Is it a good move by Signal to enable WhatsApp End to End Encryption


#1

The latest update of WhatsApp provides end to end encryption. This is a result of a partnership with OpenWhisperSystems - the company that maintains ‘Signal’ - free and open source app for secure messaging and calls.

Apart from independent audits done by WhatsApp itself, the source code of WhatsApp is not available for auditing and validating. In which case, how good is this ‘update’?

On the other hand, was it a good move by Open Whisper Systems to work with WhatsApp in integrating their protocol in a proprietary software?


#2

Third party audits are different from open source audits. For instance, just because source code is available freely does not guarantee proper security audits. Security audits require a specific set of skills. So as for the audits, we need the source code to be audited by a “reliable, trusted” third party. Without this, the security implementation should not be trusted.

As for whether or not this is a good move, it’s an excellent move from both WhatsApp and OWS. If it makes whatsapp secure for millions of users, then sure. This would not replace Signal in anyway, for instance, Signal encrypts your messages on the device (in-situ encryption) so if your phone is lost, it is not feasible to crack the encryption. WhatsApp doesn’t have a robust in-situ encryption mechanism. Whatsapp also has to worry about making sweeping changes that affect performance, load time, etc. Since it does not advertise itself as an app for secure communication. Signal does not have these concerns.

Additionally, we don’t know if this extends to WhatsApp web which is a potential hole given message synchronization and everything. Signal desktop doesn’t have this problem.

All in all, I hope this kills the greatest “open source” snake oil Telegram. In my opinion, it’s the greatest threat to security. More than proprietary WhatsApp is because it’s a wolf in sheep’s clothing. Did you try out the latest cryptocat app btw??


#3

I see this move a positive move by whatsapp. End-to-End encryption is not something new. E2E is already implemented in IM clients like ChatSecure, Cryptocat, Conversations, Xabber, Kontalk, etc., even before WhatsApp (or) Telegram.

We shouldn’t be discussing whether this move by whatsapp is positive or negative at all, because we should welcome E2E implementation whoever does it. Instead what we should be discussing is, the nature of these platforms.

Take Whatsapp for example,

  1. Server is closed (proprietary).
  2. Client is closed (proprietary).
  3. No documentation about the protocol.
  4. No information about the API.
  5. End-to-End encryption enabled by default.
  6. Centralized (everything goes through the servers controlled only by whatsapp)

Take Telegram for example,

  1. Server is closed (proprietary).
  2. Client is Free Software.
  3. Documentation & API available.
  4. End-to-End encryption disabled by default. (also rolling their own security protocol).
  5. Centralized (everything goes through the servers controlled only by telegram)

Take XMPP,

  1. Free Software Server implementations are available.
  2. Free Software Client implementations are available.
  3. Standard and open protocol with documentation and APIs.
  4. End-to-End Encryption is available for a long time.
  5. Decentralized & Federated (need not go through a single centralized server).

Both Telegram and Whatsapp, no matter how strong their encryptions is, they both are centralized and lock users within their platform. The meta data of who is communicating with whom and at what time and from which geolocation is still available for them in one place. If a government issues subpoena, there is a possibility of doing a cryptanalysis by the platform creators themselves. Even though if telegram or whatsapp opens their code base to public, the very nature of centralization is still a big problem.

Consider XMPP which is decentralized and federated which doesn’t lock users to one single server or client, which allows users to have accounts on any server and talk to people at any server using any free software client, and along with that the use of end-to-end encryption! We should be discussing and promoting this.

That’s what a free software advocacy community or organization should be doing at this time. How to take forward a protocol like XMPP forward.


#4

Thus a communication application can be evaluated with the following parameters : (similar to governance)

  1. Transparency
  • Open STD, Protocols (like from RFCs)
  • Free H/W
  • Free S/W
  1. Distributable without compromising 1
  • Collaboratively developed
  • Collaboratively audited
  • Distributed Deployment/Usage
  1. Security without compromising 1 & 2
  • Mathematical mechanism

Why is not there any indicator for free/open systems & culture. If there is one, then it would be easy to measure how much a particular tool is inclined towards freedom !. This indicator development must also be publicly collaborative with reasoning.

Simple questions is : How can we indicate that this software/hardware system is FREE.
After all, manufacturing, agricultural commodities, FMCGs (sad ) :rage: use indicators that are not publicly reviewed. (I do not want to go philosophical here)

Critical thinkers evaluate a system beyond lay citizens thought process and we stream line analysis as we made in this discussion. But when we talk to lay citizens, they look at me like :confused:

However, i am just saying why cant we have one. I dont know whether it is a good idea or not . !


#5

As the aphorism goes: “When the service is free, you are the product.”