Want security? Make it simple.

by Volker Weber

ZZ42528B46

You take two years to build out an infrastructure. You build out all the client software. And then, one day, you switch it on.

Bang.

Secure messaging for a billion people.

WhatsApp, of all companies, has done it. Security researchers used to ridicule them for bad practices. When they did client side security for establishing identity for instance. But in the end, simplicity won.

WhatsApp is simple. There are no usernames, there are no passwords, no buddy lists, nothing. You install it, you run it, you verify your phone number. Bang. You're in. All your friends show up.

With that same simplicity you now get secure messaging. This is how you do it. It has to be simple.

[And yes, there is still a market for people who like it complicated.]

Comments

Unfortunately it's a matter of time until Mr. Zuckerberg knocks on Koums door asking how to make money.

Valentin Woelm, 2016-04-05

In the end, we are all dead.

Volker Weber, 2016-04-05

This is really huge. Imagine the emergency meetings and long nights in the intelligence services. All to no avail... There IS metadata, yes. But no more content.

I am so impressed. We all do projects. Small ones with hundreds of users / customers. Medium ones with thousands. Maybe even bigger ones. A million? Hardly. An effing billion? In a big bang rollout? With several different clients on platforms hugely different?? Respect. And balls of steel.

Hubert Stettner, 2016-04-05

Keep it simple, shithead! (Or did KISS stand for something else?)

Scott Hanson, 2016-04-05

There is one Problem. On my windowsphone it shows that the chat is encrypted, but on the chat partners android it shows that the chat is unencrypted.

Max Bauer, 2016-04-06

Where would I see that on Android and where on iOS?

Ragnar Schierholz, 2016-04-06

Max, that is a problem. Let me know what you find out.

Ragnar, tap the chat header.

Volker Weber , 2016-04-06

Still no reason to use WhatsApp. I just hate the idea that other people I gave my data only for their use give them away without asking me, or better get forced to do so.

Wolfram Votteler, 2016-04-06

Ah, it seems you need to check the user info or group chat info.

Ragnar Schierholz, 2016-04-06

Small children do that. They cover their eyes and deem themselves invisible. ;-)

Volker Weber , 2016-04-06

Their white paper mentioned that this is available with "WhatsApp client software released after March 31, 2016", but when I visit the Google Play store, it shows WhatsApp version 4.4 with a release date of March 24, 2016 (on a Nexus 5, Android 6.0.1, Patch level Match 1, 2016).
I don't think there are different waves of rolling out updates via the Play store (similar to the waves of OTA firmware updates). Am I wrong ?

Ragnar Schierholz, 2016-04-06

I see April 5 here: https://play.google.com/store/apps/details?id=com.whatsapp

Volker Weber, 2016-04-06

How do you know this is secure? Is there an independent assessment published anywhere

Andy Mell, 2016-04-06

Ah, I have been waiting for that. ;-)

Volker Weber, 2016-04-06

Wolfram, I have grown cynical of it. You can either use the comfort or not. 'They' will have and get your data anyway. You are free to choose :) BTW, I think I might TM 'Cloudfurcht' someday.

Max, for me it was the other way round, Windows 10 Mobile showed it insecure, iOS showed the same chat secure. I suppose, I could have simply waited. I quickly uninstalled and reinstalled it, all is fine, since. I would suggest switching the iPhone off and on again or simply wait.

Andy, there are several indicators:
- the creator is Moxie Marlinspike. Ed would use his Messenger. Google the rest, this would ne nuff said anyway.
- there is a whitepaper about it. Have you read it?
- and the best part: Hordes of researchers are doing exactly what you said. Wait a little :)

Hubert Stettner, 2016-04-06

Exactly. Moxie does not ship shit. And people will try to break it. After all, this is against the rules. Easy encryption! How dare they?

Volker Weber, 2016-04-06

Bye Telegram

Alper Iseri, 2016-04-06

Some things to note:
WhatsAp has had solid encryption for text messages for quite a while now.
This is the final piece - enabling/enforcing encryption on all types of message (voice calls, videos, pictures, and all other message types on every supported platform.)

