WhatsApp's Signal Protocol integration is now complete

This is really excellent. A few thoughts:<p>1) They seem to have replaced TLS&#x2F;SSL between client and server with &quot;Noise Pipes&quot;. Based on a couple of minutes Googling this seems to be a brand new one-man protocol from Trevor Perrin (the same guy who did Axoltl on which Signal is based). At least, I&#x27;d never heard of it. I wonder if this is the first inkling of a post-TLS future?<p><a href="http:&#x2F;&#x2F;noiseprotocol.org&#x2F;noise.html" rel="nofollow">http:&#x2F;&#x2F;noiseprotocol.org&#x2F;noise.html</a><p>2) It&#x27;s a shame to see key words be killed off by internationalisation concerns. 12 words seems so much more friendly, at least to English speakers, than a 50 digit number. In practice I doubt any non-trivial numbers of people will ever compare codes by reading out such a number. I hope further research here can develop better replacements for encoding short binary strings in i18n friendly ways (perhaps with icons instead of specific words? if you don&#x27;t speak a common language with your chat partner then the app is useless anyway).<p>3) What&#x27;s the next step? My feeling is that the next step is securing the build and distribution pipeline. WhatsApp could partner with security firms around the world, like Kaspersky Lab in Moscow, perhaps one in Germany and another in Iran, to make it harder for the software to be forcibly backdoored by a single decision of a single government representative. This would require splitting the RSA signing keys used by the app stores. I have some code in my inbox that claims it can do this (it&#x27;s written by some academics and I obtained it after a bit of a runaround) but I never found the time to play with it.<p>Of course, getting a bunch of security firms to sign off on every update, no matter how trivial that update is, might prove politically difficult inside Facebook. If mobile platforms supported in-app sandboxing better then the app could slowly be refactored to be more like Chrome, where the base layer doesn&#x27;t trust the upper layers. Those upper layers wouldn&#x27;t have access to key material and could then be updated more freely than the higher privileged components.

What the article fails to mention:<p>1) I would assume Facebook still gets unencrypted access to my address book for use with their shadow profiles<p>2) We have zero control over what key the client encrypts the messages for. Is it only the other peer&#x27;s phone? Or is it for the peer&#x27;s phone plus Facebook for analysis of the messages?<p>Especially 2) is of some concern to me (against 1 I can&#x27;t protect myself anyways because if people add me to their address books I&#x27;m screwed anyways). From that perspective, I&#x27;m still inclined to trust apple&#x27;s iMessage a bit more especially after recent events.<p>The only safe solution right now is to compile your own signal client and use that, of course at the cost of reach because nobody else is on Signal.<p>WhatsApp might be a good compromise at least for only semi-important messages: The probability that any of your contacts has WhatsApp is much, much higher than the probability of them having Signal running. On the other hand, whatever you&#x27;re sending over WhatsApp is likely going to be used by FB (and then possibly handed out to governments and&#x2F;or stolen by attackers).

This is insanely cool. For everyone (very rightfully) worried about the PATRIOT act, the NSA, etc., etc. this is absolutely huge.<p>One BILLION people just got their messages encrypted. Facebook was under no obligation to do this; for the vast majority of tech history the messages sent by 99% of people were very insecure, and when the tech giants responsible were asked their response was &quot;ehh&quot;. This suddenly cuts into a huge portion of that. Pretty much everyone with a mobile phone in Europe or South America, as well as large parts of Asia, suddenly now has completely encrypted messages.<p>Kudos to Whatsapp for this fantastic move.<p>On a related note, if anyone is inspired by this announcement to start using encryption in other parts of their life, I have a handful of Keybase invites available (to bypass the 25k+ waiting list.) Keybase&#x27;s security depends on lots of people tracking other people, so only ask for one if you&#x27;ll track other people. I see too many people that make an account and nobody ever tracks them&#x2F;they don&#x27;t track anyone. My email&#x27;s in my profile.

WhatsApp have published further details for users[1], as well as a technical whitepaper[2] explaining the implementation. There&#x27;s also a blog post[3].<p>[1]: <a href="https:&#x2F;&#x2F;www.whatsapp.com&#x2F;security&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.whatsapp.com&#x2F;security&#x2F;</a><p>[2]: <a href="https:&#x2F;&#x2F;www.whatsapp.com&#x2F;security&#x2F;WhatsApp-Security-Whitepaper.pdf" rel="nofollow">https:&#x2F;&#x2F;www.whatsapp.com&#x2F;security&#x2F;WhatsApp-Security-Whitepap...</a><p>[3]: <a href="https:&#x2F;&#x2F;blog.whatsapp.com&#x2F;10000618&#x2F;End-to-end-encryption" rel="nofollow">https:&#x2F;&#x2F;blog.whatsapp.com&#x2F;10000618&#x2F;End-to-end-encryption</a>

Is there any reasonable way to verify that end-to-end encryption is actually being used, and used correctly? From a user&#x27;s point of view the app looks and works exactly the same as before, except for the addition of a QR code which could be doing anything.

