What is WhatsApp end-to-end encryption: The truth
WhatsApp is now end-to-end encrypted at all times. This means that messages, videos and photos sent over WhatsApp can’t be read by anyone other than the sender and the recipient while they travel between the two devices: not WhatsApp, not cyber-criminals, not law-enforcement agencies. Calls and group chats are encrypted as well.
WhatsApp co-founder Jan Koum announced the update on his Facebook page, stating that the company has been working on the feature for the last two years.
“We’ve been working for the past two years to give people better security over their conversations on WhatsApp… People deserve security. It makes it possible for us to connect with our loved ones. It gives us the confidence to speak our minds. It allows us to communicate sensitive information with colleagues, friends, and others. We’re glad to do our part in keeping people’s information out of the hands of hackers and cyber-criminals.”
So what is end-to-end encryption and how exactly does it work in WhatsApp?
WhatsApp is using “The Signal Protocol”, designed by Open Whisper Systems, for its encryption.
In its White Paper, explaining the technical details of the end-to-end encryption, WhatsApp says that “once the session is established, clients do not need to rebuild a new session with each other until the existing session state is lost through an external event such as an app reinstall or device change.”
The paper explains how messages are encrypted as well.
It reads, “clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication. The Message Key changes for each message transmitted, and is ephemeral, such that the Message Key used to encrypt a message cannot be reconstructed from the session.” It also says that calls and large file attachments are end-to-end encrypted.
Note that the ever-changing message key can mean a delay in some messages getting delivered, according to the paper.
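To make the quoted mechanism concrete, here is a small worked example added for this article (it is not WhatsApp’s or Open Whisper Systems’ code): a symmetric key chain that derives a fresh Message Key for every message and then ratchets the Chain Key forward, with each message protected by AES-256 in CBC mode and an HMAC-SHA256 tag, as the paper describes. The HKDF expansion step, its info label, the constructed root key and the message text are assumptions made for the example. What it shows is the last point the paper makes: a snapshot of the session state taken later yields the next key but cannot open an earlier message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MessageKey is the per-message material: an AES-256 key, an HMAC-SHA256 key
// and a CBC IV. The 32/32/16 split and the 0x01/0x02 labels follow the
// whitepaper; the HKDF info string used below is an assumption for this example.
type MessageKey struct {
	Index        uint32
	Enc, Mac, IV []byte
}

// Chain is one sending direction of a session: the current Chain Key plus a counter.
type Chain struct {
	key   [32]byte
	index uint32
}

func NewChain(chainKey [32]byte) *Chain { return &Chain{key: chainKey} }

// State exposes the current Chain Key, used below to show what an attacker
// who captures the device state at some moment can and cannot derive.
func (c *Chain) State() [32]byte { return c.key }

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// hkdfExpand is HKDF-Expand (RFC 5869) over SHA-256, enough to stretch the
// 32-byte Message Key into the 80 bytes of key material the paper describes.
func hkdfExpand(prk, info []byte, n int) []byte {
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		t = hmacSHA256(prk, append(append(append([]byte{}, t...), info...), i))
		out = append(out, t...)
	}
	return out[:n]
}

// Next derives the next Message Key and ratchets the Chain Key forward. Once
// the old Chain Key has been overwritten, this Message Key cannot be recomputed.
func (c *Chain) Next() MessageKey {
	mk := hmacSHA256(c.key[:], []byte{0x01})           // Message Key = HMAC(CK, 0x01)
	copy(c.key[:], hmacSHA256(c.key[:], []byte{0x02})) // Chain Key   = HMAC(CK, 0x02)
	km := hkdfExpand(mk, []byte("example message keys"), 80)
	k := MessageKey{Index: c.index, Enc: km[:32], Mac: km[32:64], IV: km[64:80]}
	c.index++
	return k
}

// Seal is encrypt-then-MAC: AES-256-CBC with PKCS#7 padding, then an
// HMAC-SHA256 tag over the ciphertext appended to it.
func Seal(k MessageKey, plaintext []byte) []byte {
	block, _ := aes.NewCipher(k.Enc)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, k.IV).CryptBlocks(ct, padded)
	return append(ct, hmacSHA256(k.Mac, ct)...)
}

// Open checks the tag in constant time before touching the ciphertext, so a
// tampered or wrongly keyed message is rejected without exposing a padding oracle.
func Open(k MessageKey, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	if !hmac.Equal(tag, hmacSHA256(k.Mac, ct)) {
		return nil, errors.New("authentication failed")
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, _ := aes.NewCipher(k.Enc)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, k.IV).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) {
		return nil, errors.New("bad padding")
	}
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return nil, errors.New("bad padding")
		}
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	// Constructed root key standing in for the Chain Key a real session setup produces.
	var root [32]byte
	copy(root[:], "constructed-chain-key-for-demo!!")
	sender, receiver := NewChain(root), NewChain(root)

	sealed := Seal(sender.Next(), []byte("meet at 6"))
	pt, err := Open(receiver.Next(), sealed)
	fmt.Printf("message 0: %q err=%v\n", pt, err)

	// Capture the sender's state now: the next key is derivable, message 0 is not.
	stolen := NewChain(sender.State())
	_, err = Open(stolen.Next(), sealed)
	fmt.Println("decrypt message 0 from captured later state:", err)
}
```

Both phones start from the same Chain Key, so the receiver derives exactly the key the sender used; a single flipped byte fails the HMAC check before decryption, and the captured state can only move forward along the chain.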
It should be noted that the feature is enabled by default in WhatsApp, which means that if you and your friends are on the latest version of the app, all chats will be end-to-end encrypted. Unlike, say, Telegram, where users have to start a secret chat to enable the feature, WhatsApp has the feature on at all times. Users don’t have the option of switching off end-to-end encryption.
Both parties need to be on a version of WhatsApp that supports the feature for their chats to be end-to-end encrypted. If you’ve recently updated the app and you start a chat with someone else (also on the new version), you are likely to see a message saying,
“Messages you send to this chat and calls are now secured with end-to-end encryption. Tap for more info.”
Once you tap on the message, WhatsApp shows a pop-up explaining what end-to-end encryption means. Users can also verify that the encryption is set up with the right person. If a user taps on verify, they will be taken to a page with a QR code, followed by a 60-digit security code.
If your friend is nearby, take their phone and scan the code from your phone (the option is at the bottom of the same page). A match means the identity keys each phone holds for the other are the genuine ones, so nobody is sitting in the middle of the session. When the codes match, a green tick appears; when they don’t, a red exclamation mark warns the user that the chat could not be verified. A mismatch is not proof of an attack: the code also changes when a contact reinstalls the app or changes phones, which is why the check should be repeated after such an event.
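What the scan actually compares, as an added example for this article rather than WhatsApp’s own code: each party’s long-term identity public key is hashed down to 30 digits, and the two halves are joined into the 60-digit security code, following the structure of the Signal Protocol’s numeric fingerprint (the 5200 SHA-512 iterations, the 5-byte chunks reduced modulo 100000 and the two-byte version prefix are taken from that design; whether WhatsApp’s implementation matches it exactly is an assumption here, as are the constructed keys and phone numbers). The second half of the example shows why the check matters: if the server hands Alice a substitute key for Bob, the codes on the two phones no longer agree.

```go
package main

import (
	"crypto/sha512"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// Iteration count of Signal's numeric fingerprint; that WhatsApp uses the same
// value is an assumption for this example.
const fingerprintIterations = 5200

// Fingerprint turns one party's identity public key into a 30-digit string:
// a version prefix, the key and a stable identifier (the phone number) are
// hashed repeatedly with SHA-512, the first 30 bytes of the result are split
// into six 5-byte chunks and each chunk is reduced modulo 100000 to five digits.
func Fingerprint(identityKey []byte, identifier string) string {
	h := append([]byte{0, 0}, identityKey...) // 2-byte version prefix, then the key
	h = append(h, identifier...)
	for i := 0; i < fingerprintIterations; i++ {
		sum := sha512.Sum512(append(h, identityKey...))
		h = sum[:]
	}
	var sb strings.Builder
	for i := 0; i < 6; i++ {
		chunk := h[i*5 : i*5+5]
		v := binary.BigEndian.Uint64(append([]byte{0, 0, 0}, chunk...)) // 5 bytes -> uint64
		fmt.Fprintf(&sb, "%05d", v%100000)
	}
	return sb.String()
}

// SecurityCode is the 60-digit code both phones show for a chat: the two
// fingerprints concatenated in sorted order, so both sides compute the same
// string regardless of which phone is "me" and which is "them".
func SecurityCode(myKey []byte, myID string, theirKey []byte, theirID string) string {
	fps := []string{Fingerprint(myKey, myID), Fingerprint(theirKey, theirID)}
	sort.Strings(fps)
	return fps[0] + fps[1]
}

// Verify is the QR scan: the code read from the peer's phone is compared with
// the one this phone computed from the identity key it holds for that peer.
func Verify(localCode, scannedCode string) bool { return localCode == scannedCode }

// constructedKey stands in for a 32-byte Curve25519 identity public key; real
// keys come from the device's key pair, not from hashing a name.
func constructedKey(seed string) []byte {
	sum := sha512.Sum512([]byte(seed))
	return sum[:32]
}

func main() {
	alice, bob, mallory := constructedKey("alice"), constructedKey("bob"), constructedKey("mallory")

	// Honest delivery: each phone holds the other's real identity key.
	onAlice := SecurityCode(alice, "+10000000001", bob, "+10000000002")
	onBob := SecurityCode(bob, "+10000000002", alice, "+10000000001")
	fmt.Println("honest session, codes match:", Verify(onAlice, onBob))

	// Man in the middle: Alice was handed Mallory's key as "Bob's" identity key.
	onAliceMITM := SecurityCode(alice, "+10000000001", mallory, "+10000000002")
	fmt.Println("substituted key, codes match:", Verify(onAliceMITM, onBob))
}
```

The code is derived only from the identity keys, which is why a reinstall (a new key pair) changes it and why a matching code says something about who holds the keys rather than about whether encryption is switched on.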
So does the end-to-end encryption work all the time?
We tried verifying some chats that had the message saying encryption was enabled. In some cases, the verification failed for us. In the first case, we tried to verify a chat between an Android phone and an iPhone 6s (running iOS 9.3.1), and the QR codes didn’t match. We also tried matching QR codes on two Android phones, and once again we got the red alert indicating the codes did not match. Both Android phones are on the latest version of the app from the Google Play Store.
However, a verification between a chat on two iOS devices, (iPhone 6s, iPhone 5s) worked for us and showed the green tick.
We’re not sure why the verification failed, even though the chat says it is end-to-end encrypted. We might have to wait for another app update that could fix this issue.
Experts warn users about WhatsApp end-to-end encryption flaws
Ever since Facebook-owned WhatsApp publicized its new end-to-end encryption feature, it has been receiving plaudits from its large global user base but a number of experts have pointed out several ambiguities in the new security feature.
While the ongoing encryption clash between Apple and the US Government gave the messaging app an ideal moment to win applause, there is a lot more to it than meets the eye.
A security engineer and journalist at the Intercept, Micah Lee, pointed out that while WhatsApp messages are encrypted, its privacy notice says WhatsApp may retain (and in practice does retain) the date and time stamps of successfully delivered messages and the mobile phone numbers involved in an exchange.
Moreover, the messaging app will also collect “any other information” which it is legally compelled to collect. By contrast, WhatsApp had earlier claimed that no data regarding the chats or any information related to them would be stored on its servers.
For online privacy advocates who hoped that the new encryption feature would check malicious hackers and government intrusion, this is a cause for concern: anyone with access to that metadata, whether WhatsApp itself, an attacker who breaches its servers or a government that compels disclosure, can still learn who messaged whom and when, even though the content stays unreadable. The government can certainly ask for this information, and the company has to comply.
WhatsApp is owned by Facebook
While the world-wide messaging app’s initiative is a step forward in the field of digital communication, the fact that it is owned by the largest social media networking site raises myriad questions regarding WhatsApp’s privacy.
In the past, there have been many instances which have proved that Facebook monitors and tracks user data to augment its own offerings, and a 2014 report from the White House clearly hinted that the networking site also shares collected data with the government.
Moreover, you will find numerous articles like this one on the Internet, which draws a clear picture of Facebook’s monitoring activities.
Considering the fact that Facebook mines user metadata, it is safe to assume that it will do the same for WhatsApp; thus 100 per cent privacy is unachievable from a user’s point of view.
A Twitter user by the name YourAnonNews (not known whether related to Anonymous) warned users to not get excited about the end-to-end encryption feature as its parent company is Facebook.
End point security at risk
Another prominent Lebanese hacker Jed Ismael in his private blog described the new end-to-end encryption feature to be vague and explained that the new security feature is still vulnerable when it comes to end point security.
Ismael explained that end-to-end encryption is useless unless the device itself is secure and that is exactly what hackers and cyber-criminals will target.
He pointed out that the encryption feature does not matter if the end point devices—phones, tablets, and computers—are not encrypted.
“Even the most perfectly encrypted platform’s communications are as secure as the user’s devices, and with the rise of new malware every single day, nobody is safe,” Ismael said.
WhatsApp is responsible for safely carrying the data from one user to the other, but that does nothing to protect the end point devices themselves from being hacked. Apple’s encryption dispute with the FBI was a different case: there the device itself was encrypted, rather than a third-party service, which is what made the FBI’s job so difficult.
In the wake of increased security issues, the step taken by WhatsApp is definitely a step forward in securing digital communication but the question still remains: Is end-to-end encryption possible?
WhatsApp is not breaking Indian laws with 256-bit encryption:
Ever since WhatsApp announced end-to-end encryption there has been a flurry of reports on how the world’s most popular messenger service might have made itself illegal in India by switching on 256-bit encryption.
But that is not really right. India does not have any regulation in place for OTT messaging apps like WhatsApp or Facebook Messenger, and certainly nothing that stipulates what type of encryption they can use.
“Under the existing regulatory framework, 256-bit encryption is certainly not prohibited. When it comes to the telecommunications space, the framework gets a little more complex with differing requirements (like restriction on bulk encryption and cap of key lengths at 40 bits) being applicable to holders of different licenses or authorisations. However, in any case, these obligations currently only apply to license holders themselves (such as ISPs and TSPs) and not to internet, (i.e., over the top (OTT)) applications like WhatsApp,”
explains Tarun Krishnakumar, a Delhi-based lawyer specializing in technology.
The government’s draft policy on encryption was expected to place restrictions on what key sizes OTT players could use, but that draft has since been scrapped and is being reworked.
There is also the issue that the 40-bit key length which ISPs and TSPs have to stick to is very low by today’s standards: a 40-bit key has only about 1.1 trillion possible values, a space that commodity hardware can search exhaustively in hours. The US National Institute of Standards and Technology (NIST) no longer approves anything below 112 bits of security strength for new use, which rules out 80-bit schemes such as two-key Triple DES (Data Encryption Standard), and even three-key Triple DES is being phased out in favour of the Advanced Encryption Standard at 128, 192 and 256-bit key lengths. WhatsApp uses AES-256, the strongest of the lot.
So, until the government stipulates what key lengths OTT messengers or other Internet players need to stick to, there is nothing wrong with WhatsApp’s 256-bit encryption.