Security Experts Say New EU Rules Will Damage WhatsApp Encryption (theverge.com)
Corin Faife writes via The Verge: On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company -- defined as having a market capitalization of more than 75 billion euros or a user base of more than 45 million people in the EU -- create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS -- which security experts worry will undermine hard-won gains in the field of message encryption.
The main focus of the DMA is a class of large tech companies termed "gatekeepers," defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to "break open" some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users install third-party apps outside of the App Store, letting outside sellers rank higher in Amazon searches, or requiring messaging apps to send texts across multiple protocols. But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users.
Signal is small enough that it wouldn't be affected by the DMA provisions, but WhatsApp -- which uses the Signal protocol and is owned by Meta -- certainly would be. The result could be that some, if not all, of WhatsApp's end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging. Given the need for precise implementation of cryptographic standards, experts say that there's no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.
Real user choice (Score:2)
Re: (Score:2)
Real user choice would be to allow the user to decide if they want interoperability, side loading, etc. As part of the settings, have a toggle that lets you turn off features you don't want, such as interoperability. That would allow users that value security to continue as is while allowing others to make a different choice. You could have them set as OFF and a popup ask you if you want to enable them when you first launch an app.
Yes, though a better approach would be to make it visually obvious, such as all unencrypted recipients appearing with a red background, so that you know instantly that your communication with that person is not secure, along with a warning message when you add that person to a group chat, and notification to everyone in the group chat that future communication will not be secure.
Either way, the only reason security is even an issue is because these companies don't actually care about their users' privacy.
Re: (Score:2)
Real user choice would be to allow the user to decide if they want interoperability, side loading, etc. As part of the settings, have a toggle that lets you turn off features you don't want, such as interoperability. That would allow users that value security to continue as is while allowing others to make a different choice. You could have them set as OFF and a popup ask you if you want to enable them when you first launch an app.
Yes, though a better approach would be to make it visually obvious, such as all unencrypted recipients appearing with a red background, so that you know instantly that your communication with that person is not secure, along with a warning message when you add that person to a group chat, and notification to everyone in the group chat that future communication will not be secure.
You could do that and still allow users to choose whether or not they wanted to allow interoperability. It isn't an either or situation but a chance to satisfy both camps.
Sorry, but forcing their hands is the right call.
Only to the extent a user is still given a choice whether or not they want it. If enough choose to allow it then it'll be the way of the future, if not, it's clear users didn't want it. Government should give users the chance to make the choice, not dictate it.
Re: (Score:2)
Apple has no replacement for SMS, unless you mean iMessage, which obviously only works from Apple to Apple, and most users have it disabled as it does not work reliably across devices.
Re: (Score:2)
Apple has no replacement for SMS, unless you mean iMessage, which obviously only works from Apple to Apple, and most users have it disabled as it does not work reliably across devices.
Yes, iMessage is exactly what I mean. And I don't know anyone who has disabled iMessage (and I know a *lot* of iOS users), so I question your conclusion that most users disable it.
Re: (Score:2)
This is absolute insanity. Why would we want a single standard for encryption, designed for everyone, forever?
Presumably the actual encryption algorithms used would change over time, but why wouldn't we want a single standard for the actual communication and handshaking between clients and servers? HTTP/1.1 is still good enough for most purposes and entirely secure (when wrapped with TLS) after how long? Oh, yeah. 23 years, give or take.
It creates one huge attack surface.
Only if you assume everyone uses the reference implementation as-is.
It ossifies design.
It's a communications protocol. If it isn't designed to be extensible, it's crap, and if it is, then standard
Re: (Score:2)
Re: (Score:2)
Yes, though a better approach would be to make it visually obvious, such as all unencrypted recipients appearing with a red background, so that you know instantly that your communication with that person is not secure, along with a warning message when you add that person to a group chat, and notification to everyone in the group chat that future communication will not be secure.
The DMA not only requires interoperability, but requires it on an even playing field.
They already pointed out Apple would be breaking the law as-is where blue is encrypted and green is unencrypted SMS.
Giving unencrypted messages a red background would be the same thing, and also a crime in the EU under this law.
I'm fairly certain that's an incorrect interpretation of the law. Apple would be in violation of the proposed law, but only because they do not allow other companies to provide encrypted traffic in a manner that interoperates with their own encrypted traffic.
