WhisperSystems + WhatsApp

Marco Pozzato mpodroid at gmail.com
Wed Nov 19 00:46:50 PST 2014 

WhisperSystems designed good protocols, but I am afraid that Moxie was too
anxious to release this info and hit ENTER key too early :-)

I am quite skeptical about the actual value from the security point of this
press release.

WhisperSystems reports about end-to-end encryption, that means, I encrypt
my message with an encryption key that only you or both of us know.

   1. How can we negotiate that key? Users are not involved, but everything
   happens automatically, under the hood, between two whatsapp clients. How?
   they negotiate the encryption keys through whatsapp servers: is it my own
   key or the NSA one? are they leaking the key to Facebook?
   2. We do need to authenticate the identity, eg: via QR code,
   fingerprint, spell it loudly on the phone,  etc.., which reduces usability,
   especially for mass market.
   3. Last but not least: even if we authenticated identities and keys, how
   can we be sure that whatsapp client is really using the authenticated keys
   and not the NSA keys, maybe only on a white list of suspected mobile phone
   numbers? above all, they provide a proprietary and closed source app

The security model is faulted, at the root level:

   - If I subscribe to a security service - such as messaging -,  the
   service provider is untrusted by default. I need total transparency ->
   every single components in the architecture should be auditable and open
   source
   - If mobile app is closed source, I can trust only the infrastructure
   that should be under my full control, to be sure that no information leak
   outside infrastructure is ever possible.


My 2 cents

Marco

2014-11-19 7:25 GMT+01:00 Eric Mill <eric at konklone.com>:

> This was honestly just about as exciting as the new EFF/Mozilla/Akamai/etc
> CA. Strong encryption with no UX degradation, for *so* many people, and the
> post certainly indicates it'll be going into the rest of WhatsApp's native
> applications.
>
> I'm sure this fed into improvements into the TextSecure protocol, and that
> the PR will help WhisperSystems obtain more partnerships like this. A great
> day for the TS project.
>
> On Tue, Nov 18, 2014 at 6:35 PM, rysiek <rysiek at hackerspace.pl> wrote:
>
>> Well,
>>
>> I didn't see THAT coming:
>> https://whispersystems.org/blog/whatsapp/
>>
>> --
>> Pozdr
>> rysiek
>
>
>
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 3484 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20141119/570e4515/attachment-0001.txt>

More information about the cypherpunks mailing list