WhatsApp Becomes The Latest Victim

Uploaded on 2017-02-18 in BUSINESS-Services-IT & Telecoms, FREE TO VIEW, NEWS-Cybersecurity News

Is there a truly secure messaging app? One could spend hours examining all the encrypted communications tools available, from popular services such as WhatsApp and Facebook’s Messenger to newcomers such as Signal and Wire.

But while experts agree that some of these options are more secure than others, there always seems to be another flaw waiting to be discovered. This makes the search for a perfect app resemble the hunt for the goose that laid the golden egg.

That point was driven home recently with the revelation that attackers could exploit a security vulnerability in WhatsApp to snoop on its users.

The vulnerability was found in the service’s implementation of end-to-end encryption, which is supposed to make it all but impossible for messages to be read by anyone except their intended recipient, and in WhatsApp’s management of the unique security keys used to scramble and unscramble those messages on users’ devices.

The problem stemmed from WhatsApp’s ability to create new encryption keys for offline users. This is common for secure communication tools, but WhatsApp is set apart by its decision to re-encrypt messages with the new keys without informing their sender or recipient.

This could allow someone to intercept communications with no indication to anyone involved with the conversation. WhatsApp has therefore effectively undermined the basic principle of end-to-end encryption.

It would be easy to overreact to this issue. WhatsApp did not create a backdoor into its service, a claim with which Brian Acton, the company’s co-founder, publicly took issue, saying WhatsApp would “fight any government request” to create one.

Nor did it introduce a vulnerability so critical that people should remove the app from their devices. Concerned users can verify someone’s identity by comparing the “fingerprints” associated with their key, and they can enable a setting that notifies them when a message has been re-encrypted with a new key.

Yet even the nature of those notifications is up to question. There are two options, blocking or non-blocking, which refer to requiring users to manually verify that a new key is legitimate or simply notifying them when a key has been changed.

WhatsApp notifications are non-blocking. Signal, the encrypted messaging tool from Open Whisper Systems (OWS) whose end-to-end encryption protocol is used in WhatsApp, Messenger and other apps, uses blocking notifications.

Some messaging apps follow WhatsApp in not informing users of key changes by default. Others, like Wire, don’t send messages to people with new keys without user consent. These companies will face criticism no matter what they choose, WhatsApp users might worry that their messages are insecure; Wire users might grow tired of security notifications, and might change their approach based on user feedback as OWS is doing with the Signal app.

There is no right or wrong answer. The same can be said for other decisions, such as Google’s Allo and Facebook Messenger’s “secret conversations” not using end-to-end encryption by default, which the companies say allows them to offer features that wouldn’t be possible otherwise.

Apps that do use encryption by default, such as Signal and Wire, among others, require people to convince everyone with whom they wish to communicate to switch to unfamiliar messaging tools.

There will never be a one-size-fits-all in the secure communications market. Just as these services have to decide on what problems they wish to solve, consumers must choose the app that best suits their needs.

More apps support end-to-end encryption than ever, and even if none of them are perfect, this means private communications are more secure than before.

These are nuanced problems that must be considered with care instead of being oversimplified.

Guardian:

WhatsApp Implements Encryption:             Delete/Never-Use Google Allo: Says Snowden:

 

 

« How To Automate Cyber Defense
Technology, Multilateralism, War and Peace »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Corero Network Security

Corero Network Security

Corero Network Security is dedicated to improving the security of the Internet through the deployment of its innovative DDoS & Network Security Solutions.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

PakCERT

PakCERT

PakCERT is the national Computer Emergency Response Team for Pakistan.

Foresite

Foresite

Foresite is a global service provider, delivering a range of managed security and consulting solutions.

Digitronic Computersysteme

Digitronic Computersysteme

Digitronic focus on innovative software to protect your personal and sensitive corporate data.

Salviol Global Analytics

Salviol Global Analytics

Salviol Global Analytics is a leading provider of Fraud, Risk and Operational Performance Solutions to a number of vertical markets including Insurance, Banking, Utilities, Telco’s and Government.

River Loop Security

River Loop Security

River Loop Security specialize in solving complex cybersecurity challenges in the IoT and embedded devices space.

Quantexa

Quantexa

Quantexa automates millions of operational decisions, at scale, across multiple business units, including Anti-Money Laundering, Know-Your-Customer, Fraud, Credit Risk and Customer Intelligence.

TWC IT Solutions

TWC IT Solutions

Since 2011, TWC IT Solutions has offered managed IT Support, Cybersecurity, Disaster Recovery, Contact Centre and Business Connectivity services to clients across 24 countries globally.

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce has partnered with Purdue University and Carnegie Mellon University to create the Rolls-Royce Cybersecurity Technology Research Network.

TPx Communications

TPx Communications

TPx is a leading managed services provider offering a full suite of managed IT, unified communications, network connectivity and security services.

Safe Decision

Safe Decision

Safe Decision is an information technology company offering Cyber Security, Network, and Infrastructure Services and Solutions.

NVISO Security

NVISO Security

NVISO is a pure-play cyber security consulting firm, focused mainly on the Financial Sector, the Technology Sector, and Government & Critical Infrastructure.

Skillfield

Skillfield

Skillfield is a Melbourne based Cyber Security and Data Services consultancy and professional services company.

Infodot Technologies

Infodot Technologies

Infodot Technologies specialize in a co-managed IT support and services approach, where businesses share their IT responsibilities with a skilled Managed IT Services Provider (MSP).

CyVent

CyVent

CyVent helps you select the right cybersecurity solutions at the right price for your unique situation, without the need to invest endless time evaluating the ever-evolving options.