Monday, January 16, 2017

WhatsApp backdoor defeats end-to-end encryption, potentially allows Facebook to read messages [u]

The security of the Facebook-owned WhatsApp messaging service may not be as strong as previously believed, with a reported discovery of a backdoor that potentially allows Facebook to see the contents of encrypted messages [updated with statement from WhatsApp].

WhatsApp has used end-to-end encryption on all communications between its users since April last year, with one-on-one messages encrypted by default since 2014. The app uses the Signal protocol from Open Whisper Systems to handle the encryption process, a protocol that Facebook's own Messenger app also employs. 

Usually, unique security keys are exchanged between the users to confirm the communications are secure before sending messages. University of California cryptography and security researcher Tobias Boelter told The Guardian that WhatsApp is capable of forcing apps to create new encryption keys for offline users. 

Once new keys are created, the sender's app can be made to re-encrypt unreceived messages and resend them, allowing messages to be read once intercepted. 

The users are not necessarily aware of the change in security keys: the message sender is notified only if they have enabled encryption warnings in the app's settings. Message recipients are not warned of the changed key by the app at all. 
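To make the described behaviour concrete, the following is an added illustration, not WhatsApp's or Signal's code, of a sender-side outbox that pins the recipient's key fingerprint: one policy silently re-encrypts queued messages to a replaced key (the behaviour the article reports), the other holds them until the user re-verifies. The keys, messages and the client-side check itself are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for a recipient's identity public key before and after a
# forced re-registration. Real keys would be Curve25519 points; bytes suffice here.
ORIGINAL_KEY = b"constructed-recipient-identity-key-v1"
REPLACED_KEY = b"constructed-recipient-identity-key-v2"


def fingerprint(identity_key: bytes) -> str:
    """Short digest of an identity key, standing in for a safety number."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class Outbox:
    """Sender-side state: the pinned recipient fingerprint, undelivered messages,
    and any key-change warnings raised so far."""
    pinned_fp: str
    pending: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def flush(outbox: Outbox, advertised_key: bytes, block_on_change: bool) -> list:
    """Try to send queued messages using the key the server currently advertises.
    Returns the messages that were (re-)encrypted and sent."""
    new_fp = fingerprint(advertised_key)
    if new_fp != outbox.pinned_fp:
        outbox.warnings.append(f"identity key changed {outbox.pinned_fp} -> {new_fp}")
        if block_on_change:
            return []  # hold messages until the user re-verifies the new key
        outbox.pinned_fp = new_fp  # silent re-pin: queued messages go out under the new key
    sent = list(outbox.pending)
    outbox.pending.clear()
    return sent


def simulate(block_on_change: bool) -> tuple:
    """Queue two messages while the recipient is offline, then have the server
    advertise a replaced key at delivery time. Returns (sent, warnings)."""
    outbox = Outbox(pinned_fp=fingerprint(ORIGINAL_KEY), pending=["hello", "meet at 9"])
    sent = flush(outbox, REPLACED_KEY, block_on_change)
    return sent, outbox.warnings
```

With block_on_change=False both queued messages are delivered under the replaced key and the only trace is a warning the user may never see; with block_on_change=True nothing leaves the device until the fingerprint is confirmed.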
