Want security? Make it simple.

by Volker Weber


You take two years to build out an infrastructure. You build out all the client software. And then, one day, you switch it on.


Secure messaging for a billion people.

WhatsApp, of all companies, has done it. Security researchers used to ridicule them for bad practices, for instance when they did client-side security for establishing identity. But in the end, simplicity won.

WhatsApp is simple. There are no usernames, there are no passwords, no buddy lists, nothing. You install it, you run it, you verify your phone number. Bang. You're in. All your friends show up.

With that same simplicity you now get secure messaging. This is how you do it. It has to be simple.

[And yes, there is still a market for people who like it complicated.]


Unfortunately it's a matter of time until Mr. Zuckerberg knocks on Koum's door asking how to make money.

Valentin Woelm, 2016-04-05

In the end, we are all dead.

Volker Weber, 2016-04-05

This is really huge. Imagine the emergency meetings and long nights in the intelligence services. All to no avail... There IS metadata, yes. But no more content.

I am so impressed. We all do projects. Small ones with hundreds of users / customers. Medium ones with thousands. Maybe even bigger ones. A million? Hardly. An effing billion? In a big bang rollout? With several different clients on platforms hugely different?? Respect. And balls of steel.

Hubert Stettner, 2016-04-05

Keep it simple, shithead! (Or did KISS stand for something else?)

Scott Hanson, 2016-04-05

There is one problem. On my Windows Phone it shows that the chat is encrypted, but on the chat partner's Android it shows that the chat is unencrypted.

Max Bauer, 2016-04-06

Where would I see that on Android and where on iOS?

Ragnar Schierholz, 2016-04-06

Max, that is a problem. Let me know what you find out.

Ragnar, tap the chat header.

Volker Weber, 2016-04-06

Still no reason to use WhatsApp. I just hate the idea that other people I gave my data only for their use give them away without asking me, or better get forced to do so.

Wolfram Votteler, 2016-04-06

Ah, it seems you need to check the user info or group chat info.

Ragnar Schierholz, 2016-04-06

Small children do that. They cover their eyes and deem themselves invisible. ;-)

Volker Weber, 2016-04-06

Their white paper mentioned that this is available with "WhatsApp client software released after March 31, 2016", but when I visit the Google Play store, it shows WhatsApp version 4.4 with a release date of March 24, 2016 (on a Nexus 5, Android 6.0.1, Patch level March 1, 2016).
I don't think there are different waves of rolling out updates via the Play store (similar to the waves of OTA firmware updates). Am I wrong?

Ragnar Schierholz, 2016-04-06

I see April 5 here: https://play.google.com/store/apps/details?id=com.whatsapp

Volker Weber, 2016-04-06

How do you know this is secure? Is there an independent assessment published anywhere?

Andy Mell, 2016-04-06

Ah, I have been waiting for that. ;-)

Volker Weber, 2016-04-06

Wolfram, I have grown cynical of it. You can either use the comfort or not. 'They' will have and get your data anyway. You are free to choose :) BTW, I think I might TM 'Cloudfurcht' someday.

Max, for me it was the other way round, Windows 10 Mobile showed it insecure, iOS showed the same chat secure. I suppose, I could have simply waited. I quickly uninstalled and reinstalled it, all is fine, since. I would suggest switching the iPhone off and on again or simply wait.

Andy, there are several indicators:
- the creator is Moxie Marlinspike. Ed would use his Messenger. Google the rest, this would be nuff said anyway.
- there is a whitepaper about it. Have you read it?
- and the best part: Hordes of researchers are doing exactly what you said. Wait a little :)

Hubert Stettner, 2016-04-06

Exactly. Moxie does not ship shit. And people will try to break it. After all, this is against the rules. Easy encryption! How dare they?

Volker Weber, 2016-04-06

Bye Telegram

Alper Iseri, 2016-04-06

Some things to note:
WhatsApp has had solid encryption for text messages for quite a while now.
This is the final piece - enabling/enforcing encryption on all types of message (voice calls, videos, pictures, and all other message types on every supported platform.)

Brazil was very unhappy with how solid WhatsApp's encryption is for text messaging:

Craig Wiseman, 2016-04-06

@Craig, the Brazilian judge's court order was based on a telecom provider's injunction which was not related to "WhatsApp's encryption" but rather how the app provides voice calling but is not subject to regulation as the cellphone providers are.

Dan Silva (@dansilva), 2016-04-06

@Dan The injunction was based on WhatsApp not being able to respond to the request because they can't access the encrypted messages:


"The first criminal court of São Bernardo do Campo said in a statement: “WhatsApp did not respond to a court order, dated 23 July, 2015. On 7 August, 2015, the company was notified again of being subject to fixed penalty in case of non-compliance.”

Failure of WhatsApp to respond to the court orders led “the prosecution to request the blocking of services for a period of 48 hours, based on the law of the Civil the internet Marco, which was granted by Judge Sandra Regina Nostre Marques”."

Craig Wiseman, 2016-04-06


"The court case in Brazil centered around drug traffickers who used WhatsApp to message about specific crimes, according to Reuters. WhatsApp offers end-to-end encryption, which means that messages sent using the app are only readable on a user’s phone, not Facebook or WhatsApp servers. That makes it impossible for WhatsApp to collect those messages or hand them over to authorities, Facebook argues."


Craig Wiseman, 2016-04-06

However, you are absolutely right in that the roots of the situation were the telecoms trying to 'get' WhatsApp.
Like telecoms in most other countries, they are scared of the competition and unable to adapt, so they try the legal route.
It won't work.

Craig Wiseman, 2016-04-06

One day later the Android also shows that the chat between the Windows Phone and the Android is encrypted.

I find it odd that one chat partner's phone shows encrypted and the other unencrypted. That should not be possible.

Max Bauer, 2016-04-07
