By now you will have seen a headline screaming something about the security of Facebook's WhatsApp messaging service, with claims ranging from a backdoor purposefully inserted into the app to a complete denial of any security risk at all. The actual issue is much larger than WhatsApp and concerns all applications which depend on public key encryption.
Many applications use public keys for their encryption. The encryption relies on keys unique to the sender's and receiver's devices, and the public key is used to verify the authorization of a new device. If your account's key were permanently attached to a specific piece of hardware, you would need a separate account for each device you used, which would be quite onerous.
The issue is that the Open Whisper Systems Signal protocol is configured by WhatsApp in a way which makes the data vulnerable to a man-in-the-middle attack. If you can manage to block the transmission of a message, then take over one of the authorized device's accounts or phone numbers and trigger the generation of a new private key via a public key request to Facebook, you will be able to read messages until people realize what is going on. This is not impossible but far from easy to accomplish, and it affects any similar encryption system, not just WhatsApp.
Perhaps more worrying is Facebook's ability to take advantage of this, as they can generate a new public key to read messages if they so choose. If you are concerned about this, you can enable the Show Security Notifications setting under Settings -> Account -> Security to be notified whenever a contact's security code has changed. The Register links to several articles which delve into the technology as well as the media's reactions, if you are interested.
"The problem – which is "endemic to public key cryptography" – was raised in April last year, and at the time WhatsApp said it wasn't a serious enough design flaw to spend time fixing."
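To make the trade-off concrete, here is a simplified model of a sender's key-change policy, added as an illustration and not taken from WhatsApp or the Signal protocol code. The `Sender` class, its fields, the sample keys and the `block_on_key_change` policy are all assumptions; it goes slightly beyond the text by contrasting the notify-only setting with a stricter policy that holds undelivered messages until the new security code is accepted.

```python
import hashlib
from dataclasses import dataclass, field

OLD_KEY = b"constructed-old-public-key"   # constructed sample values,
NEW_KEY = b"constructed-new-public-key"   # not real key material

def fingerprint(public_key: bytes) -> str:
    """Stand-in for a contact's security code: truncated SHA-256 of the key."""
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass
class Sender:
    block_on_key_change: bool   # hypothetical stricter policy (assumption)
    show_notifications: bool    # models the Show Security Notifications setting
    pinned: dict = field(default_factory=dict)   # contact -> pinned fingerprint
    pending: list = field(default_factory=list)  # (contact, text) not yet delivered
    sent: list = field(default_factory=list)     # (contact, text, fingerprint used)
    alerts: list = field(default_factory=list)

    def on_key_announced(self, contact: str, public_key: bytes) -> None:
        new_fp, old_fp = fingerprint(public_key), self.pinned.get(contact)
        changed = old_fp is not None and old_fp != new_fp
        if changed and (self.show_notifications or self.block_on_key_change):
            self.alerts.append(f"security code for {contact} changed")
        if changed and self.block_on_key_change:
            return  # keep the old pin; pending messages wait for accept()
        self.accept(contact, public_key)

    def accept(self, contact: str, public_key: bytes) -> None:
        """Pin the key and (re)send everything still pending for the contact."""
        self.pinned[contact] = fingerprint(public_key)
        for c, text in [m for m in self.pending if m[0] == contact]:
            self.sent.append((c, text, self.pinned[contact]))
        self.pending = [m for m in self.pending if m[0] != contact]

def run_scenario(block: bool, notify: bool) -> Sender:
    s = Sender(block_on_key_change=block, show_notifications=notify)
    s.on_key_announced("alice", OLD_KEY)        # first contact: key is pinned
    s.pending.append(("alice", "meet at 6"))    # sent, but delivery was blocked
    s.on_key_announced("alice", NEW_KEY)        # a new key appears for alice
    return s

if __name__ == "__main__":
    for block, notify in [(False, False), (False, True), (True, True)]:
        s = run_scenario(block, notify)
        print(block, notify, "sent:", s.sent, "alerts:", s.alerts)
```

With notifications off, the pending message goes out under the new key with no alert; with them on, the alert appears but the message has already been sent; only the blocking policy keeps the message back until `accept()` is called after the code is checked out of band.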