Oct 11, 2016

Looking at WhatsApp's security whitepaper:

"WhatsApp calls are also end-to-end encrypted. When a WhatsApp user initiates a call:

1. The initiator builds an encrypted session with the recipient (as outlined in Section Initiating Session Setup), if one does not already exist.
2. The initiator generates a random 32-byte SRTP master secret.
3. The initiator transmits an encrypted message to the recipient that signals an incoming call, and contains the SRTP master secret.
4. If the responder answers the call, an SRTP encrypted call ensues."

From wikipedia:

"Signal voice calls are encrypted with SRTP and the ZRTP key-agreement protocol, which was developed by Phil Zimmermann.[1][57]"

So from where I'm reading they seem to be doing more or less the same thing when it comes to encrypting voice calls.

https://www.whatsapp.com/security/WhatsApp-Security-Whitepap... https://en.wikipedia.org/wiki/Signal_(software)
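The four call-setup steps quoted above, walked through as an added example that is not part of this post, the whitepaper, or any WhatsApp or Signal code: both parties already hold a session (modelled as a shared 32-byte session key standing in for the Signal session), the initiator draws a random 32-byte master secret and ships it inside an authenticated, encrypted signalling message, and both sides then derive separate per-direction media keys from it. To keep the code standard-library only, the session cipher and the SRTP transform are replaced by a toy encrypt-then-MAC built from an HMAC-SHA256 keystream and an 80-bit HMAC tag; real SRTP uses AES-CM with HMAC-SHA1 (RFC 3711). The key labels, header layouts and class names are this example's own assumptions.

```python
"""Added example (not WhatsApp's, Signal's or the whitepaper's code).

Models the quoted call flow: shared session -> random 32-byte master secret
-> secret carried in an encrypted signalling message -> per-direction media keys.
The ciphers below are toy stand-ins for the Signal session cipher and SRTP.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 10  # 80-bit tag, the same length as SRTP's default HMAC-SHA1-80


def hkdf(ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256 with an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, ctr = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([ctr]), hashlib.sha256).digest()
        out, ctr = out + block, ctr + 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF in counter mode (stand-in for AES-CM); a nonce must never repeat per key."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(enc_key: bytes, mac_key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; `aad` is the in-the-clear header, used as nonce and authenticated."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, aad, len(plaintext))))
    return ct + hmac.new(mac_key, aad + ct, hashlib.sha256).digest()[:TAG_LEN]


def unseal(enc_key: bytes, mac_key: bytes, aad: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(mac_key, aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: packet modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, aad, len(ct))))


class CallParty:
    def __init__(self, session_key: bytes, role: str):
        # Step 1: an encrypted session already exists (assumed: a shared key).
        self.role = role  # "initiator" or "responder" (both 9 bytes long)
        self.sig_enc = hkdf(session_key, b"signalling-enc", 32)
        self.sig_mac = hkdf(session_key, b"signalling-mac", 32)
        self.sig_ctr = 0
        self.srtp = None

    def _sig_header(self) -> bytes:
        # Role + per-sender counter: the two parties share signalling keys,
        # so the nonce must differ per direction to avoid keystream reuse.
        hdr = self.role.encode() + struct.pack(">I", self.sig_ctr)
        self.sig_ctr += 1
        return hdr

    def place_call(self) -> bytes:
        master = os.urandom(32)  # Step 2: fresh random 32-byte master secret
        self._install_srtp(master)
        hdr = self._sig_header()  # Step 3: secret rides inside the session
        return hdr + seal(self.sig_enc, self.sig_mac, hdr, b"CALL" + master)

    def answer_call(self, wire: bytes) -> None:
        hdr, body = wire[:13], wire[13:]
        msg = unseal(self.sig_enc, self.sig_mac, hdr, body)
        if msg[:4] != b"CALL" or len(msg) != 36:
            raise ValueError("not a call offer")
        self._install_srtp(msg[4:])  # Step 4: same secret on both ends

    def _install_srtp(self, master: bytes) -> None:
        # One master secret, separate enc/auth keys for each direction.
        keys = {d: (hkdf(master, b"srtp-enc-" + d, 32), hkdf(master, b"srtp-auth-" + d, 32))
                for d in (b"i2r", b"r2i")}
        out, inp = (b"i2r", b"r2i") if self.role == "initiator" else (b"r2i", b"i2r")
        self.srtp = {"send": keys[out], "recv": keys[inp]}
        self.pkt_index = 0

    def send_audio(self, frame: bytes) -> bytes:
        # Packet index travels in the clear but is authenticated, like an
        # RTP header under SRTP; it also serves as the per-packet nonce.
        hdr = struct.pack(">I", self.pkt_index)
        self.pkt_index += 1
        enc, mac = self.srtp["send"]
        return hdr + seal(enc, mac, hdr, frame)

    def recv_audio(self, packet: bytes) -> bytes:
        enc, mac = self.srtp["recv"]
        return unseal(enc, mac, packet[:4], packet[4:])


def demo() -> bytes:
    """Run the flow end to end; returns the frame the responder recovered."""
    session_key = bytes(range(32))  # constructed stand-in for a Signal session
    alice, bob = CallParty(session_key, "initiator"), CallParty(session_key, "responder")
    bob.answer_call(alice.place_call())
    return bob.recv_audio(alice.send_audio(b"opus-frame-0"))


if __name__ == "__main__":
    print(demo())
```

Two things the code makes concrete that the quoted text only states: the call's confidentiality rests entirely on the session that carries the master secret (a party constructed with a different session key gets an authentication failure on the offer, not a wrong-but-usable key), and the media keys are direction-separated so the two parties' keystreams never collide even though they share one secret.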

Aug 25, 2016

So this argument is just a technicality. Please understand a little more about the background:

There is basically one person writing the app[1], and given the company has just a few[2] people _volunteering_[3] for them, you cannot expect them to release a large amount of code across so many devices. They prioritized the highest volume first.

Open Whisper Systems primarily develops a strong encryption protocol (Moxie's efforts). If you didn't realize, this protocol was adopted by WhatsApp[4] and also Facebook Messenger[5]. So, the developers of those other applications needn't spend time/resources on the encryption, but can release Desktop clients for people like yourself to enjoy.

People who use Signal trust Moxie. People who dislike Signal _may_ care more about features than the security properties of the software (note, WhatsApp doesn't open-source their software[6], and Telegram instead bets people cannot break their encryption[7]).

Also, their app will supposedly run on any OS that Chrome runs. I'm sure that was the intention.

[1] https://github.com/WhisperSystems/Signal-Desktop/commits/mas...

[2] https://whispersystems.org/#team

[3] https://whispersystems.org/workworkwork/

[4] https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

[5] https://whispersystems.org/blog/facebook-messenger/

[6] https://www.whatsapp.com/opensource/

[7] https://telegram.org/blog/cryptocontest

May 03, 2016

Open Whisper Systems, a non-profit, publishes open-source tools that do exactly what you need. WhatsApp and Open Whisper's own products use them.

More info:

https://en.wikipedia.org/wiki/Open_Whisper_Systems

https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

May 02, 2016

WhatsApp uses the Signal Protocol Java library, which is open source.

https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

https://github.com/WhisperSystems/libsignal-protocol-java

Apr 19, 2016

TLS would normally be used between the client and server. Viber may use TLS for that too, though WhatsApp and Signal use Noise pipes for that purpose. The point of end-to-end encryption is that they're also encrypting the messages so that they can't be read on the server. Don't know what Viber is using, but moxie posted a link to the details about WhatsApp's implementation. https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

Apr 19, 2016

Yes, it is. It's linked directly from the paper (https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...) that documents their use of the protocol.

It's the exact same code we use in Signal: https://github.com/whispersystems/libsignal-protocol-java

Apr 05, 2016

The whitepaper (https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...) claims that the attachments of any type are encrypted

Apr 05, 2016

> whatever you're sending over WhatsApp is likely going to be used by FB

The article links to the technical white paper[0] which explains why your points are invalid.

> I'm still inclined to trust apple's iMessage a bit more

Do you have any proof why iMessage is more secure or is that statement also baseless?

[0]: https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

Apr 05, 2016

Downgrade attacks should be difficult. As the article mentions, once a client has communicated with another using encryption, all future communications to that client will be encrypted. So a downgrade attack would require spoofing a new client for a user (e.g. a phone they didn't have before), which is likely noticeable.

The whitepaper (https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...) goes into more detail.

That said, they could push out an update that changes the UI to disable E2EE without notifying the user, and that would be difficult to notice since the app is closed source. For this reason Signal is more secure, despite using the exact same protocol.

Apr 05, 2016

> The Signal Protocol library used by WhatsApp is Open Source, available here: https://github.com/whispersystems/libsignal-protocol-java/

https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

Apr 05, 2016

That's not necessarily true. I haven't spent much time analyzing it yet, but your assertion seems seems. Please correct me if I'm mistaken, but can't you verify end-to-end encryption without viewing the source of the program?

They're using the Signal protocol, which has been well-vetted.

What I've seen so far in Wireshark looks good, but I am not a crypto expert. I'm in the process of reading and trying to understand the whitepaper[0] now.

I doubt Open Whisper Systems would condone the use of WhatsApp without verifying the app uses e2e.

[0] https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

EDIT: Spelling.

Apr 05, 2016

They have released a whitepaper [1] where they go into details of how the encryption works, so using this knowledge in theory one should be able to verify that the encryption is legitimate.

[1] https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

Apr 05, 2016

WhatsApp have published further details for users[1], as well as a technical whitepaper[2] explaining the implementation. There's also a blog post[3].

[1]: https://www.whatsapp.com/security/

[2]: https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

[3]: https://blog.whatsapp.com/10000618/End-to-end-encryption