Without whatsapp being open source, how do we know for sure that Facebook is not somehow storing or reading our messages?<p>As good as this sounds on paper, I hesitate to trust Facebook to transmit my data without wanting to peek a bit. I currently use both Whatsapp and Signal and will probably continue to do the same unless there is a way for users to verify Facebook doesn&#x27;t keep a copy.

Question for me is still around iCloud backups. Per <a href="http:&#x2F;&#x2F;www.popsci.com&#x2F;whatsapp-now-encrypts-all-messaging-for-its-billion-users" rel="nofollow">http:&#x2F;&#x2F;www.popsci.com&#x2F;whatsapp-now-encrypts-all-messaging-fo...</a>:<p>&gt; However, WhatsApp on iOS still backs up chat logs to iCloud, and despite any effort by Facebook, those could be given to a law enforcement agency. It&#x27;s not known whether the backups are encrypted, but we&#x27;ve reached out to Open Whisper Systems and will update with any new information.<p>Apple stores iMessage backups unencrypted and hands them out when given a lawful request (per <a href="https:&#x2F;&#x2F;thehackernews.com&#x2F;2016&#x2F;01&#x2F;apple-icloud-imessages.html);" rel="nofollow">https:&#x2F;&#x2F;thehackernews.com&#x2F;2016&#x2F;01&#x2F;apple-icloud-imessages.htm...</a> WhatsApp needs to store encrypted backups to prevent this attack.

Does this include file transfers, if so, how?<p>Curious because when sending a .webm video from an Android device to a iOS device, the video file was transcoded on WhatsApp servers and then delivered to the iOS device as H264&#x2F;mp4 (since iOS can not play .webm files)<p>This should no longer be working.

Excellent! 3 questions:<p>- What if the government forces WhatsApp to write and push a targeted software update in order to compromise the end-to-end encryption (I&#x27;m of course thinking of the FBI vs Apple case)? Is there a way for the user to be notified?<p>- Does WhatsApp Auto Backup encrypt messages before sending them to Google Drive or iCloud?<p>- Would it be possible for WhatsApp Web to rely on backend servers storing an encrypted version of messages, instead of relying on a connection to the user&#x27;s phone, and still be able to perform keyword search over the encrypted messages with something like github.com&#x2F;strikeout&#x2F;mylar?

I came here apprehensive because you need UI support for this to work, but reading the article I was pleasantly surprised to see that they implemented all the verification and other bits to make this reasonably visibly secure.<p>Great job from everyone, I&#x27;m glad WhatsApp has done this. I look forward to these features on my device.

Great news. I&#x27;m just wondering why Facebook&#x2F;Zuck is doing this. Is he fearing the competition–all the other E2E messengers out there?<p>I&#x27;m asking because I could imagine that Whatsapp might get banned in some countries soon (as recently happened in Brazil) and thus, lose market share.

