Whatsapp integrates Moxie Marlinspike's Textsecure end-to-end crypto


#1

[Permalink]


#2

Dude looks like the Kai the hatchet guy (has dreads)


#3

If it’s running on a phone, then there are backdoors. They are in the baseband operating system that runs under the user OS (ie under Android or iOS).


#4

This is great news. I still prefer TextSecure, but this way my chats with my family will be secure too.


#5

Interesting… at least one such backdoor has been discovered in the wild: http://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor

They found it in the vendor-supplied Radio Interface Layer that talks to the proprietary code running on the baseband. Using key stretching to store credentials as described here would defeat it, although it’s always possible that the baseband could do some sort of “tap” logging, analagous to a keylogger on a PC.


#6

Now if only they’d release OSX and iPad versions of their app.
A texting app is most useful when you can use it across all your devices and locations.

Heck even Apple with iMessage, Skype, Facebook and most other major players in this marketspace understand this.

I’d love to use Whatsapp as my primary texting app, but i won’t if i have to use multiple apps on different platforms because there is no single way to reach me.


#7

If you want secure IM including desktop, you can use OTR with XMPP.

Adium on OS X, ChatSecure on Android, Pidgin or Telepathy on Linux, and [insert iOS app name here] on iOS.


#8

I get three different flavors of ChatSecure and two other offerings from a <a href=https://play.google.com/store/search?q=ChatSecure>search for “ChatSecure” on Google Play. I’m guessing it’s the first result, and the other two apps are add-ons…


#9

Yes.

It’s a bit buggy with Facebook’s XMPP server, but works nicely with Google’s.


#10

Except that little word, “assuming”…


#11

I think that’s part of my problem as well. For me, I recognize that there are programmers out there writing code to ensure private communications, but who do I trust if that code isn’t released to the public for verification and further testing?
And besides that, given the NSA’s budget (or any other spy agency in the world) coupled with their abundantly shouted need to see everything because terrorism, I have to wonder how difficult it would be to keep the NSA out of your files once they’ve targeted you as a potential threat (which is how I would think they’d see Mr. Marlinspike and his work).


#12

Probably impossible, but that’s not the point. The point is to prevent them from casually eavesdropping on everyone illegally even when those people aren’t potential threats.


#13

Agreed on the casual eavesdropping bit. My thought had more to do with NSA being able to, for instance, infiltrate Whatsapp or Textsecure coder computers to intercept raw, uncompiled code and better enable them to work on strategies to defeat the product.


#14

He said “texting” not “IM.” The main difference being the former works with SMS on phones as well.


#16

I’m not aware of any unified texting and IM solution for Android and desktop which offers any kind of security.


#17

Probably rather difficult.

Less difficult (but still not so trivial) is engineering an access-evident system, where unauthorized accesses (including NSA) can be audited for and detected. The very existence of such can serve as a certain level of deterrent; you have to balance the fallout of being seen/caught (with increased probability) vs the benefit of having access to the data.


#18

This topic was automatically closed after 5 days. New replies are no longer allowed.