Apple should be okay as long as they A. treat any iPhone user who turns off iMessage with that same red background and B. allow other companies to provide encrypted traffic that appears without a red background. That's a level playing field at that po
Abusing Interoperability (Score:2)
"create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS -- which security experts worry will undermine hard-won gains in the field of message encryption."
Yeah, or for gaming, this means that PS5 owners should be able to play every indie PC game by tomorrow, right?
Come on. Comparing SMS to WhatsApp is like comparing Grandpappy's musket to an M-16. Much like my example above, not everything is going to be magically "interoperable" by passing this bill. If I need to travel across an ocean, I don't look for a car to do it.
This law, isn't about interoperability. It's about banning encryption.
Re: (Score:2)
I saw that sentence as a major red flag of lobbying group disinformation, it's absurd - but they want to fool you into believing this:
This law, isn't about interoperability. It's about banning encryption.
From what I've seen the law really is about interoperability, but industry groups likely want to fool users to believe it's about banning encryption so that they'll oppose a law that poses a threat to their walled gardens.
What allowing access to WhatsApp would actually mean would be just publishing some API details to allow other clients to log in, like back in the days when
Re: (Score:2)
Yep. WhatsApp uses the Signal protocol. It's open source, and interoperability does not impact it in the slightest.
Re: (Score:2)
If you think there ARE, then you must know about some flaw in WhatsApp's protocol that isn't public knowledge.
Re: (Score:2)
I don't know how old you are but most of our grandpappies would have probably been using an M1 and for the younger folks here grandpappy might have carried an M-14.
Either have a lot more in common with an M-15 than a musket.
Re: (Score:2)
Maybe - although Signal offers an example of what they (might) be going on about - even though they aren't affected by the law.
The Signal phone app can approximately replace your SMS app - it'll send SMS to people that don't have Signal, or else encrypt and send over the Signal network if they do. That looks like operability to me - one thing works with two networks.
If Whatsapp let (say) Pidgin have a Whatsapp plugin (possibly even a proprietary one), then that too might qualify as "interoperability" - I no
Re: (Score:2)
How are you thinking that a proprietary plug-in is somehow less trouble than the app? They control the code either way
Re: (Score:2)
Sure - but the data that gets leaked is at the control of Pidgin. If Pidgin doesn't (say) give contacts, or GPS, then Whatsapp/Facebook/Meta can't get their hands on it.
I agree it's hardly a panacea, and anything can be abused, but even a proprietary plugin would be better than what we have today. An open source plugin better still, and the complete destruction of Whatsapp the best of all. I'll take whatever I can get ;-)
Re: (Score:2)
WhatsApp actually uses the Signal protocol. They just don't allow the WhatsApp servers and the Signal servers to talk, or for any third party clients to connect.
Re: (Score:2)
The E2EE protocol is the same, but the rest of the protocol is completely different.
It's all layered, so think of it like two completely different chat protocols that just happen to generate the binary blob of ciphertext inside their respective message objects the same way.
Re: (Score:2)
This law, isn't about interoperability. It's about banning encryption.
Nonsense. There is no problem with interoperable end to end encryption. They just need to document the protocol. They may release some libraries if they want to be very nice.
Re: Abusing Interoperability (Score:2)
Depends. Often when people try to implement their own cryptography, they fuck it up.
https://security.stackexchange... [stackexchange.com]
So sure, the algorithm and PKI might be secure, but that doesn't say whether your implementation is.
Re: (Score:2)
Or WhatsApp could just implement an RCS client and give you a notification or visual cue that you're not using the WhatsApp backend when you message that person. Kind of like Apple's been doing for a decade with the "green bubble". Make it red with yellow stripes with a bit of text at the top of the message chain saying that this conversation isn't encrypted.
Problem solved. Except on iOS where the only possible SMS / MMS client is iMessage until this law forces Apple to remove that unnecessary brick wall
Re: (Score:2)
Problem solved. Except on iOS where the only possible SMS / MMS client is iMessage until this law forces Apple to remove that unnecessary brick wall.
And on other platforms you can have non-vendor-provided SMS/MMS apps? Never heard about that. And why would anyone want that?
I don't think so (Score:2)
First - if Whatsapp displayed unsecure SMS messages in RED and asked before sending them, I don't see a security issue. Second - where there's a will, there's a way. Doesn't the article mention that WhatsApp actually uses the Signal protocol?
Re: (Score:2)
Am I hearing "if we regulate Big Tech, we are going to lose security"? Sorry, not buying that.
As with all these regulations it depends on the details. Sure, the GDPR and California laws on disclosure of leaks have led to massive increases in security. On the other hand, the recent story about insecure mobile network systems left behind in Russia [slashdot.org] is entirely caused by government regulators in the US and Europe requiring access to communications.
First - if Whatsapp displayed unsecure SMS messages in RED and asked before sending them, I don't see a security issue. Second - where there's a will, there's a way. Doesn't the article mention that WhatsApp actually uses the Signal protocol?
Using red for SMSs which are unencrypted would be clear. However, what if Whatsapp has to send to Google chat or one of the Apple messaging protocols which i
Re: (Score:2)
However, what if Whatsapp has to send to Google chat or one of the Apple messaging protocols which is less secure because it's integrated with a picture scanning system?
This doesn't seem particularly complicated. Apple's iMessages already shows users of its own service in one color, and SMS users in another. Other systems might do something similar. Messages are sent within the service itself, one color. Sent to another service with E2E encryption, a slightly different shade of the same color and tiny bubble icon or whatever indicative of the protocol used. Sent to another service without encryption, such as plain-text SMS, or with MITM-only encryption, such as standard Tel
Re: (Score:2)
"blue" = same protocol and encrypted
"green" = different protocol but still encrypted
"orange or red" = not encrypted
I'd rather see green/yellow/red, though, like traffic lights.
There's also people with colour blindness to take into account.
Re: (Score:2)
My wife uses WhatsApp to communicate with her friends, as well as iMessage (and SMS), Google Chat, and Microsoft Teams for work. I use Google Chat for some friends, Slack for some others, a different Slack workspace for coworkers, SMS for base-level messaging. And then there's Facebook Messenger for some other friends and family. And then I have a millennial cousin who does the Snapchat thing. Then there's Signal and Telegram, as well as Discord.
It's beyond ridiculous that we need to have 8 different mess
Re: (Score:2)
But you yourself explain very clearly why we don't all use the same messaging service: it's because different messaging apps have different feature sets that make them valuable to different groups of people for different purposes, and trying to shoe-horn all of this together just isn't going to work. Your employers want you using secured enterprise chat services for work, not consumer services, because they want back-ups and archive and integrations with other enterprise services, and in many cases they als
Re: (Score:2)
Ok...what's the big need for this? At least in the US.
In the US it'd allow Android users to use a messenger application fully compatible with iMessages, so that when they entered your group chat they wouldn't cause everything to degrade into SMS/MMS limited features. Everyone would be blue, with the need to own an iPhone to be blue.
Why would I need access to that?
You I don't know, but a huge number of people use multiple apps to communicate.
I myself use, in this order of priority: Telegram, WhatsApp, Microsoft Teams, Discord, Steam Chat, Facebook Messenger, Skype, SMS (from my carrier), and
Re: (Score:2)
with -> without
features -> featured
Re: (Score:2)
That's a bit of a change of subject given that TFA is about the EU.
In the EU country where I live it costs something like 10 cents per SMS. Prices vary slightly, but I don't think that any operators include a quota of free SMS per month in their contracts. As a result it's only really businesses that send SMS: everyone else uses messaging services which take advantage of the free 4G data quota which is included in every operator's contracts, and the network effects in this country favour
Re: (Score:2)
You are wrong.
You basically have everywhere 100 free SMS - or completely free - regardless of country or network operator.
And I have no "free data" - I'm limited to 500MB and then it gets down scaled to LTG speed.
Re: I don't think so (Score:2)
I'm in an EU country and I have 2000 minutes/SMS per month as well as more data than I need. It costs me 10 euros per month.
Re: (Score:2)
And you are ridiculously hand-wavy about what the risks are. They're very straightforward and real.
So true, including your example, and a shame there aren't mod points going around to get these comments more visible. Interoperability and integration are complex nightmares. Reasonable security might be achieved with a fully standardised software stack and federation (e.g. imagine multiple federated signal networks) but the details really really matter. There are real differences in the security levels of the different systems and there's no reasonable way to communicate that to a user beyond the general v
Re: (Score:2)
I'm looking at the actual text of the proposed legislation [europa.eu], and I can't see what it has to do with messaging systems supporting SMS at all. The core is Article 5:
Re: (Score:2)
Note that this explicitly says that any services of a gatekeeper have to be available. This would include WhatsApp because Facebook also has business relations in other services. How about this bit of the DMA [europa.eu] (N.B. for the whole thing tl;dr, but to be sure what's in there you would have to go through it all, preferably with a team of lawyers):
Re: (Score:2)
I'm not sure exactly what metadata you have in mind. The actual article text which relates to that recital is 6(i):
Re: (Score:2)
They are talking about third party apps that use the WhatsApp network. They are saying that Facebook can't sabotage them by providing less access to the user's data than they themselves have.
