Is There A Truly Secure Messaging App?

One could spend hours examining all the encrypted communications tools available, from popular services such as WhatsApp and Facebook’s Messenger to newcomers such as Signal and Wire, and still not settle the question in the headline. That was driven home recently by the revelation that WhatsApp’s handling of encryption keys could, in principle, let someone in control of its servers snoop on its users.

The vulnerability was found in the service’s implementation of end-to-end encryption, which is supposed to make it all but impossible for messages to be read by anyone except their intended recipient, and in WhatsApp’s management of the unique security keys used to scramble and unscramble those messages on users’ devices.

The problem stemmed from WhatsApp’s ability to issue new encryption keys for users who are offline, for example when they reinstall the app or switch phones. Key regeneration of this kind is common in secure communication tools, but WhatsApp is set apart by its decision to have the sender’s app automatically re-encrypt any undelivered messages with the new key and resend them, without telling either the sender or the recipient that the key has changed.

Because a party able to substitute keys, such as the service itself or anyone who compels it, could therefore receive those resent messages with no indication to anyone in the conversation, WhatsApp has effectively undermined the basic principle of end-to-end encryption: that only the intended recipient’s key can unscramble a message.

It would be easy to overreact to this issue. WhatsApp did not create a backdoor into its service – a claim with which Brian Acton, the company’s co-founder, has taken issue, saying WhatsApp would “fight any government request” to create one.

Nor did it introduce a vulnerability so critical that people should remove the app from their devices. Concerned users can verify a contact’s identity by comparing, out of band, the “fingerprints” associated with that contact’s key, and they can enable a setting that notifies them when a contact’s key has changed and messages have been re-encrypted with the new one.

Yet even the nature of those notifications is open to question. There are two options, blocking or non-blocking: a blocking notification holds outgoing messages until the user manually verifies that a new key is legitimate, while a non-blocking one simply tells the user that a key has changed and lets the messages go out. WhatsApp’s notifications are non-blocking. Signal, the encrypted messaging tool from Open Whisper Systems (OWS) whose end-to-end encryption protocol is used in WhatsApp, Messenger and other apps, uses blocking notifications.
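The difference between the two policies is easiest to see in code. The following toy client, added here as an illustration and not taken from WhatsApp, Signal or Wire, keeps a trust-on-first-use store of contacts’ identity keys, queues a message for an offline contact, and then receives a key-change notice from the server. Under the non-blocking policy the queued message is silently re-encrypted to the new key and delivered, which is the WhatsApp behaviour described above; under the blocking policy it stays queued until the user has compared fingerprints out of band. The `Client` class, the `scenario` helper, the key bytes and the fingerprint format (a truncated SHA-256, not any real app’s safety-number algorithm) are all constructed for this example.

```python
"""Toy model of a messaging client's response to a contact's identity-key change.
Constructed illustration only: not WhatsApp, Signal or Wire code, and the
fingerprint format is a stand-in, not any real app's safety-number algorithm."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Illustrative fingerprint: the first 128 bits of SHA-256(public key),
    printed as four hex groups that two users can read to each other."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


@dataclass
class Client:
    """Hypothetical sender-side client with a trust-on-first-use key store."""
    policy: str                                   # "blocking" or "non_blocking"
    trusted: dict = field(default_factory=dict)   # peer -> identity public key
    verified: set = field(default_factory=set)    # peers whose fingerprint the user checked
    outbox: dict = field(default_factory=dict)    # peer -> undelivered plaintexts
    sent: list = field(default_factory=list)      # (peer, key used, message)
    events: list = field(default_factory=list)    # notices shown to the user

    def first_contact(self, peer: str, key: bytes) -> None:
        self.trusted[peer] = key                  # TOFU: accept the first key seen

    def _deliver(self, peer: str, msg: str) -> None:
        # Stand-in for encrypting to the peer's current identity key and sending.
        self.sent.append((peer, self.trusted[peer], msg))

    def send(self, peer: str, msg: str, peer_online: bool = True) -> None:
        if peer_online:
            self._deliver(peer, msg)
        else:
            self.outbox.setdefault(peer, []).append(msg)   # wait for delivery

    def on_key_change(self, peer: str, new_key: bytes) -> None:
        """Server reports that the peer now has a different identity key."""
        old = self.trusted[peer]
        if old == new_key:
            return
        self.events.append(f"{peer}: key changed {fingerprint(old)} -> {fingerprint(new_key)}")
        self.trusted[peer] = new_key
        self.verified.discard(peer)               # any earlier verification is void
        if self.policy == "non_blocking":
            # Re-encrypt undelivered messages to the new key and send them now;
            # the user only sees the notice afterwards (the behaviour the article
            # attributes to WhatsApp). A substituted key would receive them too.
            for msg in self.outbox.pop(peer, []):
                self._deliver(peer, msg)
        # "blocking": undelivered messages stay queued until mark_verified().

    def mark_verified(self, peer: str, fingerprint_seen_out_of_band: str) -> None:
        """User compared fingerprints with the peer in person or over another channel."""
        if fingerprint_seen_out_of_band != fingerprint(self.trusted[peer]):
            raise ValueError(f"fingerprint mismatch for {peer}: do not send")
        self.verified.add(peer)
        for msg in self.outbox.pop(peer, []):     # safe to release the queue now
            self._deliver(peer, msg)


def scenario(policy: str) -> Client:
    """Constructed scenario: Alice queues a message for an offline Bob, then
    the server announces that Bob's identity key has changed."""
    alice = Client(policy)
    alice.first_contact("bob", b"bob-identity-key-v1")   # constructed key bytes
    alice.send("bob", "meet at 6?", peer_online=False)
    alice.on_key_change("bob", b"bob-identity-key-v2")
    return alice


if __name__ == "__main__":
    for policy in ("non_blocking", "blocking"):
        c = scenario(policy)
        print(policy, "sent:", c.sent, "queued:", c.outbox, "events:", c.events)
```

Note that in both policies the client records the change and invalidates any earlier verification; the only difference is whether the undelivered message waits for the user. That waiting step is exactly what makes the blocking policy safe against a substituted key, and exactly what users find disruptive.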

Moxie Marlinspike of OWS said Signal planned to make blocking notifications an option for some users and use non-blocking notifications by default.

“The feedback we’ve gotten is that most of our users don’t want these messages to be blocking,” he said. “What they want is just to have the ability to verify the integrity of their communication and to see when these things are happening, but they don’t want it to interrupt their ordinary workflow.”

Which brings the conversation back to the root of the problem: should messaging apps 

“It really depends on the service provider and the risk it wants to take,” said Alan Duric, chief technology officer at the Wire secure communications provider.

“It is relatively difficult for WhatsApp to put it as ‘blocking’ when it has a billion users. And by doing it [the way WhatsApp has done it] you have a trade-off with the user experience and sacrificing something on security.”

Wire takes the opposite approach by valuing security over convenience.

Some messaging apps follow WhatsApp in not informing users of key changes by default. Others, like Wire, don’t send messages to contacts whose keys have changed without the user’s consent. These companies will face criticism no matter what they choose. WhatsApp users might worry that their messages are insecure; Wire users might grow tired of security notifications, and Wire might change its approach based on user feedback, as OWS is doing with the Signal app.

There is no right or wrong answer. The same can be said for other decisions, such as Google’s Allo and Facebook Messenger offering end-to-end encryption only as an opt-in mode (Messenger calls its “secret conversations”) rather than by default, which the companies say allows them to offer features that wouldn’t be possible otherwise. Apps that do use encryption by default – such as Signal and Wire, among others – require people to convince everyone with whom they wish to communicate to switch to unfamiliar messaging tools.

Which is why these companies have different approaches to the same problem. WhatsApp has to decide between making 1 billion people more secure in non-obtrusive ways or notifying them every time a security key has changed. Google must balance efforts to make people more secure with the desire to offer features that could help a newcomer like Allo compete with established services. Even more privacy conscious apps like Signal have to design with their users in mind.

There will never be a one-size-fits-all answer in the secure communications market. Just as these services have to decide which problems they wish to solve, consumers must choose the app that best suits their needs. More apps support end-to-end encryption than ever, and even if none of them is perfect, private communications are more secure than before. These are nuanced problems that must be considered with care instead of being oversimplified.

“WhatsApp has designed a pretty good thing with really considerable care and has successfully deployed it to the largest network of end-to-end encryption in the history of the world,” Marlinspike said.

“Approaching questions of the best user experience and how we should think about these problems by just calling this a ‘backdoor’ and telling everyone to uninstall WhatsApp does a lot more harm than good, because it’s just going to drive people to other apps that use way less consideration and care that users are also not capable of evaluating the goodness of.”

Guardian
