Recently the Guardian published an article titled “WhatsApp vulnerability allows snooping on encrypted messages“, detailing how this can be a huge threat to freedom of speech. According to the article,
WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman.
However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.
The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.
There has been an outcry by Open Whisper Systems, the team behind end-to-end encryption in WhatsApp. In a blog post, the begin with:
Today, the Guardian published a story falsely claiming that WhatsApp’s end to end encryption contains a “backdoor.”
The blog post has this to say about the Guardian article:
The way this story has been reported has been disappointing. There are many quotes in the article, but it seems that the Guardian put very little effort into verifying the original technical claims they’ve made. Even though we are the creators of the encryption protocol supposedly “backdoored” by WhatsApp, we were not asked for comment.
Instead, most of the quotes in the story are from policy and advocacy organizations who seem to have been asked “WhatsApp put a backdoor in their encryption, do you think that’s bad?”
We believe that it is important to honestly and accurately evaluate the choices that organizations like WhatsApp or Facebook make. There are many things to criticize Facebook for; running a product that deployed end-to-end encryption by default for over a billion people is not one of them.
It is great that the Guardian thinks privacy is something their readers should be concerned about. However, running a story like this without taking the time to carefully evaluate claims of a “backdoor” will ultimately only hurt their readers. It has the potential to drive them away from a well engineered and carefully considered system to much more dangerous products that make truly false claims. Since the story has been published, we have repeatedly reached out to the author and the editors at the Guardian, but have received no response.
We believe that WhatsApp remains a great choice for users concerned with the privacy of their message content.
What the Guardian article says is that WhatsApp has a security flaw that allows Facebook to snoop into the messages being exchanged by WhatsApp users. If Facebook can snoop around, then so can government agencies in the name of legitimate security needs.
End-to-end encryption means the message is encrypted as soon as it leaves your mobile phone and it is encrypted even when it reaches the mobile phone of the recipient. Encryption keys are created on both the ends. But, as it happens often, sometimes when someone sends a WhatsApp message, the recipient is off-line. This means the encryption key while works from the sender’s side, does not work at the recipient’s side. During that time the message is in limbo. Then, when the recipient comes online, new encryption key is created. It is this period when the so-called flaw can be exploited by anyone who would like to access the WhatsApp message
Whether it is a hit job or not, I think Guardian has a valid point. For example, I think this tweet is very brazen about the vulnerability of the encryption technology that is used in WhatsApp:
It's ridiculous that this is presented as a backdoor. If you don't verify keys, authenticity of keys is not guaranteed. Well known fact.
— Frederic Jacobs (@FredericJacobs) January 13, 2017
It’s like saying that it’s too bad that the WhatsApp encryption vulnerability can be exploited if you don’t verify the keys. It’s too bad that a recipient is off-line and the complete process of encryption cannot take place. If this really is a vulnerability, it should be addressed.