[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

WhisperSystems + WhatsApp

To: Marco Pozzato <[email protected]>, Eric Mill <[email protected]>
Subject: WhisperSystems + WhatsApp
From: [email protected] (Cathal (Phone))
Date: Wed, 19 Nov 2014 09:18:10 +0000
Cc: cypherpunks <[email protected]>
In-reply-to: <CAHzaDb=TdsPZDXdOOF1+D_gBu=JxtArJ5+SE+tghMAK-+6k4mQ@mail.gmail.com>
References: <2429476.9jgn6LQJC8@lapuntu> <CANBOYLVgVY18sPa_0O6_x5pBZD_BtsMgwowwtRqcqkVmbusDNg@mail.gmail.com> <CAHzaDb=TdsPZDXdOOF1+D_gBu=JxtArJ5+SE+tghMAK-+6k4mQ@mail.gmail.com>

Eh, easier than than. Keys generated end to end by the book, then code in the closed source spyware app justs lifts them and posts to FB.

Open protocols in closed apps are meaningless.

On 19 November 2014 08:46:50 GMT+00:00, Marco Pozzato <[email protected]> wrote:
>WhisperSystems designed good protocols, but I am afraid that Moxie was
>too
>anxious to release this info and hit ENTER key too early :-)
>
>I am quite skeptical about the actual value from the security point of
>this
>press release.
>
>WhisperSystems reports about end-to-end encryption, that means, I
>encrypt
>my message with an encryption key that only you or both of us know.
>
>1. How can we negotiate that key? Users are not involved, but
>everything
>happens automatically, under the hood, between two whatsapp clients.
>How?
>they negotiate the encryption keys through whatsapp servers: is it my
>own
>   key or the NSA one? are they leaking the key to Facebook?
>   2. We do need to authenticate the identity, eg: via QR code,
>fingerprint, spell it loudly on the phone,  etc.., which reduces
>usability,
>   especially for mass market.
>3. Last but not least: even if we authenticated identities and keys,
>how
>can we be sure that whatsapp client is really using the authenticated
>keys
>and not the NSA keys, maybe only on a white list of suspected mobile
>phone
>   numbers? above all, they provide a proprietary and closed source app
>
>The security model is faulted, at the root level:
>
>   - If I subscribe to a security service - such as messaging -,  the
> service provider is untrusted by default. I need total transparency ->
>every single components in the architecture should be auditable and
>open
>   source
>  - If mobile app is closed source, I can trust only the infrastructure
>that should be under my full control, to be sure that no information
>leak
>   outside infrastructure is ever possible.
>
>
>My 2 cents
>
>Marco
>
>2014-11-19 7:25 GMT+01:00 Eric Mill <[email protected]>:
>
>> This was honestly just about as exciting as the new
>EFF/Mozilla/Akamai/etc
>> CA. Strong encryption with no UX degradation, for *so* many people,
>and the
>> post certainly indicates it'll be going into the rest of WhatsApp's
>native
>> applications.
>>
>> I'm sure this fed into improvements into the TextSecure protocol, and
>that
>> the PR will help WhisperSystems obtain more partnerships like this. A
>great
>> day for the TS project.
>>
>> On Tue, Nov 18, 2014 at 6:35 PM, rysiek <[email protected]>
>wrote:
>>
>>> Well,
>>>
>>> I didn't see THAT coming:
>>> https://whispersystems.org/blog/whatsapp/
>>>
>>> --
>>> Pozdr
>>> rysiek
>>
>>
>>
>>
>> --
>> konklone.com | @konklone <https://twitter.com/konklone>
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20141119/84d6e957/attachment.html>

Follow-Ups:
- WhisperSystems + WhatsApp
  - From: [email protected] (Andy Isaacson)

References:
- WhisperSystems + WhatsApp
  - From: [email protected] (rysiek)
- WhisperSystems + WhatsApp
  - From: [email protected] (Eric Mill)
- WhisperSystems + WhatsApp
  - From: [email protected] (Marco Pozzato)

Prev by Date: Whatsapp open source
Next by Date: Whatsapp open source
Previous by thread: WhisperSystems + WhatsApp
Next by thread: WhisperSystems + WhatsApp
Index(es):
- Date
- Thread