Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Nothing you say makes it even close to 'irelevant'. Even badly thought out end to end encryption message app is importend when rolled out to 300 million people.


No. Actually, I would say fake encryption is even dangerous. WhatsApp might not always run end-to-end encryption for compatibility issues, there isn't even a visual indication for encrypted connections, there is no way to verify keys (if at all, they are verified by WhatsApp servers), so leaving a lot of room for all kind of man-in-the-middle attacks. The encryption itself isn't documented, and at the same time WhatsApp had added an option for (likely insecure) cloud backups. Yes, WhatsApp does fake security. But people believe it's secure. Now more than ever.

But those cases are only saying that companies can't comply to disclosure requests. That doesn't say if the encryption itself is weak or if the user has to completely trust that company. Just like the Apple case, where a 4-6 digit PIN is basically protected by Apple's secret firmware and its signing infrastructure.

There is nothing worse than a messenger that is commonly called secure but actually isn't (like the current implementation at WhatsApp). Cryptocat already had a massive disaster related to this problematic. Known as the chat program for activists in danger, it had a mathematical bug that made it nearly as weak as cleartext. Another one: As long as people aren't always explicitly using Secure Chats, Telegram isn't more secure than WhatsApp and doesn't use any end-to-end encryption. Still hyped for its security. While secure clients can definitely exist, most of the famous everyday solutions are just FUD and bullshit.


I have never said that WhatsApp is secure. You seem to have completly missed the point. For people that are above avg in their security need should of course investigate and find the best tool for the job. That has always been true.

Listen to what Im saying. End to end encryption, however badly imemented, rolled out to 300 million people is a extremly big deal.

Just for the fact that it counteracts the belief that only suspect people use encryption. Also even badly implemented end to end encryption stops lazy dragnet survailance. The policy or the FBI simple do not have the ability to MITM billions of messages every day.

Remember that most texting was essentially done in cleartext before this.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: