HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber WhatsApp has announced that it will encrypt all its 600m users' text messages by default, which is a serious stride forward for privacy - and one which will no doubt be criticised by spooks and police worldwide. The rollout, announced today, was described by the app maker as the "largest deployment of end-to-end encryption …
The new name for SMS texts when your carrier thinks it's reasonable to charge you 20p per text to a foreign country, for example.
I know a lot of Italians who live in London - they all have Whatsapp on their phones so they don't have to worry about roaming, pay a small fortune for texts, or have to carry two phones.
This post has been deleted by its author
Before the naysayers jump in -- yes this will be vulnerable to certain types of attack -- NO that does not make this useless.
The very fact that many messages are suddenly travelling encrypted means dragnet surveillance is much more difficult.
Hopefully other companies will follow this lead.
If you think about it, one man's extremist is another man's dissident. We need at least some small avenues that allow civil disobedience if we have any hope of maintaining our rapidly shrinking freedom.
Two thumbs up for the donation. It is a nice counter-point to the donation to Harvard we heard about recently.
Finally, we should not let the fact that something is not sufficient deter us from putting in place things that are necessary. The perfect should not be the enemy of the good.
> The very fact that many messages are suddenly travelling encrypted means dragnet surveillance is much more difficult.
This in turn means more focus on getting the messages (and metadata) at the source, i.e. owning the devices. Not that it would not be happening anyway...
The very fact that many messages are suddenly travelling encrypted means dragnet surveillance is much more difficult.
It is quite funny how the later Snowden revelations almost negated the first ones. The biggest "improvement" in surveilance techniques by the 5 eyes in the last 7 years is the use of social graphs and metadata. It is not important what the content of your message is, it is important whom are you talking to. No encryption will help you against that one.
No encryption will help you against that one.
There are protocols that use encryption to obstruct traffic analysis.
Here's a trivial one: encrypt your message with the public key of the recipient, and broadcast it. Everyone receives it; only the intended recipient can decrypt it.
Rivest's "chaffing and winnowing" protocol is another example.
TLA's being able to gain access to my communication through a warrant I have no problem with. The wholesale slurping and processing of anything sent plain text over the internet is not OK.
As a roaming expat I use whatsapp extensively....please roll out to all platforms and group chat ASAP.
1 April, 2015: FaceBook thought to gift you with all your group messages on WhatsApp searchable to all. Because as per Mark F**g, he has decided that the world should be more open.
"Our mission is to make the world more open".
Ref: https://lt-lt.facebook.com/markzukerbergofficial/posts/345738645482073?comment_id=3791262&offset=7&total_comments=8
Assume that the entropy of the decryption key be 256 bits and that of the user's password be 13 bits (= 4 digit PIN), and the chances are that the data are lost to criminals who broke the password. It would be no use talking about encryption without talking about the reliable password or identity authentication of the user.
Encryption is not free, by a long shot. The biggest reason not to push everyone to SSL is certainly the CPU use of the encryption (or specialist devices to offload it to) in the large datacenters. So it's not zero-concern.
However, on a modern smartphone, with specialist instruction sets, built-in encryption anyway, accessing SSL websites and sync sites all the time, and it not mattering that it might take a second or two in the background at the lowest priority to send the message? Yeah, not worth worrying about.
"Encryption is not free, by a long shot. The biggest reason not to push everyone to SSL is certainly the CPU use of the encryption (or specialist devices to offload it to) in the large datacenters. So it's not zero-concern."
Sure, maybe it's a concern on a server where you might need to do it thousands of times per second.
But, some common sense please. Remember 10 years ago, when CPUs were way slower and didn't have special instructions for encryption, you still went to SSL encrypted web sites and there was no multi-second delay to bring those up.
I just ran "openssl speed" on my computer and got 17.6 milliseconds for 4096 bit RSA sign. Granted, my computer is pretty quick, but even if it took 10 times as long it's still a small fraction of a second. Basically not noticeable on a cell phone and of no consequence to battery life.
I'm not really worried about the government reading my soppy WhatsApp message to 'er indoors, they can just ask me if they want to see them! However, it's cool that messages are no longer travelling through the air in clear-text if only to stop opportunist criminals in airport lounges and the like. I know very very little about encryption, but I'm led to believe that security measures such as the WPS/WEPS (is it called?) encryption on Wifi networks is easily breakable, so it would be easy to sit in an airport lounge and sniff up all manner of data. Email is probably the worst offender, being based on ancient clear-text protocols.
WPA2 is pretty unbreakable. It's basically AES.
The problem comes from airport lounges. You've joined the network, right? Did you have to enter a WPA2 passphrase into the wireless settings to do so? No. You went onto an open network, then typed some code or a credit card into a splashscreen / signup, then browsed over that same open network. There might, or might not, be some encryption of your data, but to get there you have to join an open network.
That's the classic problem with encryption - key distribution. To join that wireless network, you really need to give out a passphrase that everyone knows or some form of certificate, and then hope they isolate you from all the other uses of that same credentail (which is almost impossible to tell). And typing in a passphrase takes time and is too complicated for most users, and credential setup is hard to enforce on random clients on a public network if you want people to use you. That passphrase/certificate may or may not offer a shortcut into the encryption used to talk to individual clients, but it's certainly not the best solution.
Ironically, a pub that puts the passphrase to their free Wifi on the beermats could easily be more secure than the airport that allows you to "just join" some free Wifi provider.
pedantically: WPA2 is allegedly subject to a downgrade attack from AES to TKIP RC4.
The further attack on RC4 is not known, but Sigh....one might assume that large agencies...
source: http://lists.randombit.net/pipermail/cryptography/2014-September/006760.html
..but Yes, you're right about the dangers of "free" Wi-Fi
WPA2/AES is only as secure as the key. If you are using pre-shared keys, rainbow tables (i.e. http://www.renderlab.net/projects/WPA-tables/) take you a long way to getting access to some ones Wifi to then sniff traffic.
Using one of the 802.1x options for authentication via a RADIUS server with regular re-authentication periods largely addresses that (i.e. re-authenticating every hour will mean separate brute force runs over each hour of captured data).
"Email is probably the worst offender, being based on ancient clear-text protocols"
Actually if you employ opportunistic encryption for outgoing connections from the SMTP server, mandate TLS for mail clients for sending and POP3S or (preferably) IMAPS then email is as good as anything else.
This post has been deleted by its author
(Some politician in front of cameras, ten years from now): Yes, we have been successful with the Free Communication in America Act in banning all encryption in all texts, email, and VOI. This freedom is needed to help stop the Kitty Pron Terrorists.
But a loophole has been found! People can meet in person, talk quietly -- and we will have no record of their conversation! This is a terrible threat to America. Yes, we all have freedom of speech and are free to speak, a liberty essential to our freedom. But likewise the Government has the right to always know what we say. How else can it protect the people?
My new bill would require a permit for each conversation, issued after a short background check. A recording device or stenographer...
this is really good news. . .
WhatsApp is great BUT
can The Register ask them when they're going to make WhatsApp available on laptops??
for a range of reasons I avoid smart phone and GPS-enabled devices
but I really want to be able to send free sms's
thanks
Just installed WhatsApp using Virtualbox VM generated by genymotion Android emulator ( http://www.genymotion.com ), seems to work Ok. Can however find no trace of encryption settings/configuration in this latest (?) Whatsapp version (2.11.452) just downloaded from the Whatsapp website. I do not know how what the current Playstore version is.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