Brazil was very unhappy with how solid WhatsAp's encryption is for text messaging:
http://www.theverge.com/2015/12/16/10349070/brazil-block-whatsapp-48-hours

Craig Wiseman, 2016-04-06

@Craig, the Brazilian judge's court order was based on a telecom provider's injunction which was not related to "WhatsApp's encryption" but rather how the app provides voice calling but is not subject to regulation as the cellphone providers are.

Dan Silva (@dansilva), 2016-04-06

@Dan The injunction was based on WhatsApp not being able to respond to the request because they can't access the encrypted messages:


https://www.theguardian.com/technology/2015/dec/17/whatsapp-blocked-brazil-48-hours-facebook

"The first criminal court of São Bernardo do Campo said in a statement: “WhatsApp did not respond to a court order, dated 23 July, 2015. On 7 August , 2015, the company was notified again of being subject to fixed penalty in case of non-compliance.”

Failure of WhatsApp to respond to the court orders led “the prosecution to request the blocking of services for a period of 48 hours, based on the law of the Civil the internet Marco, which was granted by Judge Sandra Regina Nostre Marques”."

Craig Wiseman, 2016-04-06

and...

"The court case in Brazil centered around drug traffickers who used WhatsApp to message about specific crimes, according to Reuters. WhatsApp offers end-to-end encryption, which means that messages sent using the app are only readable on a user’s phone, not Facebook or WhatsApp servers. That makes it impossible for WhatsApp to collect those messages or hand them over to authorities, Facebook argues."


Source:
http://recode.net/2015/12/17/the-familiar-culprit-behind-brazils-whatsapp-ban-encryption/

Craig Wiseman, 2016-04-06

@Dan,
However, you are absolutely right in that the roots of the situation were the telecoms trying to 'get' WhatsApp.
Like telecoms in most other countries, they are scared of the competition and unable to adapt, so they try the legal route.
It won't work.

Craig Wiseman, 2016-04-06

One day later also the Android shows that the chat between the windowsphone and the android is encrypted.

I find it odd that one chat partners phone shows encrypted and the other unencrypted. That should not be possible.

Max Bauer, 2016-04-07

Recent comments

Simon Laule on (Not) Losing Health Data When Upgrading a iPhone at 20:20
Frank Köhler on From my inbox at 19:25
Armin Grewe on Fueling the fire on social media at 19:23
Volker Weber on From my inbox at 17:58
Axel Koerv on From my inbox at 17:57
Johannes Matzke on Old iPad Pro 9.7 vs new iPad Pro 12.9 at 17:27
Heiko Wolf on Apple Pay in den Startlöchern at 14:41
Christian Andres on Motif :: Fotobücher wie von Apple at 13:52
Mick Moignard on Fueling the fire on social media at 13:10
Patrick Bohr on Old iPad Pro 9.7 vs new iPad Pro 12.9 at 12:54
Patrick Bohr on (Not) Losing Health Data When Upgrading a iPhone at 11:38
Alexander Koch on Apple Pay in den Startlöchern at 11:32
Matthias Welling on (Not) Losing Health Data When Upgrading a iPhone at 11:15
Michael Sampson on Old iPad Pro 9.7 vs new iPad Pro 12.9 at 05:27
Johannes Matzke on Old iPad Pro 9.7 vs new iPad Pro 12.9 at 21:55
Volker Weber on Old iPad Pro 9.7 vs new iPad Pro 12.9 at 16:20
Dominique Roller on Old iPad Pro 9.7 vs new iPad Pro 12.9 at 15:19
Ragnar Schierholz on Text selection with two fingers at 13:46
Samuel Orsenne on Wie schnell ist mein USB Type C Port? at 21:56
Volker Neumann on Text selection with two fingers at 21:54
Volker Weber on Text selection with two fingers at 19:58
Theo Heselmans on Text selection with two fingers at 19:55
Bernd Hofmann on File Management with iPad Pro at 18:37
Volker Weber on File Management with iPad Pro at 17:14
Ole Saalmann on File Management with iPad Pro at 16:05

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 20:42

visitors.gif

buy me coffee