There is no security or privacy risk here. In fact it could be a major gain for users, as they could choose to use an app that doesn't report so much metadata back to Facebook. It also makes it easier for them to switch to other networks, because they don't have to convince all their friends to.
Banks in the UK do someth
Re: (Score:2)
There is no security or privacy risk here. In fact it could be a major gain for users, as they could choose to use an app that doesn't report so much metadata back to Facebook. It also makes it easier for them to switch to other networks, because they don't have to convince all their friends to.
Before - one company might leak my data. After - ten companies, each of which got the data during some connection with another user - is able to leak my data. I just simply don't agree that, by default that isn't worse security. Definitely, this regulation can improve security if done right. Instead of the clause that data should be available equally to all companies, there should be a clause that each provider should only share the data that's actually needed for a transaction and ensure that they don't, t
Re: (Score:2)
In Europe the GDPR will prevent 10 companies getting your data.
Re: (Score:2)
If the company is involved in the billing of a communication interaction, even just potentially, that comes under "special purposes" and allows them to get (and thus, under this regulation demand) the information. It's true that they then should have very limited use of that data, however the worry isn't legitimate use, but instead that the data is in multiple databases and more likely to be compromised. The GDPR is good, but it's also practical and so can't be perfect for privacy.
Re: (Score:2)
The NSA, or at least the people controlling the NSA, on the other hand, seem to be directly responsible for the current situation where Russian malware and disinformation operatives are able to threaten basic infrastructure and food supplies in the USA and elsewhere.
Nope. Do you know who is responsible for that? Russian malware and disinformation operatives. If you want to blame it on a government? The Russian government, for refusing to enforce its laws against Russian criminals.
There is plenty of blame to go around. The NSA willfully sits on undisclosed vulnerabilities so that it can use them against Americans [vox.com]. But its stated mission is securing our nation's communications, and doing that is directly contrary to that mission. Instead, it is spending its time and our money on spying on us. This is a big reason why the NSA has headcount problems [npr.org], although low pay is another reason. They fund the NSA well enough to spy on Americans, but not well enough to pay their employees.
Obviousl
Re: I don't think so (Score:2)
The NSA has a dual mission. The first is, as you mention, defense of domestic systems. The second is intelligence gathering. Vulnerability disclosure only supports one of those missions, but it works against the other one.
Re: (Score:2)
The NSA has a dual mission. The first is, as you mention, defense of domestic systems. The second is intelligence gathering. Vulnerability disclosure only supports one of those missions, but it works against the other one.
The NSA's intelligence gathering is unconstitutional, since it is carried out against Americans without warrants.
Re: I don't think so (Score:2)
Only incidentally though. The FISA courts ruled on it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Vulnerability disclosure only supports one of those missions, but it works against the other one.
This is actually a mistake. When the NSA started with this belief, American and allied communication systems dominated to the extent that enemy militaries had to use them extensively. The knowledge that the NSA was keeping back vulnerabilities was a big part of what was used by enemy governments to justify forcing their own companies to start using non US communications systems. In the long run, as China especially works out how to build secure communications systems, this leads the NSA to have less and les
Re: (Score:2)
Imagine if...signal was an open standard that could be implemented by multiple vendors!!!
Interoperability *could* be a security issue if you don't have security and encryption standards associated with your communication protocol(s). That just means a robust protocol instead of security through obscurity (and we "promise") that plenty of platforms use.
But vendors crying "omg insecure SMS" is nothing but a straw man. Of course it is. Congrats and thank you for reminding the world. Now how about we secure
Who gives a fuck? (Score:2)
If whatsapp is forced to be more interoperable, it might actually finally let smaller actors like Signal become more popular, and allow many of us for whom whatsapp is "mandatory evil" kind of a thing to use because most people use it so we have to as well can finally uninstall the damn thing and stick to Signal and Telegram that will likely be interoperable with basic messaging features of whatsapp.
