WhatsApp encrypts ALL its worldwide jabber • The Register

WhatsApp has announced that it will encrypt all its 600m users’ text messages by default, which is a serious stride forward for privacy – and one which will no doubt be criticised by spooks and police worldwide.

The rollout, announced today, was described by the app maker as the “largest deployment of end-to-end encryption ever.” The feature will, it’s hoped, safeguard messages from eavesdroppers by encrypting chats between people.

There are limits to Facebook-owned WhatsApp’s end-to-end encryption. So far, it only covers text messaging (as opposed to group messages or pictures), it only works on Android, and it remains open to potential man-in-the-middle attacks because there’s no way to verify the identity of the person you’re messaging.

Whisper Systems – the company behind the TextSecure software used for the encryption – said in a blog post that it was working on those issues, but nevertheless seems justifiably pleased with itself.

“We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default,” it said.

WhatsApp is estimated to have 600 million monthly active users cranking out billions of messages every day.

The open-source TextSecure software allows two devices to exchange encryption and decryption keys in a way that an eavesdropper and the TextSecure servers cannot crack. Assuming WhatsApp uses the same system, and hasn’t compromised it for the feds, WhatsApp can’t decrypt messages in transit, and TextSecure encrypts data at rest. It uses Curve25519, AES256, and HMAC-SHA256 to protect chats over the wires.

The software also provides perfect forward secrecy by using new AES keys for each message: if an attacker is able to decrypt one text, past messages cannot be cracked using that unique key.

Apple’s iMessage system, according to Cupertino [PDF, page 30], works along the same lines, except Apple manages a central database of public keys: every registered iThing and Mac has its own private-public key, with the public keys stored in the iCloud, and every message sent to someone is encrypted using the public keys for each of the recipient’s devices.

HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber • The Register.

No Comments so far.

Leave a Reply