-komma-2-milj…
But the hard numbers are behind really expensive paywalls: http://www.telecompaper.com/research/dutch-apps-market-march-2016-e…
And of course FaceBook also provides numbers like that if you want to know more generically how much it is used, but you can search for that yourself
Good thing we had https://telegram.org/ to make zuckerboy do sensible things.
End to end encryption is good.
Bu does WhatsApp have the keys to decrypt?
End to end encryption could be saying comms is never in the clear. It’s not necessarily saying they can’t decrypt if they wanted to.
Like many services – they use TLS for traffic and encryption when storing data… But they have the keys.
Snowdon talked about zero knowledge services like spideroak … And this one… https://smartshare.digital-dynamics.io is an example too
At least according to them, no. They have several times said that they do not and they cannot decrypt your stuff. Also, since the (encrypted) messages and such are only stored on their servers only until the recipient has received them or until 30 days has passed there’s little content for them to decrypt anyways.
I don’t know if any 3rd party has verified this, though.
Given their history, I don’t trust WhatsApp and probably never will.
However, if it’s using Moxie’s Signal design then yes, they can be zero knowledge: no data is stored at the servers*, keys are stored locally, keys are exchanged through 3rd party server infrastructure (i.e. on the internet, outside of your and your friend’s phone)
* that is actually a nice thing – a business which doesn’t store your data, it doesn’t have it, it doesn’t want to. Like snapchat. (Hope they don’t store it, of course)
See for yourself: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
Source: From https://www.whatsapp.com/security/
Get the Details
Read an in-depth technical explanation of WhatsApp’s end-to-end encryption, developed in collaboration with Open Whisper Systems.
I don’t know much about their history, but the fact that they’re currently owned by the internet’s biggest pestilence, Facebook, would make me pause for deep thought.
Having said that, they seem to be partnering with decent people (like you’ve stated) for the end-to-end encryption, so credit where it’s due…. for now.
Edited 2016-04-06 15:10 UTC
In other words, they’ve painted a big target on their backs for whichever government takes the next pot-shot against user privacy. Hope they’re ready to fight. Seeing as they’re owned by Facebook though…
project_2501,
They have a spec here, they’re using very typical crypto with “no-surprises” for end to end security. As usual, you have to trust their software actually implements the spec in good faith.
https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
I think it’s a good faith spec for end to end crypto. As always, the devil’s in the details…
One potential area for abuse lies with the initial session where you obtain the public key from their service. This in general is a difficult problem to solve. Websites use independent Certificate Authorities to establish session trust. Protocols like SSH ask the user to manually verify server keys. Whatsapp optionally lets users verify keys by having users reach each other a 60 digit number. If you skip this step, then you implicitly trust the keys you’ve been given. This could be compromised by Whatsapp itself or those who can fraudulently authenticate with whatsapp servers.
So yes it’s zero knowledge (they see no private keys). However since whatsapp sets a very low bar for user authentication, it is trivially compromised by spoofing phone numbers and mac addresses (see my earlier post), so the authenticity of the public key you get seems to be a legitimate concern if it’s not independently validated. At least once you’ve verified the public key you should be able to continue to trust it for many sessions.
However there is a caveat: keys can legitimately change over time (reinstall/new phone/etc), which means all the security assumptions start over at zero again. The user would have to revalidate the 60 digit code for each contact, or once again just trust that it’s correct. The whatsapp documentation says users will have to select an option to be notified of a key change. This is alarming to me because if users aren’t notified by default, it means an attacker can change this key at will without cluing the user into the fact that the key has changed. SSH makes it intentionally difficult to connect when keys change for this reason.
All technicalities aside, it’s great news that mainstream services are actually interested in deploying end to end crypto at all. This is so much better than having businesses that horde data in the clear for advertising. Also there’s a lot of reinventing the wheel here, it would be nice to see services move to embrace open digital identity standards.
Edited 2016-04-06 14:48 UTC
I don’t feel it is really end to end encryption, otherwise each user would need their own key? Only the communication between you and whatsapp is probably now always encrypted.
Edited 2016-04-07 12:52 UTC
hussam,
I’m not sure what gave you this impression, but each user does have their own key. The public portion gets distributed to your contacts. It really is end to end encryption. It seems that their end to end encryption solution may actually be pretty good, but people need to be careful because just having end to end encryption doesn’t actually mean it’s being encrypted for the right party. Given the weaknesses in Whatsapp user authentication, it would be very prudent to verify the public keys you receive before trusting them.
Edited 2016-04-07 15:00 UTC
Ok, I figured out how to see the key. Thanks Alfman.
Edited 2016-04-07 16:43 UTC
Zipt 2.0 also has end to end encryption. it was released in 2015 and already has 10+ million users (mostly in developing countries). It’s killer feature is high quality voice calls on 2G networks.
Zipt 2.0 is free on Google play and the App Store.
http://zipt.com/