Whatsapp's "end to end encrypted chat, and yes we have all the keys and we scan your discussions and even c
Re: Who gives a fuck? (Score:2)
When I see them undo all those facebook-manipulated referendums and votes then I'll believe it. Till then - who gives a fuck indeed.
Re: (Score:2)
Reality is that will be a security disaster. The biggest problem with most of these messaging apps, is opsec. Even iMessage is probably secure enough that from a pure SIGINT perspective it's unlikely anyone will get enough information directly to even go to Apple for the additional meta data detail they can provide.
It's all the things people do with the message, decisions they make about backups, leaving their unlocked devices out in the open etc, that will undo your confidentiality. Short version is
Re: (Score:2)
>The biggest problem with most of these messaging apps, is opsec.
Let's test this claim against reality. If the biggest problem with messaging apps is opsec, then the app that offers the best opsec would also be the most popular.
So something like Line, Silence, or Threema.
And if there's a solution addressing "the biggest problem with most of these messaging apps", people would be flocking to these existing solutions. Yet they aren't.
Ergo, it's not "the biggest problem", or even a "major problem". Arguably
Why would this break encryption? (Score:2)
It seems to me that WhatsApp would have to shut off encryption only for messages to/from other messaging systems. This is reasonable if the user understands that it's the price of interoperability. Signal does something similar already.
Re: (Score:2)
The key thing is "if the user understands". The Eternal September indicates that most people are, in fact, stupid and clueless when it comes to technology. (This includes policy makers.)
To quote George Carlin: "Think of how stupid the average person is, and realize half of them are stupider than that."
Re: (Score:2)
In general this is wrong. He would be correct though if he were talking about the median [wikipedia.org] person.
Re: (Score:2)
You're confusing "average" with "mean".
Average can mean mean, it can mean medium, and rarely it can mean mode.
For instance when we say "Average monthly income", we measure that with medium, the point which half are under, and half are over. That can be a useful correction when you have a distribution that's kinda all over the place.
IQ generally is indeed measured as a mean, however in principle it's designed so that it's a very bell like distribution meaning that the medium and the mean are pretty close. Althoug
Re: (Score:2)
For reference, 160 would be someone like Einstein, not l33tGamer420 on reddit.
Gosh, I have to kick that guy from my friend list.
Re: (Score:2)
You are correct - "median" is the more correct term for the joke that Carlin was trying to make.
On the other hand, Carlin was a comedian, not a statistician. If he'd used "median" instead of "average", a large number in the audience wouldn't get the joke, because they'd be ignorant of wha
Re: (Score:2)
Basically we need the equivalent of an SSL standard for encrypted messaging. Then interoperability would come via adopting the same standard, as happens with SSL. Still, it would make things easier for bad actors.
Re: (Score:2)
Bad design assumptions break encryption... (Score:2)
Because they offer bad solutions, and expect the worst out of companies. From the article...
"Making different messaging services compatible can lead to a lowest common denominator approach to design, Bellovin says, in which the unique features that made certain apps valuable to users are stripped back until a shared level of compatibility is reached. For example, if one app supports encrypted multi-party communication and another does not, maintaining communications between them would usually require that
Re: (Score:2)
But that isn't what is asked for. What is asked for is that other apps can implement WhatsApp messaging, including encryption, not bridging to other less secure systems. The vendors are deliberately misrepresenting the law to defeat it as a strawman.
Re: (Score:2)
No, it doesn't suggest they can break the encryption.
It means that the process of "reporting a thread" likely involves sending in your already received and decrypted copy of the message content from your phone to the people who manage abuse reports.
Bullshit! (Score:2)
Interoperability means documenting your protocol and allowing other people to use it. WhatsApp is already based on the Signal protocol, but has some additional proprietary requirements that prevent Signal users from conversing with WhatsApp users.
This law would allow me to create a client that insecurely mixes SMS and WhatsApp. Nothing in the law compels WhatsApp to make their own client insecure or to support SMS in their own client
Re: (Score:2)
Someone mod this ^ up.
XMPP with OMEMO [1] is an example of that. I use 5 different clients on 2 different domains running different software, all is e2e encrypted, because: documented agreed upon protocol.
Now, OMEMO still has its issues, but that is being worked on.
Matrix might have a similar feature in the protocol. I don't know enough about that.
