[vulpino]

They deduct points as it's still open source. And they are more applauding the fact that WhatsApp - probably the most widely used messaging app currently - has adopted strong end to end encryption, something which other clients have been loathe to do.

This is a win. To disregard everything that WhatsApp and Signal have accomplished because WhatsApp isn't open source is silly.

[lmm]

> This is a win. To disregard everything that WhatsApp and Signal have accomplished because WhatsApp isn't open source is silly.

Is it? If the next Snowden uses WhatsApp on the basis of this recommendation, and it turns out (say) the NSA has backdoored their RNG and is scanning all messages sent over WhatsApp, that person is going to find themselves jailed or maybe executed. You can't say "it's secure except for not being open source"; the stakes are too high for that.

[sickbeard]

No but to blindly trust in it is silly. Even openssl had a heart-bleed bug that persisted for years without most people realizing it. All it takes is one bug for the entire thing to be useless.

[vulpino]

And heartbleed is also than example of open source not being totally secure. It was a bug that persisted for years before it was found - and OpenSSL is open source.

It's just as foolish to blindly trust OSS. There will always be holes - the main point to OSS is not to combat these, as they will exist regardless. Rather, it is so one might know exactly what they're installing/using, without having to trust the corporation behind it.

[sickbeard]

no it's foolish to trust something that hasn't been independently reviewed. How can EFF recommend something that hasn't even been subjected to an independent security audit?

[zdkl]

The goal is not to be perfect, but to kickstart encryption adoption by a large non technical audience I believe.

Sure that's no excuse for potentially bad crypto but it's worth it if this gets proper infosec into the public reach in the end. I'm confident this is a first step to having trustable encryption "in the real world" even if it's another client/company providing it later. Call me an optimist :)

[pdkl95]

> one bug

Everything can have bugs. The problem with this software is that it's a centralized single point of failure. Only a proper federated protocol can be resistant to subversion by business, government, or other interests.