I&#x27;m looking at libaxolotl-c. I&#x27;m a little bit disturbed about perfect forward&#x2F;future secrecy. Perfect forward secrecy ensure that a session key cannot be compromised if a long-term key is compromised in future. With something like OTR even if a session key is compromised at n, session key at n-1 or n+1 will not be compromised. Here, we got perfect forward&#x2F;future secrecy.<p>If i take a look at axolotl, in scenario <i>Alice send message to bob when Bob is offline</i>:<p>(1) , (2)<p>MK = HMAC-HASH(CKs, &quot;0&quot;) &#x2F;&#x2F; (3)<p>msg = Enc(HKs, Ns || PNs || DHRs) || Enc(MK, plaintext)<p>Ns = Ns + 1<p>CKs = HMAC-HASH(CKs, &quot;1&quot;) &#x2F;&#x2F; (4)<p>return msg<p>We can see that Alice re-use CKs to get a new symmetric key. So if an attacker get CKs(n) he could easily compute CKs(n+1) CKs is not a long term key, but we cannot honestly call this _perfect_ futur secrecy... One more thing, if I remember correctly, according of perfect forward secrecy definition, an implementation must NOT re-use previous session key to derive a new one ...<p>I&#x27;m wrong ?<p>(1) Quoted from <a href="https:&#x2F;&#x2F;github.com&#x2F;trevp&#x2F;axolotl&#x2F;wiki" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;trevp&#x2F;axolotl&#x2F;wiki</a><p>(2) see session_cipher_get_or_create_message_keys (<a href="https:&#x2F;&#x2F;github.com&#x2F;WhisperSystems&#x2F;libaxolotl-c&#x2F;blob&#x2F;0640b5accaf207aa51fbf83a7d2cd389c2bd24ad&#x2F;src&#x2F;session_cipher.c#L646" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;WhisperSystems&#x2F;libaxolotl-c&#x2F;blob&#x2F;0640b5ac...</a>)<p>(3) i think we should read MK = HKDF(HMAC-HASH(CKs, 0x00) see ratchet_chain_key_get_message_keys (<a href="https:&#x2F;&#x2F;github.com&#x2F;WhisperSystems&#x2F;libaxolotl-c&#x2F;blob&#x2F;0640b5accaf207aa51fbf83a7d2cd389c2bd24ad&#x2F;src&#x2F;ratchet.c#L162" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;WhisperSystems&#x2F;libaxolotl-c&#x2F;blob&#x2F;0640b5ac...</a>)<p>(4) i think we should read MK = HMAC-HASH(CKs, 0x02) see ratchet_chain_key_create_next (<a href="https:&#x2F;&#x2F;github.com&#x2F;WhisperSystems&#x2F;libaxolotl-c&#x2F;blob&#x2F;0640b5accaf207aa51fbf83a7d2cd389c2bd24ad&#x2F;src&#x2F;ratchet.c#L227" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;WhisperSystems&#x2F;libaxolotl-c&#x2F;blob&#x2F;0640b5ac...</a>)

Does this mean that WhatsApp can talk to Signal Private Messenger app?

Okay, first off: This is great. The most popular messaging app finally gets the security it needed. And we&#x27;ve just rolled out E2E to 1b &#x27;monthly active users&#x27;.<p>However, I have always wondered one thing about WhatsApp: How does it generate any kind of meaningful revenue? Apparently they&#x27;ve ditched the old $1 subscription model [0], and even that was so loosely enforced that I have never paid a single cent for WhatsApp in my life--and never will (got it while it was free on the iOS App Store and now have a &#x27;Lifetime&#x27; subscription, if they don&#x27;t change those at some point). And even back then, maybe half of their 900m monthly active users [1] were iOS users who paid only once, and the rest may have dodged the fee in various ways. I have a really hard time believing the revenues so gained could ever actually cover the cost of R&amp;D (especially for so many platforms) and infrastructure (which should be huge, given the amount of data they shift). Now they say they want customers to use WhatsApp as a platform, the way Facebook Messenger is doing it, but I&#x27;m not seeing any of those features implemented anywhere. I always assumed there was some heavy data analysis going on behind the scenes--which would have been fair, I guess, since we&#x27;re neither being shown ads nor really paying. Facebook&#x27;s involvement added to that conviction. Now that they&#x27;re encrypting everything (which, again, is wonderful), they can&#x27;t analyze what is really, really interesting data anymore (keywords, etc.). And it&#x27;s not like there was a public outcry for them to take this step--I would guess that not many end users actually appreciate the importance of E2E encryption.<p>So the question remains: How are they making money? You still have metadata (I presume), but then again, how do they use this data to make money if they can&#x27;t always match it to a Facebook profile (where they can show you ads), and also, does this data really provide such a big improvement over all the data collected by Facebook and Facebook messenger? It just seems strange to me that WhatsApp apparently does not want to make any money.<p>Does anyone have any insight on this? What am I missing?<p>[0]: <a href="http:&#x2F;&#x2F;www.cnet.com&#x2F;news&#x2F;whatsapp-kills-1-subscription-fee&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.cnet.com&#x2F;news&#x2F;whatsapp-kills-1-subscription-fee&#x2F;</a> [1]: <a href="http:&#x2F;&#x2F;qz.com&#x2F;495419&#x2F;whatsapp-has-900-million-monthly-active-users-but-still-no-business-model&#x2F;" rel="nofollow">http:&#x2F;&#x2F;qz.com&#x2F;495419&#x2F;whatsapp-has-900-million-monthly-active...</a>

That&#x27;s great news - secure-by-default is a huge thing, since it makes encrypted communication more normal. If most of your real-time communication is encrypted, then when and to whom you used encrypted communication isn&#x27;t leaking valuable information.<p>The next step is some kind of noise injection into the metadata. There are almost certainly ways to look at who is chatting with who when. It&#x27;d be fantastic to automatically generate realistic-looking traffic to hide the normal stuff within. Plus, you&#x27;d be adding deniability to any communication you&#x27;re having.<p>There&#x27;s likely some pretty severe battery usage issues with it. If you offload the metadata fuzzing to a proxy server of some sort, then you&#x27;re adding a vector to filter out that fuzz. It might be too big of a technical tradeoff to be worthwhile.