In fact, this might help e2e encryption, because 3rd party clients might choose to ignore "reencrypt with this new key" commands (which whatsapp has)
[1] https://x [xmpp.org]
Re: (Score:2)
What makes E2EE hard to get right, isn't just the success path (which I'm sure OMEMO has already figured out). It's how you deal with all those obscure corner cases and failure modes, and whether you do it in a way that keeps the product usable by normal everyday people.
There are decisions to make when doing this, and sometimes the "most strictly secure" choice isn't the "most usable choice". So there are middle grounds, key change notifications, etc.
Re: (Score:2)
Exactly. And this is just one of the many practical issues with the proposals.
Re: (Score:2)
Yeah, stuff like this is why even Signal decided to stop doing federation.
When you control the whole system, you can manage these sorts of changes. It happens all the time in the real world, and the users rarely notice. But if you don't control the whole system, you can get stuck for an uncomfortably long period of time.
Especially since a lot of people won't upgrade or fix their broken stuff until they're cut off and forced to.
Let the FUD games commence! (Score:2)
This is just FUD ahead of implementing the DMA.
But, every problem has a solution.
I invite everyone on Slashdot to post possible solutions.
Two I can think of in seconds:
1
Part of interoperability could be agreement about a shared security/privacy/encryption protocol.
With the advantage that Meta/Facebook is not able to snoop on all WhatsApp messages anymore (which they can do now).
2
Every messenger app shows whether the message is certain to be properly encrypted end2end (ie between two Signal clients) or not (i
Re: (Score:2)
Like what happens in iMessage. Blue bubble if the message is going over the iMessage network, green bubble if it is going over the SMS network.
Re: (Score:2)
That's great for messages you receive. But interoperability means you can't be sure that the message you *send* is opened in a sufficiently secure client by the other party. Instead of opening it in Snapchat, they open it in WhatsApp. Or more sharply, instead of opening the message about the patient's condition from their clinical colleague in Epic Secure Chat, they open it in WhatsApp.
WTF? (Score:2)
Interoperability does not mean broken encryption...
SSL has multiple interoperable implementations.
SSH has multiple interoperable implementations.
PGP has multiple interoperable implementations.
This is just propaganda, telling lies to convince people that interoperability is a bad thing.
"there's no simple fix" (Score:2)
And we are focusing on WhatsApp? (Score:2)
This is actually good news (Score:2)
the sky is falling ... (Score:2)
So? (Score:2)
Signal already interoperates with SMS as well as plain telephony. If Signal to Signal, encrypted, if not, not and it lets you know. What's the problem?
Signal has 3 layers of security not 2 (Score:2)
Signal can send end to end encrypted messages to other Signal users
Signal can send end to end encrypted and authenticated messages to other Signal users that you have shared safety numbers with
Signal and WhatsApp should mostly be able to work with each other at the middle level of security. I'm sure both Signal and WhatsApp though will implement new features like how they do video calls that will break compatibility. You really can't have innovation if you don
Re: (Score:2)
Is this actual interoperability? Or is it just "the Signal app can use the phone's SMS APIs" (and guess what? So can FB Messenger). I've seen no reason to not assume it's the latter.
Typical Euro-weenies (Score:2)
Also Europe: Stop using strong end-to-end encryption
Encryption should be optional in Whatsapp... (Score:2)
What security experts actually think this? (Score:2)
letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS
No, that's not what it means. WhatsApp provides encrypted messaging, SMS does not. The two are not the same.
WhatsApp -- which uses the Signal protocol...
Ah, now we come to it. If WhatsApp actually, faithfully implemented the Signal protocol, then it would be interoperable with Signal, as well as any other app that implements that protocol. Since they do, supposedly, use Signal as their base, all they have to do is remove their proprietary changes. Then they would be compliant with the new law, problem solved.
Re: (Score:2)
They can't implement the Signal protocol completely, because that would mean their ability to read all the 'end to end (HAHAHA)' encryption would disappear.
Re: (Score:2)
To be fair they'd lose a bit more than that.
One biggie being easy history transfer to a new device, along with redelivery to new peer's device (meaning automagic reencryption, which makes their e2e claims dubious at best).
Re: (Score:2)
Ah, now we come to it. If WhatsApp actually, faithfully implemented the Signal protocol, then it would be interoperable with Signal, as well as any other app that implements that protocol
No, it doesn't work like this.
The Signal protocol has to do with session management, key exchanges, and how that blob of message ciphertext is generated and decoded.
But how does that blob actually get sent from one phone to another?
