When you communicate with someone over the internet, person-to-person, it’s easy to imagine that the message travels like an old-school phone call.
Analogue phone calls weren’t encrypted, and they could be eavesdropped, but they really were end-to-end communications.
The sound went from your mouthpiece, down a long and possibly very convoluted electrical circuit, right into the earpiece of the recipient.
If the recipient wasn’t there, the call couldn’t be saved for later – it simply didn’t happen.
When you add encryption to a circuit-switched call of that sort, as analogue phone scramblers did, the easiest way to do it is also end-to-end.
Your telephone instrument scrambles the voice signal as soon as it leaves the mouthpiece, and the instrument at the other end unscrambles it just before feeding it into the earpiece.
If the scrambling is any good, there’s nothing an eavesdropper can do to listen in, or to make sense of the call along the way, because the voice signal exists as unrecognisable noise all the way along the wire.
But internet communications such as emails and instant messages (IMs) hardly ever work like that.
After all, you probably have some sort of firewall, either in your router or on your computer, that deliberately blocks incoming internet connections, not least to reduce the chance of hackers finding a way in to a private device such as a webcam or a file server.
It’s not really end-to-end at all
When I send a email or an IM to you, it isn’t really end-to-end at all, and (in the strictest sense) it probably isn’t really sent to you.
Loosely speaking, I connect to a server and upload the message, where it sits around until you connect to the server and download it.
That may happen as good as instantaneously, but my computer never actually has a network connection open that transmits data packets directly from my network card to yours.
And when I say “a server,” I may very well mean “a service consisting of a vast collection of global server farms, in dozens of countries, that can deal reliably and redundantly with billions of messages a day from hundreds of millions of users, but which I access by a single, easy-to-remember name as if the whole thing consisted of just one server.”
Such as WhatsApp.
In an environment like that, true end-to-end encryption is much harder than it is for circuit-switched calls or browser-to-web-server connections, because messages may have multiple “ends” during their journey through the network.
For all you know, the message may get decrypted and re-encrypted many times as it is received, stored, queued up and delivered onwards until it’s ready to be downloaded by the recipient.
Does message encryption matter?
Does end-to-end encryption of our internet messages matter?
Yes, it does.
Many people think it doesn’t, on the grounds that they think they have nothing to hide.
What they mean by that is that they aren’t doing anything illegal.
Therefore they’re willing to risk letting other people know all about them in the hope that this will make it easier to catch out cybercrooks, who ought to be in trouble with the law but who currently seem to be getting away with it rather easily.
The problem is that the people who’d most like to eavesdrop on everything you do are those selfsame cybercrooks, and they aren’t interested in finding out whether you’ve broken the law.
They want to know about anything and everything that do you when you aren’t breaking the law, so that they can illegally get a slice of the bona fide parts of your life, such as receiving your salary and spending it.
As an aside, we actually all have things we need to hide, whether we realise it or not. The irony in today’s surveillance-happy society is that we are compelled to hide some of these things in order to be law-abiding ourselves. Securing customer data is a great example: we need to do that not only because it’s morally wrong not to, but also to comply with laws relating to privacy and data protection. Crudely put, the only way to have nothing left to hide is to hide everything.
That’s why we’re pleased to hear WhatsApp’s news that the latest versions of its app support end-to-end encryption, for calls, photos, videos, file transfers, and voice messages.
WhatsApp has a chequered history when it comes to security and encryption, including cooking up its own cryptographic algorithm that relied on randomly-generated encryption keys that were used only once…
…but then using them twice.
Almost exactly two years ago, we wondered whether Facebook’s acquisition of WhatsApp would lead to better security, both technically and culturally, and it’s looking as though the answers are, “Yes, and Yes.”
What WhatsApp did
We’re not going to try to explain the cryptographic details here (you can read a handy technical summary from WhatsApp itself), but the key aspects, if you will pardon the pun, are:
- The service neither generates nor stores your private encryption keys. This applies whether you’re sending or receiving data.
- The service uses a new public key for each message. These public keys are provided by you to match private keys generated by you.
- The server provides a key fingerprint for every message. You can verify these independently if you wish, a bit like clicking on the padlock in your browser to verify a web security certificate.
The side-effects of these features are, admittedly assuming that there no errors in the cryptographic protocols used or the programs written to implement them, are as follows:
- WhatsApp can’t decrypt your messages in transit, even if it wanted to, or if someone tried to force one of its staff to do so by fair means or foul.
- WhatsApp doesn’t hold any cryptographic secrets of yours that might help a crook attack other services you use.
- Eavesdroppers who record your messages have only one chance to decrypt each message. Decrypting today’s messages doesn’t give away the key to unscramble messages that were collected in the past but haven’t yet been decrypted.
(The last feature above is what’s known as forward secrecy because it means that you can’t crack a message in the future, for example when computers are much faster, and automatically use that crack to unlock years of past traffic in one go: there’s nothing analogous to a “message master key.”)