Great, now I really hope Telegram folks realise how much they already lost for not having open sourced their servers. Here in Brazil they&#x27;ve lost a huge amount of community power to Actor, which doesn&#x27;t even have encryption.<p>Now, it&#x27;s a shame Whatsapp doesn&#x27;t have an open source client as well. As much as I appreciate encryption, it still looks like we&#x27;re not going anywhere with a closed sourced program that is a pain in the arse to run on Linux.

Telegram secret chats are device specific which means you can&#x27;t recover them if you get a new phone. How can Whatsapp recover encrypted chats on iCloud?

Whatsapp&#x27;s own post:<p><a href="https:&#x2F;&#x2F;blog.whatsapp.com&#x2F;10000618&#x2F;End-to-end-encryption" rel="nofollow">https:&#x2F;&#x2F;blog.whatsapp.com&#x2F;10000618&#x2F;End-to-end-encryption</a><p>I&#x27;m grateful Whatsapp itself finally made a public statement about this as well, but I would hope they would go a step further and integrate this new change into its Privacy Policy as well.<p>Then they would be at least <i>somewhat</i> legally committed to using end-to-end encryption for the foreseeable future in which they&#x27;ll keep using e2e encryption. I&#x27;d have a little more trust in them that they aren&#x27;t just going to drop the E2E encryption for various individuals with just a phone call from government officials.

moxie: Does this mean that both Facebook and Signal servers are unable to see the plaintext?<p>(I would assume so, but I would like to have it confirmed. From someone who actually knows what he&#x27;s talking about.)

Kind of weird but I got the message claiming my chats were e2e encrypted but when testing it with a friend, his said no such thing, and his client claimed mine was out of date and our messages were NOT encrypted, despite there being a lock my side.<p><a href="https:&#x2F;&#x2F;imgur.com&#x2F;a&#x2F;pgJsH" rel="nofollow">https:&#x2F;&#x2F;imgur.com&#x2F;a&#x2F;pgJsH</a><p>This is kind of worrying. I&#x27;m sure it&#x27;s not malicious but I have literally no idea if things are encrypted right now.

&gt; The Signal Protocol library used by WhatsApp is Open Source, available here: <a href="https:&#x2F;&#x2F;github.com&#x2F;whispersystems&#x2F;libsignal-protocol-java&#x2F;" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;whispersystems&#x2F;libsignal-protocol-java&#x2F;</a><p><a href="https:&#x2F;&#x2F;www.whatsapp.com&#x2F;security&#x2F;WhatsApp-Security-Whitepaper.pdf" rel="nofollow">https:&#x2F;&#x2F;www.whatsapp.com&#x2F;security&#x2F;WhatsApp-Security-Whitepap...</a>

Does anyone know how the WhatsApp backup to Google Drive is encrypted? If so, how can it be decrypted so easily from a new phone with the same number. Clearly either WhatsApp or Google have to store a key - or am I missing something here?

Much appreciated! Girls behind me in the train were already freaking out about the message which popped up in the chats. I guess they don&#x27;t really understand the value :)

OT but <a href="https:&#x2F;&#x2F;whispersystems.org&#x2F;workworkwork&#x2F;" rel="nofollow">https:&#x2F;&#x2F;whispersystems.org&#x2F;workworkwork&#x2F;</a> was great to read. I would definitely apply if I was in the market for a job.

Is it still the case that verifying a user&#x27;s text identity does not verify their voice identity and vice versa?<p>IMO it would be very nice if calling someone and verifying the short code would confirm their text identity as well and if, once someone&#x27;s text identity is verified, if voice calls to that person were protected by the verified text identity.<p>(IIRC the reason that Signal does not work this way is that texts use Axolotl whereas voice uses ZRTP and the key material is completely independent.)

Does anyone know if WhatsApp still stores your master key? I assume you can still reset your password.<p>If so, kind of makes you wonder what you really buy by adding the axolotl protocol. Thoughts?

Very cool, but I wonder when it&#x27;ll be possible to key Signal off of something other than my phone number, and when it will be possible to support multiple accounts (e.g. phone numbers) on a single device. Also, I wonder when it&#x27;ll be possible for me to successfully reset Signal registration.<p>And when I&#x27;ll be able to share my certifications of contacts with other contacts …

How does this compare with Telegram?

