by stouset 3440 days ago
Yes, thank you. So many people in this thread are making the absurd assertion that security is a binary thing — it's either totally secure against all threats, or it's insecure.

What the security community has spent the last 20 or so years coming to grips with is that it's very hard to cover every attack surface, and not wind up with a product that nobody outside of a select few is smart or dedicated enough to use (e.g., GPG), or that people don't just blindly click through endless warnings (e.g., the not-so-distant days of TLS). What we can do is make incremental improvement over the existing tools that people use by covering more in the threat model or improving the usability such that more people use it and/or fewer people ignore important concerns.

As a mass-market anti-surveillance and privacy-enabling chat app, WhatsApp is an incredible success. It's not replacing GPG with a carefully-curated web of trust. It's replacing plaintext SMS.

There are better tools if you know your threat model includes targeted, high-budget attacks by the FSB, NSA, or CIA.