item 12703266


uph | 9 years ago

> What I cannot comprehend is how respectable people and experts like Snowden and others from EFF can get behind a messenger whose authentication is based on cell phone numbers!

Authentication isn't based on cell phone numbers; that's just the identifier. See "verify security code" here: https://www.whatsapp.com/faq/en/general/28030015. The problem, which EFF does mention, is that "if your contact changes keys, this fact is hidden away by default."

> When an application sends all your contacts to its servers (whether they are hashed or not) and, more importantly, when your whole access depends on a non-encrypted code sent via SMS

Correct me if I'm wrong, but it seems as if you think that someone who hijacks your number will get access to some account where all your contacts are. That's not the case. The problem here is the same as above.

> and worst of all, your identifier can be tied to your real identity extremely easily, how can they call it secure at all?

> It is not all about E2E or how the crypto is designed or implemented, it's also about your anonymity, your social graph and other pieces of information which are arguably more important not to give away!

That doesn't make it insecure, it's just not anonymous. No one claims that it is, and it's not a goal: https://www.whatsapp.com/faq/en/general/20971813


Amir6 | 9 years ago

On the first point: Account authentication (when you set up your account or when you add a new device) is done via a non-encrypted text message delivered to you by the telco service. This method is extremely insecure, as it has been used by state and non-state sponsored hackers to hijack the account. IMHO the only reason a messaging service uses and relies on phone numbers to identify (and of course authenticate) accounts is to steal (that's how I see it) their contacts and force them to use the service in order to grow their user base. Such an unethical and disturbing practice cannot be endorsed by an organization like EFF.

Regarding the second point, as mentioned above, my problem is with the support EFF shows for such applications/corporations. If you are looking to avoid mass surveillance, of course the ability to be anonymous is critical.

uph | 9 years ago

> On the first point: Account authentication (when you set up your account or when you add a new device) is done via a non-encrypted text message delivered to you by the telco service. This method is extremely insecure, as it has been used by state and non-state sponsored hackers to hijack the account.

Again, the problem here is that "if your contact changes keys, this fact is hidden away by default." If WhatsApp did that by default, like Signal, then you would know that the key had changed.

> IMHO the only reason a messaging service uses and relies on phone numbers to identify (and of course authenticate) accounts is to steal (that's how I see it) their contacts and force them to use the service in order to grow their user base. Such an unethical and disturbing practice cannot be endorsed by an organization like EFF.

The phone number is used for contact discovery. You're not forced to do anything. For most people, when they download a messenger, they want to use it to talk to other people, and they don't find it disturbing or unethical when that's possible.

https://whispersystems.org/blog/contact-discovery/

> If you are looking to avoid mass surveillance, of course the ability to be anonymous is critical.

Luckily it's possible to use more than one app. I'm OK with my friends knowing who I am. This app makes it easy to find your friends. If you want to talk to people you don't know without them knowing who you are, there are other apps. That's not the purpose of this one. It doesn't make it bad, it doesn't make it insecure; it just means it's not for you.
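The property both replies keep coming back to, that a client should surface an identity-key change rather than hide it and let the two parties compare a security code out of band, as an added example that is not code from the thread, WhatsApp or Signal. The trust store, the sample keys and the code derivation (SHA-256 of both keys, rendered as 60 decimal digits) are constructed for illustration and are not the real apps' algorithms.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class KeyChange:
    """Event raised when a contact's pinned identity key differs from the one just seen."""
    contact: str
    old_key: bytes
    new_key: bytes


@dataclass
class TrustStore:
    """Trust-on-first-use store for contacts' long-term identity keys (constructed example)."""
    pinned: Dict[str, bytes] = field(default_factory=dict)   # contact -> identity key
    verified: Set[str] = field(default_factory=set)          # contacts whose code was compared out of band

    def observe(self, contact: str, key: bytes) -> Optional[KeyChange]:
        """Pin the key on first contact; on a later mismatch, report it instead of hiding it."""
        old = self.pinned.get(contact)
        if old is None:
            self.pinned[contact] = key          # first use: nothing to compare against yet
            return None
        if old == key:
            return None                         # unchanged: trust status stays as it was
        # Changed key: a reinstall, a new phone, or someone who took over the number.
        # Pin the new key but clear the verified mark so the user is prompted to re-compare.
        self.pinned[contact] = key
        self.verified.discard(contact)
        return KeyChange(contact, old, key)

    def mark_verified(self, contact: str) -> None:
        self.verified.add(contact)

    def is_verified(self, contact: str) -> bool:
        return contact in self.verified


def safety_code(key_a: bytes, key_b: bytes, digits: int = 60) -> str:
    """Order-independent code both parties can read to each other in person or on a call.
    Constructed derivation, not WhatsApp's or Signal's; it shows the property that matters:
    the same key pair gives the same code on both phones, a swapped key gives a different one."""
    digest = hashlib.sha256(b"".join(sorted((key_a, key_b)))).digest()
    number = f"{int.from_bytes(digest, 'big'):078d}"[:digits]   # SHA-256 fits in 78 digits
    return " ".join(number[i:i + 5] for i in range(0, digits, 5))
```

A client that behaves like this shows a "key changed" warning and a fresh code to compare; one that silently pins the new key is the default the EFF quote in the thread is about.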