Looks like they feel threatened by Telegram growth, which means Telegram is doing quite well.

I am not seeing the information about encryption they mention in any of my chat details on the iOS client. Is this part Android only or did simply non of my contacts upgrade yet? I have version 2.16.1<p>edit: After a while it now shows up with certain contacts for me

Cool! Though am I the only one wondering how this fits into FB&#x27;s plans? I suppose they still get all contacts and know how frequently I contact them, which builds very valuable info. (Something MSN Messenger never leveraged, sigh.) I&#x27;m still very hesitant about ever trusting anything to FB.<p>Apparently by default there&#x27;s no notification of changed keys: &quot;WhatsApp users can opt in to a preference which notifies them every time the security code for a contact changes&quot;. I guess the question is, does this preference get sent to the server or exposed any other way? If it doesn&#x27;t then it might be too risky to use this as an attack channel.

One thing that&#x27;s odd about this is that it&#x27;s phone only, so they need your phone number. It would be a million times better if it were an android app you could sideload onto any device and use anonymously; exchanging your contact details anonymously. It&#x27;s hard to see how whatsapp can legally&#x2F;technically defeat a request for `which contacts does this person communicate with`. The same goes for the Signal app too. Am I missing something here? Clearly none of the protocols require phone numbers, so why do the implementations?

So exactly how do group chats work in Signal Protocol?

How is the WhatsApp contact list data handled? Is it completely encrypted too or does Facebook have access to it?

How does this effect web.whatsapp.com?

So does this seriously mean that if verified FBI &#x2F;NSA or anyone else would have a tough time reading your messages. I just find it hard to believe if Facebook owns Whatsapp that they wouldn&#x27;t create some form of backdoor.<p>Total security layman speaking here.

I assume old versions can still connect, and therefore there are legacy unencrypted modes. Is there any protection against downgrade attacks?

Would it be possible for WhatsApp to be compelled to provide both parties&#x27; private keys&#x2F;state representing same, and any other data resorted ml required, such that messages could be captured and decoded, spoofed etc?

What is the incentive for Facebook to add encryption here to WhatsApp? Don&#x27;t they want to mine every piece of data about every person that they can? I can&#x27;t imagine there is that much customer demand?

I&#x27;d really like the option to send SMS to non-whatsapp users with a GUI signaling that this is happening (and an option to disallow this). Balancing multiple text clients sucks.

What about system-level notifications? They go via Apple&#x2F;Google and include message content. If those are not encrypted, then this sort of defeats the purpose...

Just out of curiosity, this update isn&#x27;t just magically available for current versions. Users need to actually update their apps in order to use the new protocol, yes?

Signal&#x27;s stuff is all GPL&#x27;d (AFAIK). Does this mean that WhatsApp&#x27;s clients (and whatever else would apply) are also released under the GPL?

Also all URIs sent on whatsapp now open with https!

Mainstream cryptography is the new snake oil elixir.<p>Just replace cure-all-diseases secret ingredient from mysterious land with unbreakable secure algorithm that takes trillions of years to crack.<p>The algorithm is only secure under specific circumstances. The implementation might be not secure, the hardware it runs on can be tampered, the advertised security could only be the best case scenario but some protocols degrade encryption during handshakes... and you can start simplifying the thing by several orders of magnitude.

&gt; As of today, the integration is fully complete. Users running the most recent versions of WhatsApp on any platform now get full end to end encryption for every message they send and every WhatsApp call they make when communicating with each other<p>Emphasizing &quot;running the most recent versions of WhatsApp&quot;, does this mean the fancy new protocol can still be downgraded to the old one by an older client? I&#x27;d save the fanfare for a few more months yet

Anyone else reading the headline in Emperor Palpatine&#x27;s voice?

Is it open source? I can&#x27;t find the source code anywhere.

Signal is a protcol not an app!? Sweet jesus yes!

What next? Will they open-source the client?

According to WhatsApp security whitepaper, strp master key is sent throw network. Even inside encrypted payload, it breaks pfs...

absolutely no proof it is e2e encrypted without the source.

I should use this as a strong argument for the rest of my no-please-not-another-instant-messenger-i-stay-with-whatsapp-contacts:<p>When whatsapp is implementing the signal protocol, why should one use whatsapp in the first place?[1]<p>I hope this good advertisement gives signal another round of traction.<p>[1] Ok, you&#x27;ve got me. The less techie contacts will swing the feature-bat and the other already use signal.