WhatsApp Rolls Out End-To-End Encryption to Its Over 1B Users

It&#x27;s great that WhatsApp can&#x27;t see my cat pictures anymore. But there are 2 privacy and free speech issues that are not met.<p>Firstly META DATA. They know who I contact, when I contact them and how frequently. So people could derive information about me based on who I talk to.<p>Secondly, they can ban me.<p>Perhaps the EFF need to add more criteria to their secure message score card. <a href="https:&#x2F;&#x2F;www.eff.org&#x2F;secure-messaging-scorecard" rel="nofollow">https:&#x2F;&#x2F;www.eff.org&#x2F;secure-messaging-scorecard</a><p>But on the whole, a positive move.

Apps that force you to give them (and everyone else) your phone numbers for .. ummm ... &quot;contact discovery&quot; and yet talk about privacy are a bit of a contradiction.<p>No plausible reason for why apps like WhatsApp (and Signal) couldn&#x27;t use e-mail addresses for this. Or at least provide it as an alternative. It&#x27;s even problematic for people who change phone numbers, have multiple phones, want to use desktop clients, etc<p>My opinion: if it requires a phone number, it&#x27;s not really interested in privacy. Move on.

EFF should stop with this silly scorecard. I hate the thing because it&#x27;s inaccurate and incoherent (arguments I&#x27;ve made ad nauseam elsewhere on HN), but on this thread you can see another good reason: it makes EFF the ref, and crowds always try to work the ref.<p>So whatever &quot;score&quot; WhatsApp gets, it&#x27;s the wrong score, because: not open source; because: runs on iPhones; because: metadata; because: Facebook is evil, &amp;c.

This is quite a cavalier recommendation for proprietary unaudited (for the public at least) spyware that uploads your phone book to a company participating in PRISM.

Doesn&#x27;t appear to mention metadata at all.<p>While metadata is somewhat tangential to the actual encryption, it&#x27;s still a vital part of a truly secure messaging platform - who we talk to reveals quite a lot about us.<p>I&#x27;m not sure how solvable this is without sacrificing the usability that makes whatsapp as nice to use as it is, and I certainly don&#x27;t want to take away from how great it is that they&#x27;ve done this - but it is important not to lose sight of the fact that encrypting the contents of your messages is only one part of the puzzle.

Too bad 8&#x2F;10 of your contacts have automatic backups to iCloud or Google Drive enabled. Kind of defeats the idea of &quot;end-to-end&quot;. More like end-to-end-to-cloud.

That&#x27;s nice. What I really want to know is, can Mark Zuckerberg read my messages? Do WhatsApp servers have access to the private keys needed to decrypt my communications? If the answer to those questions is &quot;yes&quot;, then it&#x27;s great that we are now protected from most cybercriminals, but the NSA is probably monitoring our messages. If the answer to those questions is &quot;no&quot;, I may actually decide to start using WhatsApp.

EFF recommending closed source clients, erm they just drop in my esteem.

But WhatsApp requires a phone number, and requires that the recipient (of your message) have your number in their contacts list (or at least you should have their number in your contacts). Once your number (and your contacts&#x27;) have been leaked to WhatsApp, enough metadata has been leaked to make communication risky.<p>Why doesn&#x27;t WhatsApp allow anonymous communication? I should be able to create ephemeral WhatsApp &quot;IDs&quot;, and anyome who knows my &quot;ID&quot; should be able to communicate with me anonymously and securely, no strings attached.

This is a bit weird. I don&#x27;t believe WhatsApp are lying but there&#x27;s absolutely no proof they&#x27;re not.<p>I could release a closed source app with a bunch of padlocks in it and copy&#x2F;paste their white paper and have exactly the same level of proof of security. Would I get a 7&#x2F;10 from EFF?

It&#x27;s important to point out that all the Whisper Systems code is open source (<a href="https:&#x2F;&#x2F;github.com&#x2F;whispersystems&#x2F;" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;whispersystems&#x2F;</a>). So if you have concerns, go read their code. Some of the best minds in security have, and they&#x27;ve come away with good things to say. There&#x27;s a desktop version of Signal coming, which I&#x27;d personally be inclined to use over WhatsApp, but this is still a fantastic move.

