{"id":203,"date":"2017-01-18T21:32:15","date_gmt":"2017-01-19T02:32:15","guid":{"rendered":"https:\/\/sites.bu.edu\/perryd\/?p=203"},"modified":"2017-01-18T21:32:15","modified_gmt":"2017-01-19T02:32:15","slug":"i-still-think-whatsapp-has-a-security-problem","status":"publish","type":"post","link":"https:\/\/sites.bu.edu\/perryd\/2017\/01\/18\/i-still-think-whatsapp-has-a-security-problem\/","title":{"rendered":"I still think WhatsApp has a security problem"},"content":{"rendered":"<p>Last week The Guardian <a href=\"https:\/\/www.theguardian.com\/technology\/2017\/jan\/13\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\">ran a story<\/a> that claimed a backdoor was embedded in Facebook&#8217;s WhatsApp messaging service. Bloggers went nuts as we do when it looks like there&#8217;s some nefarious code lurking in a popular application, and of course Facebook is a favorite target of everybody. I <a href=\"https:\/\/twitter.com\/perrydBUCS\/status\/820077048312041472\">tweeted my disdain<\/a>\u00a0for WhatsApp moments after reading the article, pointing out that when it comes to secure communication, closed-source code just doesn&#8217;t cut it.<\/p>\n<p>Today\u00a0Joseph Bonneau and Erica Portnoy\u00a0over at <a href=\"https:\/\/eff.org\">EFF<\/a> posted a <a href=\"https:\/\/www.eff.org\/deeplinks\/2017\/01\/google-launches-key-transparency-while-tradeoff-whatsapp-called-backdoor\">very good analysis<\/a> of what WhatsApp is actually doing in this case. It turns out that the purported back door is really a design decision by the WhatsApp team; they are choosing reliability over security. The quick explanation is that if a WhatsApp user changes his or her encryption key, the app will, behind the scenes, re-encrypt a pending message with the new key in order to make sure it is delivered. The intent is to not drop any messages.<\/p>\n<p>Unfortunately, by choosing reliability (no dropped messages), WhatsApp has opened up a fairly large hole in which a malicious third party could spoof a key change and retrieve messages intended for someone else.<\/p>\n<p>EFF&#8217;s article does a very good job of explaining the risk, but I think it fails to drive home the point that this behavior makes WhatsApp completely unusable for anyone who is depending on secrecy. You won&#8217;t know that your communication has been compromised until it&#8217;s already happened.<\/p>\n<p><a href=\"https:\/\/whispersystems.org\">Signal<\/a>, the app that WhatsApp is built on, uses a different, secure behavior that will drop the message if a key change is detected.<\/p>\n<p>Casual users of WhatsApp won&#8217;t care one way or another about this. However, Facebook is promoting the security of WhatsApp and implying that it is as strong as Signal when it in fact isn&#8217;t. To me this is worse than having no security at all&#8230;in that case you at least know exactly what you are getting. It says to me that Facebook&#8217;s management team doesn&#8217;t really care about security in WhatsApp and are just using end-to-end encryption as a marketing tool.<\/p>\n<p>Signal has its own problems, but it is the most reliable internet-connected messaging app in popular use right now. I only hope that Facebook&#8217;s decision to choose convenience over security doesn&#8217;t get someone hurt.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week The Guardian ran a story that claimed a backdoor was embedded in Facebook&#8217;s WhatsApp messaging service. Bloggers went nuts as we do when it looks like there&#8217;s some nefarious code lurking in a popular application, and of course Facebook is a favorite target of everybody. I tweeted my disdain\u00a0for WhatsApp moments after reading [&hellip;]<\/p>\n","protected":false},"author":11388,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7,8,20],"tags":[],"_links":{"self":[{"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/posts\/203"}],"collection":[{"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/users\/11388"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/comments?post=203"}],"version-history":[{"count":1,"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/posts\/203\/revisions"}],"predecessor-version":[{"id":204,"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/posts\/203\/revisions\/204"}],"wp:attachment":[{"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/media?parent=203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/categories?post=203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sites.bu.edu\/perryd\/wp-json\/wp\/v2\/tags?post=203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}