Anyone who thinks that encryption systems should be fitted with backdoors, so that security and secrecy can be deliberately sidestepped when it’s convenient, will probably be unhappy with what WhatsApp has done here.
But at Sophos, we believe in #nobackdoors, so we’re pleased with WhatsApp, and we think you should be too.
History teaches us that deliberate encryption backdoors end up favouring exactly the people they were supposed to catch out, and putting at risk the vast majority of us who are law-abiding.
And those who cannot remember the past are condemned to repeat it.
14 comments on “WhatsApp encrypts messages end-to-end: why you should care”
There is more than a little irony in the fact that Facebook the company that sucks up all the information they can pretty much waging a war on privacy is bringing us an app that completely hides everything when we use it.
Interesting year, first Apple a company I have never really liked makes me feel that I should start buying its products and now Facebook….
Apple won a few points in my book–not that they’ve ever cared about my book–with their steadfastness in the recent drama.
Due to WhatsApp’s previous history and atrocities, I am finding it very difficult to entertain the notion of using their services again (especially now that Facebook holds the reins). The implementation of end-to-end encryption is certainly a welcomed “feature”; however, the old adage still applies….. “Nothing is ever free; if it appears “free”, then YOU are the product”. Are they feeding you advertisements from within the app? Or are they still banking on the overwhelming amount of valid phone numbers that they continue to store, and ultimately sell to a 3rd party? Basically…. How are they making money? Everything ALWAYS reduces to that, unfortunately.
WhatsApp doesn’t claim to be free, beyond a trial period.
Taken directly from the AppStore:
“Description: WhatsApp Messenger is a FREE messaging app available for iPhone and other smartphones. WhatsApp uses your phone’s Internet connection…… etc, etc…”
Then further down:
“Why Use Whatsapp: ** NO FEES: WhatApp uses your phone’s Internet connection, etc… etc…”
“There are no subscription fees to use WhatsApp”…….
Excuse me for making that assumption. :/
And also, to add: There’s no IAPs.
“Eavesdroppers who record your messages have only one chance to decrypt each message. Decrypting today’s messages doesn’t give away the key to unscramble messages that were collected in the past but haven’t yet been decrypted.”
can you elaborate/clarify? I interpreted this more along the lines of “one solution will work with only one message” instead of “one chance” to decrypt. What’s to keep the baddies from trying offline repeatedly?
“…the key aspects, if you will pardon the pun…”
I may have over-abbreviated 🙂
Imagine that you encrypt your messages with the same public-private key pair (or the same symmetric key) for years. I can record your messages but not read any of them, so I accumulate them just in case. One day, in 2019, I happen to crack/guess/see/sniff/bribe/steal your “password of the day,” which decrypts your messages for that day. So I try it, just because I can, on your last N years’ worth of messages, and…heigh ho, it unlocks the lot of them!
That means your old messages had no forward secrecy. (Put another way, cracking the 2019 messages created a backward insecurity.)
But if I use new one-time key material each day, or better yet for each message, instead of or as well as any long-term keys, my 2019 crack will be handy, but won’t apply backwards in time. I still have to crack each encrypted message in the historical list on a one-by-one basis. The 2019 “breakthrough crack” won’t provide any sort of skeleton key.
The main reasons that forward secrecy was widely ignored until quite recently are: [a] we weren’t collectively that worried about decrypting old messages until the suggestion emerged via E. Snowden and others that national security organisations may indeed have been stockpiling old conversations for years, just in case; and [b] generating unique per-message key material that you deliberately discard after each message needed more processing power than we were willing to to expend back when CPUs were slower.
very good explanation; thanks Duck.
…and maybe I’m slow today, or maybe there’s some over abbreviation. Your intent finally clicked in my head as soon as I read “same key pair for years.”
DOH! got it. 🙂
I believe they give you a “free” end-to-end encrypted app in exchange for the contents of your address book and your phone number, and all the metadata (they don’t know the contents of your calls/IMs, but they sure do know who you contact, how much, and when). This is unless more things changed than just their messaging protocol during their implementation of WhisperSystems’ Signal protocol. Does anyone have more information on this?
Interesting article! How does this relate to us “old-schoolers” who still use SMS as their primary messaging vehicle. For security, is it recommended that mobile users use WhatsApp (or some other messaging service that provides E-to-E encryption) instead of SMS whenever possible? Is SMS dead? Thanks, in advance, for your comments!
As far as I know, SMSes are encrypted into the mobile network, where they are decrypted, shovelled around as regular text, and then delivered to their destination. If that’s via an SMS message to another phone (rather than, say, via an email gateway), which is usually the case, the message is re-encrypted for the last bit.
In the middle, unless I am mistaken the mobile network can read your message, store it, scan it for malware; the network is also obliged (I think details vary from jurisdiction to jurisdiction) to provide the facility for what’s called “lawful interception” of calls and messages, in case anyone with a warrant should ask.
Is there any “trial monthly update” testing Sophos can do with these programs? I was into the app in question until the whole thing about their past issues.