By being wrapped in a protocol that's completely proprietary to either Signal or WhatsApp.
And what data does that blob contain once it's decrypted?
A message structure that's also a completely proprietary format to either Signal or WhatsApp.
So yeah, being interoperable means implem
Isn't that the point? (Score:2)
Civilian access to good encryption has always been a problem. The police cannot do its job without mass surveillance of the population. They can, but you know, they have become lazy, and this is easier. And if we catch a killer, or a low level street dealer, we want to have full access to their phones, and all their contacts. We would even like to have "expanded" access to their contact's data as well. No more dealing with warrants and such.
So it is a "win-win". Civilians lose encryption, WhatsApp is vilifi
Huh? (Score:2)
Let's say WhatsApp published the complete specifications for their encryption and supplied a BSD-licensed library for communicating with WhatsApp. The law is 100% complied with. Anyone can then interoperate with WhatsApp. What's more, security experts can verify that WhatsApp uses properly secured encryption. All this without weakening WhatsApp itself. You'd still have end-to-end encryption, as the apps would link to the library to do the decryption.
Ok, could you do this via an intermediate service? Say, se
What appears to be an "unintended consequence" (Score:2)
Is probably the real intent, a feature, not a bug. Of course, who really believes that WhatsApp can't read your messages? I find it difficult to believe such big companies are protecting your privacy.
Fearmongering is making it unnecessarily difficult (Score:2)
WhatsApp won't need to implement less secure encryption, they'd just need to publish an API/spec for 3rd party clients and/or networks to use. If Signal wanted to allow its users to communicate directly with WhatsApp's userbase, it would be up to Signal to do the work to make it happen. They would have to develop against the spec, including the encryption algorithms, to be compatible.
Interoperability is good. Years ago we were headed down that path, Google chat/hangouts was using XMPP (Jabber) protocol,
Encrypted email has been around forever (Score:2)
They'll sort it out (Score:2)
Fake news (Score:2)
Steven Bellovin, an acclaimed snake oil (Score:2)
Apparently has no idea what multi-protocol clients were. They died a painful death on account of Meta, Snapchat et al nuking alt client implementations from app stores (who are complicit) with extreme prejudice to guard their garden.
The only notable exception is Telegram (Nekogram etc available on play store). Signal is sketchy, as Moxie is keen to talk a lot of bullshit, instead of opening signal GMS push to 3rd parties.
Sounds like FUD (Score:2)
This argument sounds dishonest. He pretends the law says something totally different from what it says. The law says WhatsApp has to allow interoperability. He turns that into, "WhatsApp has to support every protocol anyone else uses, even insecure ones like SMS." No they don't. They just have to support some protocol that other people can support. He wants you to think end-to-end encryption is only possible if you keep the whole thing proprietary. That's absurd.
Sounds like nonsense again ... (Score:2)
WhatsApp to WhatsApp would still be encrypted.
Only WhatsApp to SMS would be unencrypted, and SMS is not encrypted anyway.
And: you cannot send an SMS to a WhatsApp user, how the fuck would that be even possible?
By writing: "Sent to WhatsApp" as first line of text?
What with other text messaging programs? Does the sender now need to know what the other party is using as text messaging app/program?
If I send an SMS, the other party gets it as SMS, simple.
Re: (Score:2)
I don't know what the point is you're trying to make, but the question is whether this legislation forces WhatsApp to allow third party apps to be able to send and receive WhatsApp messages, and specifically this is much less about someone using iMessage to send a message to someone else using WhatsApp, and much more about someone using an app from an exciting new European startup whose potential is now unleashed to send or get a message to or from someone else using WhatsApp, and whether WhatsApp is a
Re: (Score:2)
This'll be the same Putin whose mighty army can't even win against a relatively poor country with frankly knackered Soviet equipment other than what the West is supplying them. Against NATO forces the Russians would last about a day.
Re: (Score:2)
Element...
I guess I'm old when I say "reinvented GAIM/Pidgin, MirandaIM, Kopete, XMPP bridges, but in the browser"
Re: (Score:2)
Yeah, encryption is only part of the puzzle. There's also the expectation of client behavior once the message has been received and decrypted. That's everything from delivery and read receipts (e.g. colored checkmarks), to message retraction and auto-delete, to how backups and local data are managed. When these things don't behave exactly as expected, both "security experts" and normal users absolutely do raise hell over it and bloggers gladly fill the Internet with articles discussing it.