By now you will have seen a headline screaming something about the security of Facebook's WhatsApp messaging service, with claims ranging from a backdoor purposefully inserted into the app to a complete denial of any security risk at all. The actual issue is much larger than WhatsApp and concerns all applications which depend on public key encryption.
Many applications utilize public keys for their encryption. The encryption relies on keys unique to the sender's and receiver's devices, and the public key is used to verify the authorization of a new device. If your account's key were permanently attached to a specific piece of hardware you would need a separate account for each device you used, which would be quite onerous.
The issue is that the Open Whisper Signal protocol is configured by WhatsApp in a way which makes the data vulnerable to a man-in-the-middle attack. If you can manage to block the transmission of a message, then take over one of the authorized devices' accounts or phone numbers and trigger the generation of a new private key via a public key request to Facebook, then you will be able to read messages until people realize what is going on. This is not impossible but far from easy to accomplish, and affects any similar encryption system, not just WhatsApp.
Perhaps more worrying is Facebook's ability to take advantage of this, as they can generate a new public key to read messages, if they so choose. If you are concerned about this, you can enable the Show Security Notifications setting under Settings -> Account -> Security to be notified whenever a contact's security code has changed. The Register links to several articles which delve into the technology as well as the media's reactions here, if you are interested.
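The sender-side handling of a changed key described above can be modelled in a few lines. This is an added example, not WhatsApp's or Open Whisper Systems' code: it performs no real encryption and only records which key each message was encrypted to. The policy names, sample keys and security-code format are assumptions, and the "block" policy is a stricter alternative included for comparison.

```python
import hashlib
from dataclasses import dataclass, field

OLD_KEY = b"constructed-identity-key-of-bob's-phone"       # sample values, not real keys
NEW_KEY = b"constructed-identity-key-after-re-registration"

def security_code(identity_key: bytes) -> str:
    """Short fingerprint of a public identity key (format invented for this model)."""
    return hashlib.sha256(identity_key).hexdigest()[:12]

@dataclass
class Sender:
    policy: str                                   # "silent", "notify" or "block" (hypothetical)
    pinned: dict = field(default_factory=dict)    # contact -> security code trusted so far
    pending: list = field(default_factory=list)   # (contact, text) sent but not delivered
    sealed: list = field(default_factory=list)    # (security code encrypted to, text)
    notices: list = field(default_factory=list)   # what the user is shown

    def send(self, contact, text, key, delivered):
        self.pinned.setdefault(contact, security_code(key))    # trust on first use
        self.sealed.append((security_code(key), text))
        if not delivered:
            self.pending.append((contact, text))

    def key_changed(self, contact, new_key):
        """The server advertises a new identity key for the contact."""
        if security_code(new_key) == self.pinned.get(contact):
            return
        if self.policy == "block":                # hold the queue until the user verifies
            self.notices.append(f"{contact}: security code changed, verify before resending")
            return
        self.accept(contact, new_key)             # re-encrypt first ...
        if self.policy == "notify":               # ... and tell the user afterwards
            self.notices.append(f"{contact}: security code changed")

    def accept(self, contact, new_key):
        """Pin the new key and re-encrypt that contact's pending messages to it."""
        self.pinned[contact] = security_code(new_key)
        for item in [p for p in self.pending if p[0] == contact]:
            self.sealed.append((self.pinned[contact], item[1]))
            self.pending.remove(item)

def scenario(policy):
    s = Sender(policy)
    s.send("bob", "hello", OLD_KEY, delivered=True)
    s.send("bob", "meet at 6", OLD_KEY, delivered=False)    # transmission was blocked
    s.key_changed("bob", NEW_KEY)
    return s
```

In this model, "silent" and "notify" both leave the undelivered message encrypted to the new key before the user can react; the notification only makes the change visible afterwards. Messages that were already delivered are never re-encrypted under any policy.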
"The problem – which is "endemic to public key cryptography" – was raised in April last year, and at the time WhatsApp said it wasn't a serious enough design flaw to spend time fixing."
Here is some more Tech News from around the web:
- Microsoft's Security Bulletins Will End In February @ Slashdot
- Windows 10 Gets A New Linux: openSUSE @ Slashdot
- Just give up: 123456 is still the world's most popular password @ The Register
- Drone company fails to take off, tells pre-orderers: You can have your $34m back @ The Register
- Microsoft's Surface Studio has Enticing Features @ Hardware Secrets
- McDonald's website insecurity leaves passwords open to Hamburgling @ The Inquirer
- Canary Smart Home Security Device Review @ NikKTech
Take a look at Open Whisper Systems' response to the Guardian article.
https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
Ya, that would be one of the links in that article.
“This is not impossible but far from easy to accomplish, and [affects] any similar encryption system, not just WhatsApp.”
Fixed it.
Well! I did not know that. I don’t spend much time on WhatsApp...
Well, yeah. When you put your trust in Facebook to be the cert authority and your method of authenticating to Facebook is your phone number, it’s kind of a given that Facebook and whoever can take over your phone number will be able to read anything sent to you.
And I don’t know how naive you have to be to think that Facebook, which is a huge company that makes billions selling user data, would be aggravating surveillance states by offering legitimately secure means of communication to people.
It does seem rather a storm in a teacup: why would Facebook on behalf of some state actor do this ludicrous key-swapping song-and-dance (in order to inject a known key you’d need a server to continuously re-encrypt with the target’s key in order for them to be able to receive the messages at all) that is easily detectable, when they ALREADY have you using a closed-source app that could simply upload your private key in the first place?!
It’s like the laughable people declaring they don’t trust ‘M$’ and therefore going and downloading some dodgy program to mess with registry keys and supposedly disable telemetry. All the while they’re still running Windows, and are therefore ownd by default. If you don’t trust your OS, you’re fucked, so don’t bloody use it at all!
In both cases, not only is the paranoia unjustified, but the reaction is completely ineffective in addressing the supposed issue in the first place.