WhatsApp Becomes The Latest Victim

Is there a truly secure messaging app? One could spend hours examining all the encrypted communications tools available, from popular services such as WhatsApp and Facebook’s Messenger to newcomers such as Signal and Wire.

But while experts agree that some of these options are more secure than others, there always seems to be another flaw waiting to be discovered. This makes the search for a perfect app resemble the hunt for the goose that laid the golden egg.

That point was driven home recently with the revelation that attackers could exploit a security vulnerability in WhatsApp to snoop on its users.

The vulnerability was found in the service’s implementation of end-to-end encryption, which is supposed to make it all but impossible for messages to be read by anyone except their intended recipient, and in WhatsApp’s management of the unique security keys used to scramble and unscramble those messages on users’ devices.

The problem stemmed from WhatsApp’s ability to create new encryption keys for offline users. This is common for secure communication tools, but WhatsApp is set apart by its decision to re-encrypt messages with the new keys without informing their sender or recipient.

This could allow someone to intercept communications with no indication to anyone involved with the conversation. WhatsApp has therefore effectively undermined the basic principle of end-to-end encryption.

It would be easy to overreact to this issue. WhatsApp did not create a backdoor into its service, a claim with which Brian Acton, the company’s co-founder, publicly took issue, saying WhatsApp would “fight any government request” to create one.

Nor did it introduce a vulnerability so critical that people should remove the app from their devices. Concerned users can verify someone’s identity by comparing the “fingerprints” associated with their key, and they can enable a setting that notifies them when a message has been re-encrypted with a new key.

Yet even the nature of those notifications is up to question. There are two options, blocking or non-blocking, which refer to requiring users to manually verify that a new key is legitimate or simply notifying them when a key has been changed.

WhatsApp notifications are non-blocking. Signal, the encrypted messaging tool from Open Whisper Systems (OWS) whose end-to-end encryption protocol is used in WhatsApp, Messenger and other apps, uses blocking notifications.

Some messaging apps follow WhatsApp in not informing users of key changes by default. Others, like Wire, don’t send messages to people with new keys without user consent. These companies will face criticism no matter what they choose, WhatsApp users might worry that their messages are insecure; Wire users might grow tired of security notifications, and might change their approach based on user feedback as OWS is doing with the Signal app.

There is no right or wrong answer. The same can be said for other decisions, such as Google’s Allo and Facebook Messenger’s “secret conversations” not using end-to-end encryption by default, which the companies say allows them to offer features that wouldn’t be possible otherwise.

Apps that do use encryption by default, such as Signal and Wire, among others, require people to convince everyone with whom they wish to communicate to switch to unfamiliar messaging tools.

There will never be a one-size-fits-all in the secure communications market. Just as these services have to decide on what problems they wish to solve, consumers must choose the app that best suits their needs.

More apps support end-to-end encryption than ever, and even if none of them are perfect, this means private communications are more secure than before.

These are nuanced problems that must be considered with care instead of being oversimplified.

Guardian:

WhatsApp Implements Encryption:             Delete/Never-Use Google Allo: Says Snowden:

 

 

« How To Automate Cyber Defense
Technology, Multilateralism, War and Peace »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Disklabs

Disklabs

Disklabs are industry leaders in data recovery, digital forensics and data erasure.

High Sec Labs (HSL)

High Sec Labs (HSL)

High Sec Labs develops high-quality, cyber-defense solutions in the field of network and peripheral isolation.

e-End

e-End

e-End provides hard drive shredding, degaussing and data destruction solutions validated by the highest electronic certifcations to keep you compliant with GLB, SOX, FACTA, FISMA, HIPAA, COPPA, ITAR.

Zerodium

Zerodium

Zerodium is the leading exploit acquisition platform for premium zero-days and advanced cybersecurity research.

BetaDen

BetaDen

BetaDen provides a revolutionary platform for businesses to develop next-generation technology, such as the internet of things and industry 4.0.

Satori Cyber

Satori Cyber

The Satori Cyber Secure Data Access Cloud is the first solution on the market to offer continuous visibility and granular control for data flows across all cloud and hybrid data stores.

ISARR

ISARR

The ISARR software platform - your bespoke Risk, Resilience & Security Management solution. Simple, cost effective and adaptable, now and into the future.

NodeSource

NodeSource

NodeSource helps organizations run production-ready Node.js applications with greater visibility into resource usage and enhanced awareness around application performance and security.

Progress Partners

Progress Partners

Progress Partners is a corporate advisory firm that works with buyers and sellers of emerging growth companies to complete M&A or private placement transactions. Our sectors include cybersecurity.

Winmill Software

Winmill Software

Winmill is a technology services company that provides expert consulting services in Application Development, Application Security and Cyber Security.

Orpheus Cyber

Orpheus Cyber

Orpheus Cyber provides predictive and actionable intelligence to our clients - enabling them to anticipate, prepare for and respond to the cyber threats they face.

ImmuneBytes

ImmuneBytes

ImmuneBytes is a cutting-edge security startup that aims to provide a secure blockchain environment for a dependable and open Web3 ecosystem.

Menaya

Menaya

Menaya provide Ethical Hackers for leading companies while also providing cyber security solutions to help major infrastructures protect against cyber crime.

ThrottleNet

ThrottleNet

ThrottleNet provides world-class managed IT services and cybersecurity to organizations in St. Louis and throughout Missouri.

Board of Cyber

Board of Cyber

Board of Cyber offers Security Rating: a fast, non-intrusive, continuous, 100% automated solution to evaluate the cyber performance of an organization.

Centum Digital

Centum Digital

Centum Digital provide services, products and solutions specialized in communications engineering, control and signal intelligence.