WHATSAPP, A MESSAGING platform owned by Facebook, is well known as one of the more secure messengers on the market.
Whatsapp redesigned its backend earlier this year so that every message sent using the service will be protected in a way that even Whatsapp would not be able to read it if it wanted to, called end-to-end encryption.
But a Guardian report published yesterday cast doubt on Whatsapp’s security, saying that a “vulnerability” or “backdoor” existed that could allow governments to snoop on people’s private messages.
But don’t worry, there is no backdoor in Whatsapp like the FBI was seeking for the iPhone says Moxie Marlinspike, one of the people behind Whatsapp’s encryption.
Marlinspike is founder of Open Whisper Systems, which helped designed Whatsapp’s security protocol and shot back against The Guardian’s claims in a long and detailed blog post.
Cryptography is detail-oriented and complicated, and often summaries can get important aspects wrong, but here goes: Messaging systems need to know if the person it’s sending a message to is actually who he says he is.
But Whatsapp decided that if one messenger changed his security key, then it would simply give the user a warning — instead of blocking him entirely like some secure messengers do, it would simply display a warning, like this:
This decision led The Guardian to speculate that a government might be able to pull off “man-in-the-middle” attacks and hijack messages meant for another person.
Marlinspike explains:
Most end-to-end encrypted communication systems have something that resembles this type of verification, because otherwise an attacker who compromised the server could lie about a user’s public key, and instead advertise a key which the attacker knows the corresponding private key for. This is called a “man in the middle” attack, or MITM, and is endemic to public key cryptography, not just Whatsapp.
In fact, Whatsapp made a security choice based on usability, because it has 1 billion users, and shutting down people’s conversations could be annoying for its users. Even worse, it could make the entire system less secure. Cryptographers have to make trade-offs all the time.
“Given the size and scope of Whatsapp’s user base, we feel that their choice to display a non-blocking notification is appropriate,” Marlinspike says.
“The choice to make these notifications “blocking” would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn’t, effectively telling the server who it could MITM transparently and who it couldn’t.”
Response
Whatsapp has denied that a “backdoor” exists to its content, providing a lengthy comment from cofounder Brian Acton that’s partly reproduced here:
The Guardian’s story on an alleged “backdoor” in Whatsapp is false. Whatsapp does not give governments a “backdoor” into its systems. Whatsapp would fight any government request to create a backdoor.Since April 2016, Whatsapp messages and calls are end-to-end encrypted by default. Whatsapp also offers people a security notifications feature that alerts them when people change keys so that they can verify who they are communicating with…Like everything else in Whatsapp, it’s designed to be simple. We built end-to-end encryption with encryption as the default so not a single one of our 1 billion users has to turn on encryption.This is also true for people who delete and reinstall Whatsapp or for those who change their phones. For some people, this can be a frequent occurrence as people manage data charges and phone storage, or share devices with family members.
We want to make sure that people in these situations do not lose access to messages sent to them while they are in the midst of re-installing the app or changing their phones. Because a person’s encryption key is changed when Whatsapp is installed on a new phone or re-installed on an old device, we make sure those messages can eventually be read using the new key.
“We appreciate the interest people have in the security of their messages and calls on Whatsapp. We will continue to set the record straight in the face of baseless accusations about “backdoors” and help people understand how we’ve built Whatsapp with critical security features at such a large scale.”
- Business Insider- Kif Leswing
To embed this post, copy the code below on your site
have your say