Hacker News new | ask | show | jobs
by tw04 3997 days ago
Given that we have the man himself onboard - can I urge you to ask the WSJ to remove the comment at the start of the article about WhatsApp implementing your encryption schema? Unless I've missed something, there's absolutely no way for an end-user to determine if their messages are being encrypted (with whatsapp). Or how they're being encrypted for that matter. I feel like WhatsApp latched onto your groundwork (potentially even with good intentions) - but never actually has opened up about the implementation, opened the code to audit, or been forthright about exactly who/how many users are covered.

I fear articles like this just make the average joe think "oh, whatsapp == secure" when recent events have proven that's far, far from the truth.

http://arstechnica.com/tech-policy/2015/06/intercepted-whats...
5 comments
Permit 3997 days ago
Part way through the article they say:

>Last fall, WhatsApp added Mr. Marlinspike’s encryption scheme to text messages between users with Android smartphones, but there is no easy way to verify that the encryption software is actually turned on.

So they're being pretty open about the fact users can't determine if their messages are truly encrypted.

link
xerophyte12932 3997 days ago
Yes but that's so deep down. A large number of people read the beginning and skim to the end. They might miss it. So it is a bit misleading IMO. Disclaimers should be more obvious
link
tedunangst 3997 days ago
Start with the linked reddit comment? https://www.reddit.com/r/Android/comments/34ecja/the_heise_s...
link
davisr 3997 days ago
"Absolutely no way"? I'm sorry to be impolite about it, but that's a bit of an exaggeration: one could jailbreak their phone, pull the binary into their computer, decompile it, and inspect it for implementation structures that would be coherent with how the two or three most popular encryption algorithms are commonly implemented. The expertise to be able to accomplish it doesn't come cheap, but it's certainly in the realm for anyone willing to invest the time.

If anyone out there does it, feel free to post your findings to http://imfreedom.org/.

I'd be willing to bet that WhatsApp has some competent programmers, and looks very similar to how Apple's built iMessage. I think everyone is entitled to the most security possible, but unfortunately when you're at the scale of WhatsApp, perfect security would make all that ultra-tantalizing data pretty hard to analyze. They're a business, they have a responsibility to their investors to grow the business, and data right now is a _big_ business.

link
JupiterMoon 3997 days ago
So you've probably just broken the law by doing so. And you have to do this everytime the app gets updates. And you have to be sure that the encryption is actually getting used on every message. And that the key is strong and not known to Whatsapp. And also that the recipients copy of the app is behaving the same as yours. So I guess the question is, if you had something to hide would you bet your life on it?

Whereas with Textsecure. Well it just works...

link
jsprogrammer 3997 days ago
>So you've probably just broken the law by doing so.

By modifying your own device? I don't think so.

link
JupiterMoon 3997 days ago
Many countries have laws against reverse engineering programs. Whilst I think these laws are stupid I would prefer to just use the open source program than mess around with the closed source alternative.
link
nitrogen 3997 days ago
According to Wikipedia[0], reverse engineering is generally legal in the US:

In the United States even if an artifact or process is protected by trade secrets, reverse-engineering the artifact or process is often lawful as long as it has been legitimately obtained.

[0] https://en.wikipedia.org/wiki/Reverse_engineering#United_Sta...

link
JupiterMoon 3997 days ago
Actually have another look at that before you break the law on this yourself.

As far as I can see that article says that reverse engineering is legal in the case that: (1) the EULA doesn't mention it (I've no idea what Whatsapp EULA says - do you?). (2) it is done for the purpose of interoperability. What is being proposed by the GP is in fact not interoperability but security testing.

As I said before I think that the laws on this are stupid. But why worry about this when there is a great FOSS program in the same space?

link
aw3c2 3997 days ago
And that is one country out of ~200.
link
JupiterMoon 3997 days ago
Assuming that nothing in the thing being reverse engineered is not encrypted or protected in some fashion right?
link
mightybyte 3997 days ago
> one could jailbreak their phone, pull the binary into their computer, decompile it, and inspect it for implementation structures that would be coherent with how the two or three most popular encryption algorithms are commonly implemented.

There's a much easier way. Turn off your phone's cellular connection, but turn on wifi and connect it to a wifi network you control. Then just sniff the packets.

link
stouset 3996 days ago
Not unless you have discovered a novel technique for distinguishing between good crypto and bad crypto over the wire.
link
higherpurpose 3997 days ago
At the very least I would want Whatsapp to:

1) add authentication with other users

2) make a public statement about it (believe it or not, that hasn't happened yet. Perhaps it will come when the iOS versions supports it - or perhaps it never will)

3) commit to the new encryption system in their privacy policy (make it at least somewhat legally binding - which could also be used against abusive law enforcement orders)

link
ytdht 3997 days ago
even if an Android application would communicate with others 100% securely, Google has wireless administrator privileges and can be served secret letters that can order Google to do anything, so technically they could log the data before it's encrypted.
link
jMyles 3997 days ago
Will an I/O audit of the network interface will detect this?
link
drcross 3997 days ago
No. How do you propose that it would?
link
jMyles 3996 days ago
I don't really know much about what kind of network chatter Android generates generally, but I imagine that, even if its encrypted, you can detect that there's suddenly network traffic to Google?

And then, depending on how silly the eavesdropping is, repeating the same message might cause the same encrypted payload to be transmitted?

link
ytdht 3996 days ago
traffic to Google is probably very common... and to be sure that you get the whole picture, you would probably need to intercept wireless signals going to the cellphone company which are also encrypted
link
venomsnake 3997 days ago
Only if you have google services installed.
link
aw3c2 3997 days ago
Without which TextSecure does not work.
link
em3rgent0rdr 3997 days ago
But what about the fork https://github.com/SMSSecure/SMSSecure which can be installed on via f-droid google-less phone?
link
aw3c2 3996 days ago
It has no push messages which means bad experience for non-SMS messages.
link
psykovsky 3997 days ago
The fork only handles SMS/MMS. There are no IM features in it.
link
jsprogrammer 3997 days ago
> there's absolutely no way for an end-user to determine if their messages are being encrypted (with whatsapp)

Watch the network traffic with Wireshark?

link
drcross 3997 days ago
You cant see into the encrypted traffic to see if it's implemented or not.
link
jacquesm 3997 days ago
But in the worst case you'll be able to see that it is plaintext.
link
em3rgent0rdr 3997 days ago
I would expect any messaging app these days woud never send pafkets with plain text.
link