WhatsApp users were thrown into a panic Friday morning after a report claimed the service has a backdoor that could allow messages to be intercepted.
But cryptography experts and WhatsApp say that claim is false — people can continue using the app knowing their messages are secure.
A report from the Guardian said the “security backdoor” could allow WhatsApp or government snoops to intercept messages.
But the security researcher who the Guardian cited called it a vulnerability (not a backdoor). In an April blog post, Tobias Boelter explained how WhatsApp’s security structure could potentially allow someone to intercept messages by pretending to be a recipient.
In fact, this so-called vulnerability is a design choice made by WhatsApp so chats can flow uninterrupted.
WhatsApp encrypts messages on devices. So when a message is sent to a recipient who just got a new phone or doesn’t have the app installed, the message sort of floats in messaging purgatory, backed up on the sender’s phone until the recipient’s device is activated and the message is delivered.
An attacker could theoretically intercept backed up messages by working with Facebook (Tech30) (which owns WhatsApp) to change the recipient, or by pretending to be the recipient by registering a new device with the recipient’s stolen phone number. ,
You can enable a setting on WhatsApp that will alert you when your friend changes devices after your message is delivered. You should ask your friend in person or through a different channel to confirm that they changed devices if you’re worried about security.
Though not a backdoor, the vulnerability does highlight an issue debated by the cryptography community: What should an encrypted communication app do when someone switches phones? Apple (Tech30) and WhatsApp have decided to keep the conversation flowing. Signal, another encrypted messaging app, won’t send your message, and will also alert you that there’s been a device change. ,
WhatsApp is trying to make it less frustrating to talk with people who often change devices, according to Zaki Manian, founder of blockchain company Skuchain and board member of the civil liberties organization Restore the Fourth.
“We’re talking about a choice in design that both iMessage and WhatsApp have made,” Manian said. “But it potentially creates a way in which you could potentially intercept one message.”
Cryptographer and former Signal developer Frederic Jacobs also took issue with the “backdoor” claims.
It’s ridiculous that this is presented as a backdoor. If you don’t verify keys, authenticity of keys is not guaranteed. Well known fact.
— Frederic Jacobs (@FredericJacobs) January 13, 2017
A spokesperson for WhatsApp told CNNMoney that it does not give governments a backdoor, and said the company would fight any government request to create one.
“The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks,” the spokesperson said.
Article source: http://rss.cnn.com/~r/rss/edition_business/~3/HHAVecfAjL4/index.html