[messaging] Second thoughts on WhatsApp encryption
Joseph Bonneau
jbonneau at gmail.com
Fri Nov 21 07:15:21 PST 2014
On Fri, Nov 21, 2014 at 10:06 AM, Nadim Kobeissi <nadim at nadim.computer>
wrote:
>
> You can actually get around the need to trust WhatsApp as a centralized
> key directory (by implementing a simple form of key authentication (QR
> codes, fingerprints, etc.)), but that wouldn't solve the problem. The issue
> here is that even if key authentication is implemented, WhatsApp servers
> still retain the capacity to selectively disable encryption on a case by
> case basis.
>
If you trust the app (verified build, etc.) then the app will tell you
you're communicating in non-encrypted mode. If you don't trust the app,
then the app can show you one fingerprint and encrypt with another (or not
at all), so independent verification of key fingerprints also won't help.
I should have said "assuming a trusted app and a means of independent key
verification" then the ability to disable encryption isn't any worse. So
we're back to the 2 main challenges either way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141121/46a43bc8/attachment.html>
More information about the Messaging
mailing list