It&#x27;s an improvement, but proper end-to-end encryption on unsafe devices is about as useful as seat belts on an airplane.

I am still trying to wrap my head around privacy in the modern age, and this triggered something for me - this is the end of the privacy-at-a-distance problem.<p>There is a large body of law around making distance communication private (&quot;secure in ones papers&quot; I think is the phrase from American law. Not allowing people to steam open your letters etc)<p>This move, which I am including the inevitable &quot;pgp emails using whatsapp collected public&#x2F;private keys&quot; seems destined to end the problem - two hundred years of law, one code release.<p>Really sure an email app will be next now they are building a base of secure keys<p>Edit: it&#x27;s now the purview of regulation to require me to keep &#x2F; handover private conversations as pre-Snowden and that seems a good thing. It forces surveillance to be active and open once again

I am so cynical (or is that realistic?) these days, that I would not trust the encryption on WhatsApp as far as I can throw a large, adult saltwater crocodile.

web.whatsapp.com still works, so clearly it&#x27;s possible for something outside my phone to gain access to my phone generated keys. That doesn&#x27;t seem backdoorable to me &#x2F;s.

This is quite a big win for privacy. If you use Whisper, Tor or most of the other privacy minded communications mediums, you are in a small minority so you stand out. Because a very large part of the population is using Whatsapp this allows you to communicate privately without standing out.

What happens when I log on to WhatsApp Web? How they send my private key from my phone to my web browser?

Has the WhatsApp code been audited by trusted third parties? I know it&#x27;s not quite as good as it being open source, but if we had people we trust audit it, that seems like a good step. Also, disassembly and teardown.<p>I think something this big needs people to really really scrutinise it.

How does the WhatsApp encryption model differ from Apple&#x27;s iMessage encryption model?<p>- In iMessage, Apple handles key distribution, so if I&#x27;m in your contacts, I know the keys for all of your Apple devices. (I&#x27;m guessing the private key stays on the device, but I&#x27;m not sure).<p>- iMessage seems to provide no way of verifying someone&#x27;s key fingerprint.<p>- On the other hand, whatsApp seems to force you and your contacts to meet at a Starbucks so you can distribute and sign each other&#x27;s public keys. Interesting.<p>What other differences are there?<p>(to make this easier, let&#x27;s assume that both companies implemented the system the way they claim they did)

Fantastic news - gets us closer to most Internet traffic being encrypted.<p>I have seen complaints that meta data is not hidden, that is, there is a record with who you communicate with.<p>I might have an unpopular opinion here, but I don&#x27;t think that having the meta data unhidden is in general such a bad thing. I am happy having my communications secure but having who I communicate with potentially public knowledge. Fair compromise.<p>For whistleblowers, protecting metadata is important, so use something else.

Garden path questions:<p>What&#x27;s the easiest way to get a copy of your own WhatsApp private key from your phone?<p>What&#x27;s the easiest way to get a copy of your friend&#x27;s WhatsApp private key from their phone?<p>What if the phone is rooted, or you can root it?<p>What if they won&#x27;t hand you the phone?<p>What if they are on your specially built wifi?<p>What if you have a fake cell tower?<p>What if you have a real cell tower?<p>What if you have a different makes&#x2F;models of phone?<p>for fun: s&#x2F;phone&#x2F;debian laptop&#x2F;g

Get the sense that EFF didn&#x27;t even talk to any of the parties involved before posting their review, and to me, given how much weight they carry in the community, it&#x27;s unclear why they didn&#x27;t.

Why some people got &quot;you are end to end encrypted with your friend&quot; while their same friend got &quot;the connection is not end to end encrypted with your friend&quot;?

Is there a way to build and deploy whatsapp from source?

What? How can you give it 6&#x2F;7 stars if you don&#x27;t even know what holes are in the code?

I hope I can get my friends to switch to actor IM [1] or some other open source solution that doesn&#x27;t suck. In the end all these chat systems turn into crap full of ads even if they aren&#x27;t spying on you.<p>[1] <a href="https:&#x2F;&#x2F;actor.im&#x2F;" rel="nofollow">https:&#x2F;&#x2F;actor.im&#x2F;</a>