1) They seem to have replaced TLS/SSL between client and server with "Noise Pipes". Based on a couple of minutes Googling this seems to be a brand new one-man protocol from Trevor Perrin (the same guy who did Axolotl on which Signal is based). At least, I'd never heard of it. I wonder if this is the first inkling of a post-TLS future?
2) It's a shame to see key words be killed off by internationalisation concerns. 12 words seems so much more friendly, at least to English speakers, than a 50 digit number. In practice I doubt any non-trivial numbers of people will ever compare codes by reading out such a number. I hope further research here can develop better replacements for encoding short binary strings in i18n friendly ways (perhaps with icons instead of specific words? if you don't speak a common language with your chat partner then the app is useless anyway).
3) What's the next step? My feeling is that the next step is securing the build and distribution pipeline. WhatsApp could partner with security firms around the world, like Kaspersky Lab in Moscow, perhaps one in Germany and another in Iran, to make it harder for the software to be forcibly backdoored by a single decision of a single government representative. This would require splitting the RSA signing keys used by the app stores. I have some code in my inbox that claims it can do this (it's written by some academics and I obtained it after a bit of a runaround) but I never found the time to play with it.
Of course, getting a bunch of security firms to sign off on every update, no matter how trivial that update is, might prove politically difficult inside Facebook. If mobile platforms supported in-app sandboxing better then the app could slowly be refactored to be more like Chrome, where the base layer doesn't trust the upper layers. Those upper layers wouldn't have access to key material and could then be updated more freely than the higher privileged components.
> They seem to have replaced TLS/SSL between client and server with "Noise Pipes".
WhatsApp was already using a custom protocol instead of TLS. We worked with them to transition over to Noise Pipes, which has some advantages over what they were doing before. Also, we've renamed Axolotl to Signal Protocol: https://whispersystems.org/blog/signal-inside-and-out/
Imho one thing that the Signal project suffers from -- and that a lot of open-source projects suffer from -- is poor documentation. They need to document their protocol better, to make it easier for third parties to integrate with their system.
Signal still lacks a working desktop client (no, the one that you can use if you're running Chrome doesn't count), and I'm sure tons of people would be eager to do stuff like provide integration for Pidgin if only there was better documentation.
I keep wondering if package managers (be it Google Play, apt or dnf) are in need of a solution like Certificate Transparency. Like Certificate Transparency, it would not necessarily prevent a backdoor(/certificate) from being pushed to selected users, but it would guarantee detectability, at least after the fact. If the package as a whole is included in the log, it would also allow BinDiff-style reverse engineering of any backdoor. Application developers could scan the log for unauthorized builds of their software (i.e. key compromises), and I imagine there are some things you can do with gossip protocols for end-users as well (i.e.: how popular is this build? Am I the only one running it?).
This would solve part of the trust issue both for proprietary and open source software (I mean, who's actually using or verifying reproducible builds?). It would also be a huge problem for intelligence agencies or other adversaries who want to do this undetected.
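As an added illustration of the binary-transparency idea sketched in this comment (my example, not any real log's or package manager's code): an RFC 6962-style append-only Merkle log of release records, the inclusion proof a client can check against a published tree head, and the developer-side scan that flags a logged build they never produced. The record format, the artifact digests and the rogue entry are all constructed for the demo.

```python
"""Binary transparency sketch: an append-only Merkle log of package releases,
RFC 6962-style inclusion proofs, and a developer-side monitor. Illustrative
code with constructed digests; the record layout is an assumption."""
import hashlib
from dataclasses import dataclass


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Release:
    package: str
    version: str
    artifact_sha256: str  # hex digest of the shipped artifact (constructed here)

    def leaf_hash(self) -> bytes:
        # 0x00 prefix domain-separates leaves from interior nodes (RFC 6962).
        record = f"{self.package}|{self.version}|{self.artifact_sha256}".encode()
        return _h(b"\x00" + record)


def merkle_root(leaves: list[bytes]) -> bytes:
    """Merkle Tree Hash, RFC 6962 section 2.1 (split at largest power of two < n)."""
    n = len(leaves)
    if n == 0:
        return _h(b"")
    if n == 1:
        return leaves[0]
    k = 1 << (n.bit_length() - 1)
    if k == n:
        k //= 2
    return _h(b"\x01" + merkle_root(leaves[:k]) + merkle_root(leaves[k:]))


def inclusion_proof(leaves: list[bytes], m: int) -> list[bytes]:
    """Audit path for leaf m, RFC 6962 section 2.1.1."""
    n = len(leaves)
    if n <= 1:
        return []
    k = 1 << (n.bit_length() - 1)
    if k == n:
        k //= 2
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf_hash: bytes, index: int, tree_size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): is this leaf really at
    `index` in the tree whose (signed) head is `root`?"""
    fn, sn, r = index, tree_size - 1, leaf_hash
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = _h(b"\x01" + p + r)
            while not (fn & 1) and fn:
                fn >>= 1
                sn >>= 1
        else:
            r = _h(b"\x01" + r + p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


class TransparencyLog:
    """The append-only log as the store operator would run it."""

    def __init__(self) -> None:
        self.entries: list[Release] = []

    def append(self, release: Release) -> int:
        self.entries.append(release)
        return len(self.entries) - 1

    def _leaves(self) -> list[bytes]:
        return [e.leaf_hash() for e in self.entries]

    def tree_head(self) -> tuple[int, bytes]:
        return len(self.entries), merkle_root(self._leaves())

    def prove(self, index: int) -> list[bytes]:
        return inclusion_proof(self._leaves(), index)


def unauthorized_builds(log: TransparencyLog, package: str,
                        published_digests: set[str]) -> list[Release]:
    """Developer-side monitor: a logged build of `package` with a digest the
    developer never produced points at a key compromise or a coerced push."""
    return [e for e in log.entries
            if e.package == package and e.artifact_sha256 not in published_digests]


def demo() -> dict:
    log = TransparencyLog()
    ours = {"v1.0": "a1" * 32, "v1.1": "b2" * 32}  # constructed digests
    log.append(Release("chatapp", "v1.0", ours["v1.0"]))
    log.append(Release("other-tool", "v3.2", "c3" * 32))
    log.append(Release("chatapp", "v1.1", ours["v1.1"]))
    # Hypothetical build the developer never made, logged under their name.
    rogue_index = log.append(Release("chatapp", "v1.1", "d4" * 32))

    size, root = log.tree_head()
    installed = Release("chatapp", "v1.1", ours["v1.1"])  # what a client got
    proof_ok = verify_inclusion(installed.leaf_hash(), 2, size, log.prove(2), root)
    flagged = unauthorized_builds(log, "chatapp", set(ours.values()))
    return {"tree_size": size, "proof_ok": proof_ok,
            "flagged": [e.artifact_sha256 for e in flagged],
            "rogue_index": rogue_index}
```

The log does not stop the rogue build from being served; it makes the build a matter of public record that the developer's monitor catches, which is the "detectability after the fact" the comment argues for.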
I'm hoping they deploy some form of key transparency. E.g. CONIKS or CONAME, the version Yahoo and Google are working on for e2e that already has a production-ish grade server and client[0]. Either that or give the community a practical reason why it can't be used as is, and then we can start working on alternatives.
> 2) It's a shame to see key words be killed off by internationalisation concerns. 12 words seems so much more friendly, at least to English speakers, than a 50 digit number. In practice I doubt any non-trivial numbers of people will ever compare codes by reading out such a number. I hope further research here can develop better replacements for encoding short binary strings in i18n friendly ways (perhaps with icons instead of specific words? if you don't speak a common language with your chat partner then the app is useless anyway).
There's a QR code representation as well that can be scanned to verify.
My hope is that the next step for WhatsApp is to add editing of arbitrary received messages in the client app. While the protocol provides plausible deniability of messages in the cryptographic sense, it's hard for someone who sent an incriminating message to argue that their layperson recipient somehow modified the message when the app doesn't allow this to happen easily.
Noise is really interesting. I'd hoped from the name that it might incorporate some of the ideas behind Dust[1], which attempts to hide even that there is a Dust session going on, and what the public and private keys of the recipients are. No such luck — still, it looks very interesting.
1) I would assume Facebook still gets unencrypted access to my address book for use with their shadow profiles
2) We have zero control over what key the client encrypts the messages for. Is it only the other peer's phone? Or is it for the peer's phone plus Facebook for analysis of the messages?
Especially 2) is of some concern to me (against 1 I can't protect myself anyways because if people add me to their address books I'm screwed anyways). From that perspective, I'm still inclined to trust Apple's iMessage a bit more especially after recent events.
The only safe solution right now is to compile your own signal client and use that, of course at the cost of reach because nobody else is on Signal.
WhatsApp might be a good compromise at least for only semi-important messages: The probability that any of your contacts has WhatsApp is much, much higher than the probability of them having Signal running. On the other hand, whatever you're sending over WhatsApp is likely going to be used by FB (and then possibly handed out to governments and/or stolen by attackers).
I think this is a reasonable analysis. I would refine it this way (examples are only for illustrative purposes):
Tier 1 secure messengers: all possible tradeoffs in favor of security made; use for worst-case adversaries:
- Signal/TextSecure
- Pond
- PGP†
- OTR
Tier 2 secure messengers: serious secure messaging protocols that make some tradeoffs in favor of adoption and usability; use for normal messages of low sensitivity:
- WhatsApp
- iMessage
Tier 3 secure messengers: secure messaging protocols with flaws, limited cryptanalysis, only content-controlled browser clients, &c
- Redacted to avoid flamewars.
Everything else: insecure; use only to bootstrap conversations to a Tier 2 protocol (knowing that if you're a state-level target, you're exposed even after you "upgrade")
- Google Talk
- Facebook Messenger
- AIM
I think WhatsApp would like to be a tier 1 secure messenger (they'd be the first mainstream tier 1 secure messenger!) and they have a shot at being that, but they're probably some years away from it.
† (I know PGP and OTR are cryptographically limited compared to Signal Protocol, but from an OPSEC perspective they're still a tier above iMessage.)
I'm curious, is that because of what they did in the FBI case, or for technical reasons? IIRC iMessage would allow Apple to add public keys which they (or the FBI/$ADVERSARY) control as a sort-of backdoor as well. I can't say that I've been keeping track of Facebook's position or history on this topic, so it might or might not be fair to say that Apple deserves more trust here, but on a technical level there's not much of a difference.
> From that perspective, I'm still inclined to trust Apple's iMessage a bit more especially after recent events.
I'm surprised by this statement. After recent events I'd say the iMessage protocol is a weird ad-hoc construction that failed to follow basic modern crypto constructions like authenticated encryption and forward secrecy. I don't expect anything alike from the Signal Protocol.
This is insanely cool. For everyone (very rightfully) worried about the PATRIOT act, the NSA, etc., etc. this is absolutely huge.
One BILLION people just got their messages encrypted. Facebook was under no obligation to do this; for the vast majority of tech history the messages sent by 99% of people were very insecure, and when the tech giants responsible were asked their response was "ehh". This suddenly cuts into a huge portion of that. Pretty much everyone with a mobile phone in Europe or South America, as well as large parts of Asia, suddenly now has completely encrypted messages.
Kudos to Whatsapp for this fantastic move.
On a related note, if anyone is inspired by this announcement to start using encryption in other parts of their life, I have a handful of Keybase invites available (to bypass the 25k+ waiting list.) Keybase's security depends on lots of people tracking other people, so only ask for one if you'll track other people. I see too many people that make an account and nobody ever tracks them/they don't track anyone. My email's in my profile.
That last blog post is clearly written by Jan Koum, as it talks about his past in the Soviet Union. But his name doesn't appear anywhere on the blog post and if you didn't know that odd bit of trivia, it'd be completely confusing - who the heck is talking? Some random employee?
They need to add the name and job title of the blog post's author to the bottom.
Is there any reasonable way to verify that end-to-end encryption is actually being used, and used correctly? From a user's point of view the app looks and works exactly the same as before, except for the addition of a QR code which could be doing anything.
Without whatsapp being open source, how do we know for sure that Facebook is not somehow storing or reading our messages?
As good as this sounds on paper, I hesitate to trust Facebook to transmit my data without wanting to peek a bit. I currently use both Whatsapp and Signal and will probably continue to do the same unless there is a way for users to verify Facebook doesn't keep a copy.
- What if the government forces WhatsApp to write and push a targeted software update in order to compromise the end-to-end encryption (I'm of course thinking of the FBI vs Apple case)? Is there a way for the user to be notified?
- Does WhatsApp Auto Backup encrypt messages before sending them to Google Drive or iCloud?
- Would it be possible for WhatsApp Web to rely on backend servers storing an encrypted version of messages, instead of relying on a connection to the user's phone, and still be able to perform keyword search over the encrypted messages with something like github.com/strikeout/mylar?
> - Does WhatsApp Auto Backup encrypt messages before sending them to Google Drive or iCloud?
So you make a backup and lose the phone. What about the key? Is that gone too? Without it, encrypted backup is useless. How do you backup the key? You and me maybe will manage to do this, but what about grandma and all those people without anybody close who knows about this?
I came here apprehensive because you need UI support for this to work, but reading the article I was pleasantly surprised to see that they implemented all the verification and other bits to make this reasonably visibly secure.
Great job from everyone, I'm glad WhatsApp has done this. I look forward to these features on my device.
I'm looking at libaxolotl-c.
I'm a little bit disturbed about perfect forward/future secrecy.
Perfect forward secrecy ensures that a session key cannot be compromised if a long-term key is compromised in future.
With something like OTR even if a session key is compromised at n, session key at n-1 or n+1 will not be compromised. Here, we got perfect forward/future secrecy.
If I take a look at Axolotl, in the scenario where Alice sends a message to Bob while Bob is offline:
We can see that Alice re-uses CKs to get a new symmetric key.
So if an attacker gets CKs(n) he could easily compute CKs(n+1).
CKs is not a long-term key, but we cannot honestly call this _perfect_ future secrecy...
One more thing, if I remember correctly, according to the perfect forward secrecy definition, an implementation must NOT re-use a previous session key to derive a new one ...
"Perfect forward secrecy" requires synchronous key exchange. The compromise that Signal Protocol makes is for forward secrecy to "eventually repair" itself while in the meanwhile a limited number of messages are potentially vulnerable. That is one of the novel features of the protocol and it is what allows for async communication without some central server doing all the key mgmt (central key mgmt doesn't have this problem because it's actually synchronous).
Perfect forward secrecy is actually the opposite of what you mentioned.
"In cryptography, forward secrecy is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys."
If someone were to compromise your key and they had a packet log of all your communication then PFS, which Signal has, guarantees that they wouldn't be able to derive previous keys from the current key to decrypt previous messages from the packet log that came before the key compromise.
The thing you're talking about can be resolved by revoking compromised keys but knowing when to revoke those keys is a whole other problem that hasn't been solved by anyone to my knowledge...
Okay, first off: This is great. The most popular messaging app finally gets the security it needed. And we've just rolled out E2E to 1b 'monthly active users'.
However, I have always wondered one thing about WhatsApp: How does it generate any kind of meaningful revenue?
Apparently they've ditched the old $1 subscription model [0], and even that was so loosely enforced that I have never paid a single cent for WhatsApp in my life--and never will (got it while it was free on the iOS App Store and now have a 'Lifetime' subscription, if they don't change those at some point).
And even back then, maybe half of their 900m monthly active users [1] were iOS users who paid only once, and the rest may have dodged the fee in various ways. I have a really hard time believing the revenues so gained could ever actually cover the cost of R&D (especially for so many platforms) and infrastructure (which should be huge, given the amount of data they shift). Now they say they want customers to use WhatsApp as a platform, the way Facebook Messenger is doing it, but I'm not seeing any of those features implemented anywhere.
I always assumed there was some heavy data analysis going on behind the scenes--which would have been fair, I guess, since we're neither being shown ads nor really paying. Facebook's involvement added to that conviction. Now that they're encrypting everything (which, again, is wonderful), they can't analyze what is really, really interesting data anymore (keywords, etc.). And it's not like there was a public outcry for them to take this step--I would guess that not many end users actually appreciate the importance of E2E encryption.
So the question remains: How are they making money? You still have metadata (I presume), but then again, how do they use this data to make money if they can't always match it to a Facebook profile (where they can show you ads), and also, does this data really provide such a big improvement over all the data collected by Facebook and Facebook messenger? It just seems strange to me that WhatsApp apparently does not want to make any money.
Does anyone have any insight on this? What am I missing?
FB shelled out $15B for Whatsapp, and clearly the contents of these messages were a major factor in that valuation, especially once the subscription fee was phased out.
Now they're voluntarily encrypting. The only explanation I can come up with is that they are realizing that they will not be able to keep the contents of these messages for themselves in the face of motivated nation-state actors, and so they're killing that golden goose rather than share it. This seems pretty extreme and makes me wonder what is really going on behind the scenes.
My assumption is that there is a contingency to monetize metadata (something I'm not seeing discussed here too much) but I can't help but wonder if FB is now looking at the $15B as a huge overpayment.
One possible way they can benefit is to generate metadata (e.g. keywords used in messages) against a Whatsapp profile that they have linked to facebook accounts. They would then unleash their ad platform to users across the web where facebook ads are used.
I figure this isn't the question others want to discuss, but I too wonder the same. I think I used WhatsApp for a short period of time, until the point they asked me for money. Since then I haven't looked back. Now I am left wondering where their revenue comes from.
They get your phone number from WhatsApp which they can then use to connect customer surveys you've done in the past, which have phone numbers, names, email addresses. Even absent some of this info they can often discover who you are.
That's great news - secure-by-default is a huge thing, since it makes encrypted communication more normal. If most of your real-time communication is encrypted, then when and to whom you used encrypted communication isn't leaking valuable information.
The next step is some kind of noise injection into the metadata. There are almost certainly ways to look at who is chatting with who when. It'd be fantastic to automatically generate realistic-looking traffic to hide the normal stuff within. Plus, you'd be adding deniability to any communication you're having.
There's likely some pretty severe battery usage issues with it. If you offload the metadata fuzzing to a proxy server of some sort, then you're adding a vector to filter out that fuzz. It might be too big of a technical tradeoff to be worthwhile.
Great, now I really hope Telegram folks realise how much they already lost for not having open sourced their servers. Here in Brazil they've lost a huge amount of community power to Actor, which doesn't even have encryption.
Now, it's a shame Whatsapp doesn't have an open source client as well. As much as I appreciate encryption, it still looks like we're not going anywhere with a closed sourced program that is a pain in the arse to run on Linux.
Telegram secret chats are device specific which means you can't recover them if you get a new phone. How can Whatsapp recover encrypted chats on iCloud?
I'm grateful Whatsapp itself finally made a public statement about this as well, but I would hope they would go a step further and integrate this new change into its Privacy Policy as well.
Then they would be at least somewhat legally committed to using end-to-end encryption for the foreseeable future in which they'll keep using e2e encryption. I'd have a little more trust in them that they aren't just going to drop the E2E encryption for various individuals with just a phone call from government officials.
Kind of weird but I got the message claiming my chats were e2e encrypted but when testing it with a friend, his said no such thing, and his client claimed mine was out of date and our messages were NOT encrypted, despite there being a lock my side.
mike_hearn | 10 years ago
http://noiseprotocol.org/noise.html
StavrosK | 10 years ago
I have a feeling that English speakers are the minority of WhatsApp users.
> if you don't speak a common language with your chat partner then the app is useless anyway
They do speak a common language, it's usually just not English.
ianmiers | 10 years ago
[0] https://github.com/yahoo/conam
zeveb | 10 years ago
[1] http://freehaven.net/anonbib/cache/wileydust.pdf
Mafana0 | 10 years ago
I think it's actually a solid decision from WhatsApp since the majority of their users are from non English speaking countries[0].
[0]: http://www.statista.com/statistics/291540/mobile-internet-us...
Mafana0 | 10 years ago
The article links to the technical white paper[0] which explains why your points are invalid.
> I'm still inclined to trust apple's iMessage a bit more
Do you have any proof why iMessage is more secure or is that statement also baseless?
[0]: https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...
pfg | 10 years ago
// edit: got my answer here: https://news.ycombinator.com/item?id=11432629
Chris2048 | 10 years ago
Does this actually protect you? If data goes through US FB servers, don't the NSA have access?
levelpublish | 10 years ago
> However, WhatsApp on iOS still backs up chat logs to iCloud, and despite any effort by Facebook, those could be given to a law enforcement agency. It's not known whether the backups are encrypted, but we've reached out to Open Whisper Systems and will update with any new information.
Apple stores iMessage backups unencrypted and hands them out when given a lawful request (per https://thehackernews.com/2016/01/apple-icloud-imessages.htm...). WhatsApp needs to store encrypted backups to prevent this attack.
sauere | 10 years ago
Curious because when sending a .webm video from an Android device to an iOS device, the video file was transcoded on WhatsApp servers and then delivered to the iOS device as H264/mp4 (since iOS can not play .webm files).
This should no longer be working.
greenspot | 10 years ago
I'm asking because I could imagine that Whatsapp might get banned in some countries soon (as recently happened in Brazil) and thus, lose market share.
kijiki | 10 years ago
Zuck is way too savvy to publicly reverse that announcement once the deal closed. Imagine how bad that would look...
[+] [-] defiancedigital|10 years ago|reply
If i take a look at axolotl, in scenario Alice send message to bob when Bob is offline:
(1) , (2)
MK = HMAC-HASH(CKs, "0") // (3)
msg = Enc(HKs, Ns || PNs || DHRs) || Enc(MK, plaintext)
Ns = Ns + 1
CKs = HMAC-HASH(CKs, "1") // (4)
return msg
We can see that Alice re-uses CKs to get a new symmetric key. So if an attacker gets CKs(n) he could easily compute CKs(n+1). CKs is not a long-term key, but we cannot honestly call this _perfect_ future secrecy... One more thing, if I remember correctly, according to the definition of perfect forward secrecy, an implementation must NOT re-use a previous session key to derive a new one ...
Am I wrong?
(1) Quoted from https://github.com/trevp/axolotl/wiki
(2) see session_cipher_get_or_create_message_keys (https://github.com/WhisperSystems/libaxolotl-c/blob/0640b5ac...)
(3) I think we should read MK = HKDF(HMAC-HASH(CKs, 0x00)), see ratchet_chain_key_get_message_keys (https://github.com/WhisperSystems/libaxolotl-c/blob/0640b5ac...)
(4) I think we should read MK = HMAC-HASH(CKs, 0x02), see ratchet_chain_key_create_next (https://github.com/WhisperSystems/libaxolotl-c/blob/0640b5ac...)
[+] [-] ikawe|10 years ago|reply
I am not a cryptographer.
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] mobad|10 years ago|reply
"In cryptography, forward secrecy is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys."
https://www.wikiwand.com/en/Forward_secrecy
If someone were to compromise your key and they had a packet log of all your communication then PFS, which Signal has, guarantees that they wouldn't be able to derive previous keys from the current key to decrypt previous messages from the packet log that came before the key compromise.
The thing you're talking about can be resolved by revoking compromised keys but knowing when to revoke those keys is a whole other problem that hasn't been solved by anyone to my knowledge...
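As an added illustration of the point argued in the two comments above (this is not code from the thread, from libaxolotl or from the Axolotl wiki): a toy model of the sending-chain hash ratchet, using HMAC-SHA256 in place of HMAC-HASH and a random shared secret in place of the real DH ratchet (both assumptions). It shows that a leaked chain key exposes message keys from that point forward until the next DH ratchet, but never the keys that came before it.

```python
# Added example, not from the thread or libaxolotl. Toy Axolotl hash ratchet:
# HMAC-SHA256 stands in for HMAC-HASH; the DH ratchet is modelled by mixing a
# fresh random secret into the root key (assumption, not real X25519 output).
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def step_chain(ck: bytes) -> Tuple[bytes, bytes]:
    """One sending step: derive the message key MK, then advance CK.
    CK(n+1) is a one-way function of CK(n), so holding CK(n+1) does not
    reveal CK(n) or MK(n): that is the forward-secrecy guarantee."""
    mk = hmac_sha256(ck, b"\x01")        # message key for this step
    next_ck = hmac_sha256(ck, b"\x02")   # chain key for the next step
    return mk, next_ck


def dh_ratchet(rk: bytes, fresh_secret: bytes) -> Tuple[bytes, bytes]:
    """Simplified DH ratchet: new root key and chain key from the old root
    key and a fresh shared secret (random bytes stand in for DH output)."""
    out = hmac_sha256(rk, fresh_secret)
    return hmac_sha256(out, b"rk"), hmac_sha256(out, b"ck")


def simulate(n_msgs: int, leak_at: int, ratchet_at: Optional[int]) -> List[int]:
    """Send n_msgs messages, leak CK just before message leak_at, optionally
    run a DH ratchet before message ratchet_at, and return the indices of
    message keys an attacker holding the leaked CK can reconstruct."""
    rk, ck = dh_ratchet(os.urandom(32), os.urandom(32))
    real_keys, leaked_ck = [], None
    for i in range(n_msgs):
        if ratchet_at is not None and i == ratchet_at:
            rk, ck = dh_ratchet(rk, os.urandom(32))   # fresh DH secret heals
        if i == leak_at:
            leaked_ck = ck
        mk, ck = step_chain(ck)
        real_keys.append(mk)   # in practice MK is deleted after use
    # Attacker: the chain only runs forward from the leaked CK.
    ck, derived = leaked_ck, []
    for _ in range(n_msgs - leak_at):
        mk, ck = step_chain(ck)
        derived.append(mk)
    return [i for i, mk in enumerate(real_keys) if mk in derived]
```

With six messages and CK leaked before message 2, messages 0 and 1 stay safe (forward secrecy) while 2 to 5 are exposed; adding a DH ratchet before message 4 limits the exposure to messages 2 and 3.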
[+] [-] wodenokoto|10 years ago|reply
[+] [-] lauritz|10 years ago|reply
However, I have always wondered one thing about WhatsApp: How does it generate any kind of meaningful revenue? Apparently they've ditched the old $1 subscription model [0], and even that was so loosely enforced that I have never paid a single cent for WhatsApp in my life--and never will (got it while it was free on the iOS App Store and now have a 'Lifetime' subscription, if they don't change those at some point). And even back then, maybe half of their 900m monthly active users [1] were iOS users who paid only once, and the rest may have dodged the fee in various ways. I have a really hard time believing the revenues so gained could ever actually cover the cost of R&D (especially for so many platforms) and infrastructure (which should be huge, given the amount of data they shift). Now they say they want customers to use WhatsApp as a platform, the way Facebook Messenger is doing it, but I'm not seeing any of those features implemented anywhere. I always assumed there was some heavy data analysis going on behind the scenes--which would have been fair, I guess, since we're neither being shown ads nor really paying. Facebook's involvement added to that conviction. Now that they're encrypting everything (which, again, is wonderful), they can't analyze what is really, really interesting data anymore (keywords, etc.). And it's not like there was a public outcry for them to take this step--I would guess that not many end users actually appreciate the importance of E2E encryption.
So the question remains: How are they making money? You still have metadata (I presume), but then again, how do they use this data to make money if they can't always match it to a Facebook profile (where they can show you ads), and also, does this data really provide such a big improvement over all the data collected by Facebook and Facebook messenger? It just seems strange to me that WhatsApp apparently does not want to make any money.
Does anyone have any insight on this? What am I missing?
[0]: http://www.cnet.com/news/whatsapp-kills-1-subscription-fee/ [1]: http://qz.com/495419/whatsapp-has-900-million-monthly-active...
[+] [-] atomic77|10 years ago|reply
FB shelled out $15B for Whatsapp, and clearly the contents of these messages were a major factor in that valuation, especially once the subscription fee was phased out.
Now they're voluntarily encrypting. The only explanation I can come up with is that they are realizing that they will not be able to keep the contents of these messages for themselves in the face of motivated nation-state actors, and so they're killing that golden goose rather than share it. This seems pretty extreme and makes me wonder what is really going on behind the scenes.
My assumption is that there is a contingency to monetize metadata (something I'm not seeing discussed here too much) but I can't help but wonder if FB is now looking at the $15B as a huge overpayment.
[+] [-] pookeh|10 years ago|reply
[+] [-] giancarlostoro|10 years ago|reply
[+] [-] dave2000|10 years ago|reply
[+] [-] ThrustVectoring|10 years ago|reply
The next step is some kind of noise injection into the metadata. There are almost certainly ways to look at who is chatting with who when. It'd be fantastic to automatically generate realistic-looking traffic to hide the normal stuff within. Plus, you'd be adding deniability to any communication you're having.
There's likely some pretty severe battery usage issues with it. If you offload the metadata fuzzing to a proxy server of some sort, then you're adding a vector to filter out that fuzz. It might be too big of a technical tradeoff to be worthwhile.
[+] [-] samueloph|10 years ago|reply
Now, it's a shame Whatsapp doesn't have an open source client as well. As much as I appreciate encryption, it still looks like we're not going anywhere with a closed sourced program that is a pain in the arse to run on Linux.
[+] [-] free2rhyme214|10 years ago|reply
[+] [-] mtgx|10 years ago|reply
https://blog.whatsapp.com/10000618/End-to-end-encryption
I'm grateful Whatsapp itself finally made a public statement about this as well, but I would hope they would go a step further and integrate this new change into its Privacy Policy as well.
Then they would be at least somewhat legally committed to using end-to-end encryption for the foreseeable future in which they'll keep using e2e encryption. I'd have a little more trust in them that they aren't just going to drop the E2E encryption for various individuals with just a phone call from government officials.
[+] [-] robert_foss|10 years ago|reply
(I would assume so, but I would like to have it confirmed. From someone who actually knows what he's talking about.)
[+] [-] moxie|10 years ago|reply
[+] [-] whyagaindavid|10 years ago|reply
[+] [-] Ianvdl|10 years ago|reply
[+] [-] antihero|10 years ago|reply
https://imgur.com/a/pgJsH
This is kind of worrying. I'm sure it's not malicious but I have literally no idea if things are encrypted right now.
[+] [-] barbs|10 years ago|reply
https://news.ycombinator.com/item?id=11432356