HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber

WhatsApp has announced that it will encrypt all its 600m users' text messages by default, which is a serious stride forward for privacy - and one which will no doubt be criticised by spooks and police worldwide. The rollout, announced today, was described by the app maker as the "largest deployment of end-to-end encryption …

  1. x 7 Silver badge

    whats whatsapp???

    1. Lee D Silver badge

      The new name for SMS texts when your carrier thinks it's reasonable to charge you 20p per text to a foreign country, for example.

      I know a lot of Italians who live in London - they all have Whatsapp on their phones so they don't have to worry about roaming, pay a small fortune for texts, or have to carry two phones.

    2. MartinB105

      A messaging app that's artificially restricted to use on smartphones, so you can't use it on a normal PC like every other messaging app in existence.

      1. VinceH Silver badge

        Bit of an odd name for a messaging app, isn't it?

        1. Def Silver badge

          > Bit of an odd name for a messaging app, isn't it?

          I believe it to be a play on the words "What's up?", a phrase commonly used by the young people when greeting each other. Because it's an application running on a mobile device, it cunningly combines the aforementioned phrase with the increasingly accepted shortened form of the word "application", viz "app".

          But yes, it's a bit odd, as you so eloquently put it.

      2. The People

        Don't spread misinformation - Please install Telegram A: on your phone B on your PC. Do it NOW!

  2. btrower

    Welcome and useful

    Before the naysayers jump in -- yes this will be vulnerable to certain types of attack -- NO that does not make this useless.

    The very fact that many messages are suddenly travelling encrypted means dragnet surveillance is much more difficult.

    Hopefully other companies will follow this lead.

    If you think about it, one man's extremist is another man's dissident. We need at least some small avenues that allow civil disobedience if we have any hope of maintaining our rapidly shrinking freedom.

    Two thumbs up for the donation. It is a nice counter-point to the donation to Harvard we heard about recently.

    Finally, we should not let the fact that something is not sufficient deter us from putting in place things that are necessary. The perfect should not be the enemy of the good.

    1. DN4

      Re: Welcome and useful

      > The very fact that many messages are suddenly travelling encrypted means dragnet surveillance is much more difficult.

      This in turn means more focus on getting the messages (and metadata) at the source, i.e. owning the devices. Not that it would not be happening anyway...

    2. Anonymous Coward

      Re: Welcome and useful

      > The very fact that many messages are suddenly travelling encrypted means dragnet surveillance is much more difficult.

      It is quite funny how the later Snowden revelations almost negated the first ones. The biggest "improvement" in surveillance techniques by the 5 eyes in the last 7 years is the use of social graphs and metadata. It is not important what the content of your message is, it is important whom you are talking to. No encryption will help you against that one.

      1. Michael Wojcik Silver badge

        Re: Welcome and useful

        > No encryption will help you against that one.

        There are protocols that use encryption to obstruct traffic analysis.

        Here's a trivial one: encrypt your message with the public key of the recipient, and broadcast it. Everyone receives it; only the intended recipient can decrypt it.

        Rivest's "chaffing and winnowing" protocol is another example.

  3. Mark 85 Silver badge

    Well...maybe it's just one app and one platform.

    But it's a start. I won't hold my breath that it's uncrackable by the 3-letter and 4-letter agencies, but I'll keep my fingers crossed.

    1. phuzz Silver badge

      Re: Well...maybe it's just one app and one platform.

      Let's just say, it moves the weakest link away from the transport, and back into your pocket, i.e. if a TLA wants to read your WhatsApp messages, now they'll just take your phone and/or beat it out of you.

      1. Anonymous Coward

        Re: Well...maybe it's just one app and one platform.

        TLAs being able to gain access to my communication through a warrant I have no problem with. The wholesale slurping and processing of anything sent plain text over the internet is not OK.

        As a roaming expat I use whatsapp extensively....please roll out to all platforms and group chat ASAP.

  4. phil8192
    Coat

    Hahaha!

    To think anything to do with Facebook is "secure" is to be naïve in the extreme.

    1. solo

      Re: Hahaha!

      1 April, 2015: FaceBook thought to gift you with all your group messages on WhatsApp searchable to all. Because as per Mark F**g, he has decided that the world should be more open.

      "Our mission is to make the world more open".

      Ref: https://lt-lt.facebook.com/markzukerbergofficial/posts/345738645482073?comment_id=3791262&offset=7&total_comments=8

  5. gerdesj Silver badge

    That's nothing

    This lot want to enable encryption for the entire interweb:

    https://lwn.net/Articles/621676/rss

    or

    http://it.slashdot.org/story/14/11/18/1830229/launching-2015-a-new-certificate-authority-to-encrypt-the-entire-web

  6. Apul_MadeeqAoud

    "And yet Whisper Systems got $455,000 from the US government [PDF, page 17] to fund TextSecure development."

    All you need to know about how secure it is, is right in that sentence. Game over.

    1. Jamie Jones Silver badge
      Black Helicopters

      If we are going to explore conspiracy theories, how about:

      "Sir, we've thrown our best minds at this new whisper tech, and we can't break it. How can we make it less effective?"

      "We'll just give them development funding, and let the tinfoilies do the rest"

  7. Jin

    Need only to break the user's password

    Assume that the entropy of the decryption key be 256 bits and that of the user's password be 13 bits (= 4 digit PIN), and the chances are that the data are lost to criminals who broke the password. It would be no use talking about encryption without talking about the reliable password or identity authentication of the user.

    1. Anonymous Coward

      Re: Need only to break the user's password

      What password are you talking about?

      To my knowledge WhatsApp does not use passwords.

      You are identified by your phone number which WhatsApp reads from your SIM card and you must be able to receive a confirmation code from them via SMS.

  8. Anonymous Coward

    Power consumption

    "You may worry that there's a battery consumption issue, since the app will need to do extra computation on the phone itself to perform the encryption and decryption."

    Hadn't crossed my mind.

    How much computation do you think it takes to encrypt or decrypt a few bytes??

    1. Lee D Silver badge

      Re: Power consumption

      Encryption is not free, by a long shot. The biggest reason not to push everyone to SSL is certainly the CPU use of the encryption (or specialist devices to offload it to) in the large datacenters. So it's not zero-concern.

      However, on a modern smartphone, with specialist instruction sets, built-in encryption anyway, accessing SSL websites and sync sites all the time, and it not mattering that it might take a second or two in the background at the lowest priority to send the message? Yeah, not worth worrying about.

      1. Anonymous Coward

        Re: Power consumption

        "Encryption is not free, by a long shot. The biggest reason not to push everyone to SSL is certainly the CPU use of the encryption (or specialist devices to offload it to) in the large datacenters. So it's not zero-concern."

        Sure, maybe it's a concern on a server where you might need to do it thousands of times per second.

        But, some common sense please. Remember 10 years ago, when CPUs were way slower and didn't have special instructions for encryption, you still went to SSL encrypted web sites and there was no multi-second delay to bring those up.

        I just ran "openssl speed" on my computer and got 17.6 milliseconds for 4096 bit RSA sign. Granted, my computer is pretty quick, but even if it took 10 times as long it's still a small fraction of a second. Basically not noticeable on a cell phone and of no consequence to battery life.

  9. ForthIsNotDead Silver badge

    Government...

    I'm not really worried about the government reading my soppy WhatsApp message to 'er indoors, they can just ask me if they want to see them! However, it's cool that messages are no longer travelling through the air in clear-text if only to stop opportunist criminals in airport lounges and the like. I know very very little about encryption, but I'm led to believe that security measures such as the WPS/WEPS (is it called?) encryption on Wifi networks is easily breakable, so it would be easy to sit in an airport lounge and sniff up all manner of data. Email is probably the worst offender, being based on ancient clear-text protocols.

    1. Lee D Silver badge

      Re: Government...

      WPA2 is pretty unbreakable. It's basically AES.

      The problem comes from airport lounges. You've joined the network, right? Did you have to enter a WPA2 passphrase into the wireless settings to do so? No. You went onto an open network, then typed some code or a credit card into a splashscreen / signup, then browsed over that same open network. There might, or might not, be some encryption of your data, but to get there you have to join an open network.

      That's the classic problem with encryption - key distribution. To join that wireless network, you really need to give out a passphrase that everyone knows or some form of certificate, and then hope they isolate you from all the other uses of that same credential (which is almost impossible to tell). And typing in a passphrase takes time and is too complicated for most users, and credential setup is hard to enforce on random clients on a public network if you want people to use you. That passphrase/certificate may or may not offer a shortcut into the encryption used to talk to individual clients, but it's certainly not the best solution.

      Ironically, a pub that puts the passphrase to their free Wifi on the beermats could easily be more secure than the airport that allows you to "just join" some free Wifi provider.

      1. Anonymous Coward

        Re: Government...

        pedantically: WPA2 is allegedly subject to a downgrade attack from AES to TKIP RC4.

        The further attack on RC4 is not known, but Sigh....one might assume that large agencies...

        source: http://lists.randombit.net/pipermail/cryptography/2014-September/006760.html

        ..but Yes, you're right about the dangers of "free" Wi-Fi

      2. theblackhand

        Re: WPA2 is pretty unbreakable

        WPA2/AES is only as secure as the key. If you are using pre-shared keys, rainbow tables (i.e. http://www.renderlab.net/projects/WPA-tables/) take you a long way to getting access to someone's Wifi to then sniff traffic.

        Using one of the 802.1x options for authentication via a RADIUS server with regular re-authentication periods largely addresses that (i.e. re-authenticating every hour will mean separate brute force runs over each hour of captured data).
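
Added example (not part of the comment thread): why precomputed WPA2-PSK tables are tied to the SSID. The pre-shared key is stretched with PBKDF2-HMAC-SHA1 using the SSID as salt, so a table built for one network name says nothing about another. The SSIDs, word list and passphrases below are constructed sample values.

```python
import hashlib
import math

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def precompute(ssid: str, wordlist: list[str]) -> dict[bytes, str]:
    """What a per-SSID table holds: PMK -> passphrase, valid for that SSID only."""
    return {wpa2_pmk(word, ssid): word for word in wordlist}

def covered_by_table(table: dict[bytes, str], passphrase: str, ssid: str) -> bool:
    """True if this network's key already sits in the precomputed table."""
    return wpa2_pmk(passphrase, ssid) in table

def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase (does not apply to chosen words)."""
    return length * math.log2(alphabet_size)

# Constructed sample data: a table built once for a common default SSID.
WORDLIST = ["password", "letmein123", "sunshine2014"]
TABLE = precompute("linksys", WORDLIST)

def audit() -> dict[str, bool]:
    """Three constructed networks checked against the same table."""
    return {
        # Default SSID + dictionary passphrase: the table already has the key.
        "default_ssid_weak_pass": covered_by_table(TABLE, "letmein123", "linksys"),
        # Same weak passphrase, unique SSID: different salt, table is useless.
        "unique_ssid_weak_pass": covered_by_table(
            TABLE, "letmein123", "example-unique-ssid-7f3a"),
        # Default SSID, passphrase not in any word list: not in the table either.
        "default_ssid_strong_pass": covered_by_table(TABLE, "q7#Vr2!mZp0x", "linksys"),
    }

if __name__ == "__main__":
    for name, hit in audit().items():
        print(f"{name}: {'covered by table' if hit else 'not covered'}")
    print(f"8 random lowercase letters: {random_passphrase_bits(8, 26):.1f} bits")
    print(f"20 random alphanumerics:    {random_passphrase_bits(20, 62):.1f} bits")
```

A unique SSID only removes the benefit of precomputation; a dictionary passphrase is still weak, which is why a long random passphrase or the 802.1X setup described above is the stronger fix.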

    2. Andrew Meredith

      Re: Government...

      "Email is probably the worst offender, being based on ancient clear-text protocols"

      Actually if you employ opportunistic encryption for outgoing connections from the SMTP server, mandate TLS for mail clients for sending and POP3S or (preferably) IMAPS then email is as good as anything else.

  10. This post has been deleted by its author

  11. DrM

    Ten years from now

    (Some politician in front of cameras, ten years from now): Yes, we have been successful with the Free Communication in America Act in banning all encryption in all texts, email, and VOI. This freedom is needed to help stop the Kitty Pron Terrorists.

    But a loophole has been found! People can meet in person, talk quietly -- and we will have no record of their conversation! This is a terrible threat to America. Yes, we all have freedom of speech and are free to speak, a liberty essential to our freedom. But likewise the Government has the right to always know what we say. How else can it protect the people?

    My new bill would require a permit for each conversation, issued after a short background check. A recording device or stenographer...

  12. factorsof42

    when will they unchain WhatsApp?

    this is really good news. . .

    WhatsApp is great BUT

    can The Register ask them when they're going to make WhatsApp available on laptops??

    for a range of reasons I avoid smart phone and GPS-enabled devices

    but I really want to be able to send free sms's

    thanks

    1. captain veg

      Re: when will they unchain WhatsApp?

      Does it run on x86 Android? If so then spin up a virtual machine on the lappie.

      -A.

      1. Anonymous Coward

        Re: when will they unchain WhatsApp?

        Just installed WhatsApp using Virtualbox VM generated by genymotion Android emulator ( http://www.genymotion.com ), seems to work OK. Can however find no trace of encryption settings/configuration in this latest (?) WhatsApp version (2.11.452) just downloaded from the WhatsApp website. I do not know what the current Playstore version is.

  13. John Smith 19 Gold badge
    Meh

    If people are worried about its security can't they just download the source & build their own?

    It's open source, right?
