Archive for WhatsApp

Security Researchers Call On The Guardian To Retract WhatsApp Story

Posted in Commentary with tags on January 20, 2017 by itnerd

You’ll recall that I posted a story that detailed a story from The Guardian on what it called a “backdoor” in WhatsApp. Some security researchers have called out The Guardian for what they concluded was irresponsible journalism and a misleading story. Over three dozen security researchers, including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF), have signed a long editorial post pointing out where The Guardian’s report fell short and asking the publication to retract the story.

So, is this a backdoor or not? The lack of a definitive answer on this leaves users in limbo. Maybe both sides should work together to clear the air on this. And for bonus points, maybe Facebook, which owns WhatsApp, should get involved as well?

Backdoor Found In WhatsApp End To End Security

Posted in Commentary with tags on January 13, 2017 by itnerd

Popular messaging app WhatsApp appears to have a backdoor that could allow Facebook (which owns WhatsApp) to read messages, and could make it possible for the company to comply with court orders to make messages available to government bodies. Here’s what The Guardian reports:

The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

The backdoor is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp’s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.

Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the backdoor still exists.

This news is sure to send Facebook into full damage control mode, as Facebook really pushes the end-to-end encryption feature of WhatsApp and says that they can’t read your messages. It will be interesting to see how they respond to this (which they haven’t as I type this), and how WhatsApp users respond to this.
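The difference between the two behaviours in the quoted report comes down to what the sending client does with an undelivered message when the recipient's key changes. The following is an added example, not code from the original post, WhatsApp or Signal: it models only that retransmission policy, performs no real encryption, and every name and key value in it is hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample identity keys (not real key material).
OLD_KEY = b"constructed-recipient-identity-key-1"
NEW_KEY = b"constructed-recipient-identity-key-2"

def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint a user could compare out of band."""
    return hashlib.sha256(identity_key).hexdigest()[:12]

@dataclass
class Sender:
    block_on_key_change: bool   # True: hold and notify; False: resend automatically
    trusted_fp: str             # fingerprint of the key the sender last accepted
    pending: list = field(default_factory=list)  # undelivered plaintexts
    sent: list = field(default_factory=list)     # (plaintext, fingerprint encrypted to)
    events: list = field(default_factory=list)

    def queue(self, text: str) -> None:
        """Recipient is offline: the message waits for delivery."""
        self.pending.append(text)

    def on_recipient_key(self, key: bytes) -> None:
        """Recipient comes back online and its identity key is announced."""
        fp = fingerprint(key)
        if fp != self.trusted_fp and self.block_on_key_change:
            self.events.append("key_changed:held_for_user")
            return                      # nothing leaves until the user decides
        if fp != self.trusted_fp:
            self.events.append("key_changed:resent_without_prompt")
            self.trusted_fp = fp
        self._flush(fp)

    def approve(self, key: bytes) -> None:
        """User has verified the new key and chooses to resend."""
        self.trusted_fp = fingerprint(key)
        self._flush(self.trusted_fp)

    def _flush(self, fp: str) -> None:
        self.sent += [(text, fp) for text in self.pending]
        self.pending.clear()

def run_scenario(block_on_key_change: bool) -> Sender:
    s = Sender(block_on_key_change, trusted_fp=fingerprint(OLD_KEY))
    s.queue("meet at 6")
    s.on_recipient_key(NEW_KEY)   # key changed while the recipient was offline
    return s
```

With `block_on_key_change=True` the queued message stays in `pending` until `approve()` is called; with `False` it is already in `sent`, bound to the new key's fingerprint, before the user has had any say.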

WhatsApp Rolling Out Free Encrypted Video Calling

Posted in Commentary with tags on November 15, 2016 by itnerd

In a move that will get a lot of attention, WhatsApp is rolling out its video calling feature, which will be encrypted. The new video calling feature is rolling out on Android, iOS and Windows 10 Mobile. Here’s what the company said in a blog post that went up on Monday:

We’re introducing this feature because we know that sometimes voice and text just aren’t enough. There’s no substitute for watching your grandchild take her first steps, or seeing your daughter’s face while she’s studying abroad. And we want to make these features available to everyone, not just those who can afford the most expensive new phones or live in countries with the best cellular networks.

The reason why this will get a lot of attention is that it is going to take a direct shot at FaceTime from Apple and Skype from Microsoft. It will also get a lot of attention from law enforcement who tend not to be thrilled about anything that is online and encrypted since that takes away their ability to snoop.

If you’re a WhatsApp user and you haven’t seen this feature yet, it should appear in the coming days.

Surprise! FBI Is Worried By Encryption In WhatsApp

Posted in Commentary with tags on April 7, 2016 by itnerd

You’ll recall that I posted a story about WhatsApp implementing end-to-end encryption in the popular messaging app. I also had this to say:

It’s a safe bet that with this move some government (likely the US one) is going to go to Facebook to get some info and there is going to be an Apple vs. FBI type fight. I’m calling it now.

Well, the fight looks like it may be about to begin as the FBI has popped up to say this:

FBI General Counsel James Baker said in Washington on Tuesday that the decision by the Facebook-owned messaging platform to encrypt its global offerings “presents us with a significant problem” because criminals and terrorists could “get ideas.”

Speaking during an event hosted by the International Association of Privacy Professionals, the FBI’s top attorney said the increasing use of such encryption threatens the reach of law enforcement investigations.

“If the public does nothing, encryption like that will continue to roll out,” he said. “It has public safety costs. Folks have to understand that, and figure out how they are going to deal with that. Do they want the public to bear those costs? Do they want the victims of terrorism to bear those costs?”

I’d say that the public isn’t doing “nothing.” Instead, they, via the methods of communication that they use, are choosing privacy over letting a government have the ability to snoop at will. I think that’s called freedom. Something that the US apparently is in favor of. Or at least I thought they were. Now I do get that law enforcement might have reasons to get info to investigate something or stop something from happening. But bashing the encrypting of communications and devices, I believe, is not helpful.

WhatsApp Encrypts Conversations From End To End

Posted in Commentary with tags on April 5, 2016 by itnerd

In a move that is sure to annoy the FBI, Facebook-owned WhatsApp, via an update to their apps, now does end-to-end encryption. This means that not only is WhatsApp unable to access the data generated by its users, but nobody else can either. Here’s what a blog entry on the topic said:

The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.

If you’re interested in learning more about how end-to-end encryption works, you can read about it here. But all you need to know is that end-to-end encrypted messages can only be read by the recipients you intend. And if you’re using the latest version of WhatsApp, you don’t have to do a thing to encrypt your messages: end-to-end encryption is on by default and all the time.

It’s a safe bet that with this move some government (likely the US one) is going to go to Facebook to get some info and there is going to be an Apple vs. FBI type fight. I’m calling it now.

Millions Of WhatsApp Web Users Vulnerable To Hacking

Posted in Commentary with tags on September 8, 2015 by itnerd

If you run the web extension of WhatsApp, you should make sure you’re running version 0.1.4481 or higher to ensure that you’re safe. Here’s the reason why via Help Net Security:

Check Point security researcher Kasif Dekel found that to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent vCard contact card, containing malicious code. Once opened in WhatsApp Web, the executable file in the contact card can run, further compromising computers by distributing malware including ransomware, bots, remote access tools (RATs), and other types of malicious code.

To target an individual, all an attacker needs is the phone number associated with the account. WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application, including images, videos, audio files, locations and contact cards.

This doesn’t sound good. I’d be taking immediate steps to update to the latest version if I were you. What’s really scary is the scope of this problem. It could in theory encompass 200 million users. That’s not a trivial number of users.

WhatsApp Gets End To End Encryption

Posted in Commentary with tags on November 20, 2014 by itnerd

If you use WhatsApp, you have a new feature. They’ve partnered with Open Whisper Systems to bring encrypted end-to-end chats by default:

The most recent WhatsApp Android client release includes support for the TextSecure encryption protocol, and billions of encrypted messages are being exchanged daily. The WhatsApp Android client does not yet support encrypted messaging for group chat or media messages, but we’ll be rolling out support for those next, in addition to support for more client platforms. We’ll also be surfacing options for key verification in clients as the protocol integrations are completed.

WhatsApp runs on an incredible number of mobile platforms, so full deployment will be an incremental process as we add TextSecure protocol support into each WhatsApp client platform. We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default.

Now this is good. But Apple’s iMessage has done this from day one. Thus WhatsApp is playing catch up in a way. But with iMessage, data is still backed up to the company’s servers, so it differs from WhatsApp in that regard. Still, it’s hard to complain about getting more security by default.