Encryption in Google Allo is not on by default

by Volker Weber

The changes also suggest that parties at a much higher pay scale than Duong's are highly resistant to providing the type of end-to-end encryption that's on by default in messaging apps such as Signal and WhatsApp.

Very good analysis by Ars Technica. Allo does not make any sense to Google if they cannot listen to your conversation. Hangouts does not have it, Talk did not have it. And in Allo you have to turn it on each and every time. For Google to do its magic it needs to know what you are talking about.


Comments

I'm glad WhatsApp now encrypts everything by default. I never thought I'd prefer WhatsApp over a Google solution... but hey, still time to learn ;-)

Markus Dierker, 2016-05-21 09:18

To be fair, the headline should probably specify end-to-end encryption. This issue is more nuanced than it appears.
The traffic is encrypted (HTTPS) when leaving the phone, it's just not end-to-end encrypted *within the phone*. This means people can't sniff your traffic externally, but Google assistant can 'help you'. You know, like Clippy.

Craig Wiseman, 2016-05-21 14:34

The bar has been raised. End-to-end encryption is the only thing that counts for data in transit.

You could switch it off for Google to listen. But it has to be on by default.

Volker Weber, 2016-05-21 14:45

Craig, *on the phone* the data exists in unencrypted form necessarily. Otherwise the app couldn't show you the message you received. The point of end-to-end encryption is that the data is encrypted at the sending application and is only decrypted at the receiving application. However, what Google needs is access to the data in their data center and thus the sending app uses HTTPS to encrypt the data on its way to the server, where it is decrypted (and open for analysis, long-term storage, whatever the server owner wants). For the way to the receiving end, it is again encrypted using HTTPS.

There are a number of attack scenarios and privacy concerns towards this setup which are not applicable or as easily applicable to true end-to-end encryption.

Ragnar Schierholz, 2016-05-22 12:43
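
The two setups described in the comment above, modelled as an added example that is not part of the original post or its comments. It assumes pre-shared keys stand in for the two HTTPS sessions and for the end-to-end key agreement, and it uses an HMAC-based encrypt-then-MAC construction as a standard-library stand-in for a real AEAD cipher; the names `Relay`, `send`, `seal` and `open_` are hypothetical.

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: illustration-only stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC; output layout is nonce (16) || ciphertext || tag (32).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Relay:
    """The service operator: it terminates one transport session per client."""
    def __init__(self, k_sender, k_receiver):
        self.k_sender, self.k_receiver = k_sender, k_receiver
        self.readable = []  # every payload the operator can read, store or analyse

    def forward(self, wire):
        payload = open_(self.k_sender, wire)   # first transport hop ends here
        self.readable.append(payload)
        return seal(self.k_receiver, payload)  # re-encrypted for the second hop

def send(message, relay, k_sender, k_receiver, e2e_key=None):
    # With e2e_key set, the message is sealed before it enters the transport layer.
    payload = seal(e2e_key, message) if e2e_key else message
    delivered = open_(k_receiver, relay.forward(seal(k_sender, payload)))
    return open_(e2e_key, delivered) if e2e_key else delivered

def demo():
    k_a, k_b, k_e2e = os.urandom(32), os.urandom(32), os.urandom(32)
    relay = Relay(k_a, k_b)
    msg = b"meet at noon"  # constructed sample message
    got_transport_only = send(msg, relay, k_a, k_b)
    got_e2e = send(msg, relay, k_a, k_b, e2e_key=k_e2e)
    return msg, got_transport_only, got_e2e, relay

if __name__ == "__main__":
    print(demo()[3].readable)
```

In both runs the receiver gets the message, but only in the transport-only run does the relay's `readable` list hold the plaintext. In the end-to-end run the relay still learns that a message was sent and roughly how long it was.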
