WhatsApp Finishes Rolling Out End-To-End Encryption; Now Covers Group Messages, Media
from the backdoors-salesmen-en-route-to-Congress-as-we-speak dept
More good news on the secure communications front: WhatsApp has finally implemented full end-to-end encryption — for everyone. Late in 2014, WhatsApp began rolling out its end-to-end encryption, but it was limited to one-to-one communications and did not cover messages containing media. Now, it’s everything, including group messages.
This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network.
Law enforcement — particularly the Justice Department — can’t be pleased with this full implementation. Even if a warrant is obtained, WhatsApp cannot produce message content in response to these or other court orders. And from what we’ve seen, WhatsApp may be the next target of the FBI and its All Writs wrangling.
While this does have its implications for law enforcement in the US, it will likely have more of an impact in other nations where citizens are protected by fewer privacy-related rights — which is where most of its users are located. Whether or not this will result in more futile arrests of Facebook execs remains to be seen.
As the messaging app’s creators point out, even if you believe your government is basically good, you should still support (and use) encrypted communication options.
The argument can be made: Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future.”
As we’ve seen in the aftermath of the Paris and Brussels attacks, governments — including their law enforcement agencies — are often prone to expanding government power and weakening citizens’ rights. It only takes one successful attack to send a nation down previously unimaginable paths. Might as well have your communications protected just in case. And, as for law enforcement’s sudden “lack” of access? It might help to keep in mind that people chatted for hundreds of years without creating permanent records of their conversations and criminals were somehow still arrested and punished.
Filed Under: encryption, fbi, messaging, privacy
Companies: whatsapp
Comments on “WhatsApp Finishes Rolling Out End-To-End Encryption; Now Covers Group Messages, Media”
Of course since the app is closed source we’ll just have to take their word for it!
Re: Re:
I can’t imagine why anyone would have any trouble taking Facebook’s word for something!
Re: Re:
No Encryption is 100% perfect. You can find holes in the weak spots. It just can’t be 100% encrypted. Otherwise it wouldn’t run. People wouldn’t be able to read their messages, etc.
There’s Pro’s and Con’s to Open Source and Closed Source. It’s a Messaging App. If the FBI breaks in, what are they going to see that you care about? Does it have Nude Pictures of your Girlfriend? Medical History? Banking Info? So on and So on like a Smart phone??? Is someone going to steal your personal Identity breaking into Whatsapp?
If what you’re texting is really important that you don’t want anyone or any Government to see and read it, maybe Whatsapp isn’t the one to use. Especially being Facebook owned!!! It’s almost as bad is Google which flat out is a Advertising Company. All they do is spy on everything you do.
While iMessage is Encrypted and always has been, anything part of iCLoud, Apple still has the keys for and can get into that Data for the FBI. At least for now.
Sweet, more Facebook fluff from TD!
As I’ve said before, instead of calling it encryption we should be calling it Digital Rights Management. Which it is; it’s just that it’s the user who manages the rights to the encrypted data.
That way the FBI and others who declare jihad against encryption would be declaring jihad against DRM.
Re: Re:
I like your thinking.
How are they unable to decrypt messages?
Whatsapp is encrypting messages for storage and then decrypting messages so users can read them … so given a court order, how are they unable to comply? Is the app creating a unique 256-bit key on each client system? Does that mean my Android Whatsapp is unable to decrypt messages made by my iPhone Whatsapp? Since that’s likely not the case, Whatsapp’s servers contain all these keys.
Re: How are they unable to decrypt messages?
What Whatsapp claims is that the messages are indeed encrypted using keys held only by the endpoints. This should mean that you can’t read the messages on any other device.
Apple gets around this with its Messages app by encrypting the key against your AppleID so that while the encryption key might ineed reside on their iCloud server, they can’t decrypt the key to use it without knowing your password. Each device that uses that iCloud account has to register and get its own signing tokens.
Whatsapp could theoretically do this too, but I highly doubt that they have. Someone who runs it on both an Android device and an iOS device could probably clarify one way or the other.
The NSA may already control the servers, so they don’t need to worry about the encryption part.
Re: Re:
The NSA may already control the servers, so they don’t need to worry about the encryption part.
With end to end encryption, intercepting the message doesn’t help. It doesn’t matter what server they have compromised, they still wouldn’t be able to read any messages. They would have to compromise end user devices.
>Is the app creating a unique 256-bit key on each client system?
From the description, there would have to be a distinct (not necessarily-256-bit) key for each person and each group. The personal key might well be a public-key scheme.
So the process might go something like:
Alice wants to create a group. She creates a local key for it. The server doesn’t know that key, just knows that there is a group.
Alice sends Bob an invite to the group, including the group key, encrypted via Bob’s public key. The message travels through the server encrypted end to end.
Now Alice and Bob can create content, encrypt it locally using the shared group key, and upload to the server. Anyone invited into the group can download that content from the server, decrypting it locally.
I’m sure professionals could come up with something more sophisticated, and better protected from off-server attacks. And, of course, this is all still trusting the server to honestly transmit public keys between users (it could execute the usual man-in-the-middle attack under some circumstances.)
Re: Re:
If you use the public key to transfer the private ones and then destroy the data transferred then it should be mostly ok. Even if the public key is compromised, groups that were created before will be safe. I think it’s a good solution to implement end-to-end encryption without requiring much crypto knowledge from the users. Sure it doesn’t offer the best end-to-end security possible but it’s enough to make Govt abuse and criminal activity against the users quite harder.
Between you and your app is a hardware layer. As good as that app may be, it cannot prevent this often-compromised-by-default layer from also transmitting unencrypted keystrokes behind your back to the PTB.
But, but, but...
Going Dark! (TM)
Content is king!
“Even if a warrant is obtained, WhatsApp cannot produce message content in response to these or other court orders.”
Yes they can. The only catch is the content will be encrypted.
And they have only themselves to blame...
Of course the best part about this whole push towards stronger encryption, encryption by default, and encryption that companies cannot themselves crack is that it was primarily in response not to the actions of your average criminals but the actions of governments and police showing absolutely no restraint and grabbing everything that they could, just because they could.
Once it became clear that those that were supposed to be protecting the public had absolutely no interest in protecting the privacy and security of the public, and in fact seemed more interested in undermining both, companies and individuals stepped in to do it themselves, leading to cries of ‘Not fair!’ and ‘You’re not allowed to do that!’ from the voyeurs that are suddenly finding their easy access to private data at risk.
Intel Management Engine
the security battle is shifting into the firmware
AMD has this too: Platform Security Processor
stuff is related to UEFI
it will appear in ARM as sure as sunrise as various commercial and government interests will hike through hell before they give up access to, and control over computers and networks
Not necessary to create a Group Key
From the description, there would have to be a distinct (not necessarily-256-bit) key for each person and each group. The personal key might well be a public-key scheme.
Not necessarily, it would seem quite possible that the sender could send individual messages to EACH of the group members using their public key. This way you don’t need a key for each group (a group is just multiple individuals).
Re: Not necessary to create a Group Key
The problem with your approach tho is that if you had, say, a group of 50 people, this would mean you’d have to encrypt a single message 49 times, once for each member (apart from yourself).
Encryption is quite an expensive process, running encryption across say a 1MB jpeg 49 times would be very expensive.
Having a unique encryption key just for that group chat, with each group member having a copy, means a single encryption process for every member to receive an encrypted message.