Whatsapp and Open Whisper Systems announced that the Whatsapp app, which is currently used by over a billion people, has started supporting end-to-end encryption for texts, calls, and group chats on all platforms by default. The app also supports verification of users to ensure that integrity of the encryption between multiple users remains intact.
In a blog post about the announcement, Whatsapp’s Ukrainian co-founder, Jan Koum, said private communications are of great importance to him. This is probably why he could implement these new features for Whatsapp despite the company now being owned by Facebook, a company that isn’t the most privacy-focused.
“The desire to protect people's private communication is one of the core beliefs we have at WhatsApp, and for me, it's personal. I grew up in the USSR during communist rule, and the fact that people couldn't speak freely is one of the reasons my family moved to the United States,” said Jan Koum in the latest announcement.
Whatsapp Fully Embraces “Signal” Protocol
Back in November, 2014, Open Whisper Systems announced that it had been working with Whatsapp to enable the same kind of end-to-end encryption that the group’s TextSecure app (which later became Signal) had been using. At the time, Whatsapp enabled end-to-end encryption only for texts between two parties, but not for group chats or calls (which Whatsapp didn’t support then anyway). The end-to-end encryption also only worked between Android users, but not between Android and iOS or other platforms.
Whatsapp and Open Whisper Systems announced that starting with the latest version of the client, all users will have enabled by default end-to-end encryption for texts, group chats, and voice calls. The encryption is provided by the open source Signal protocol, which uses state-of-the-art cryptography to make conversations private.
This has been enabled for all platforms, but there will be a transition period in which messages won’t be encrypted until all users have the new version of Whatsapp. When two or more users can use end-to-end encryption, they will be notified in the app, making it easier to understand if their messages as well protected.
How Whatsapp’s New Encryption Works
Whatsapp said that the end-to-end encryption being used in its app now won’t allow even the company itself to see what two or multiple people say to each other. This is unlike most other popular chat applications wherein the messages are encrypted only in transit, but decrypted on the companies’ servers.
“The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation,” said Whatsapp in its announcement.
To ensure the integrity of the encrypted connections and that no one is tampering with them in transit, the users can also verify themselves through a QR code (when meeting each other), or by speaking a 60-digit “security code” to each other.
Beyond the end-to-end encryption layer, there’s an additional brand-new TLS-replacement protocol, called “Noise,” invented by Trevor Perrin, a member of Open Whisper Systems and the creator of Signal’s main design for end-to-end encrypted texts.
Noise offers the following properties:
Extremely fast lightweight connection setup and resume. Encrypts metadata to hide it from unauthorized network observers. No information about the connecting user’s identity is revealed. No client authentication secrets are stored on the server. Clients authenticate themselves using a Curve25519 key pair, so the server only stores a client’s public authentication key. If the server’s user database is ever compromised, no private authentication credentials will be revealed.
E2E Encryption A Needed Feature For Whatsapp
In many countries, Whatsapp has become not just a cheaper and more advanced alternative to SMS, but also a tool used by professionals where the conversations can be of a highly sensitive nature, such as discussions between patients and doctors, or even between police officers.
Some of the countries in which Whatsapp became popular because SMS texts were too expensive may also have more oppressive regimes, which makes this end-to-end encryption feature even more important for the people living there. End-to-end encryption provides them strong privacy by default without them even having to think about it (although verifying users with the security codes is still highly encouraged).
With iMessage’s end-to-end encryption now fundamentally broken, Whatsapp has become the only mass-market chat application that employs strong end-to-end encryption. The open source Signal app itself should still be preferable to privacy activists or people who could be in real danger without using the most secure app around, but its userbase is much smaller, which can be an inconvenience for many. Other mainstream chat apps either don’t use end-to-end encryption at all, or if they do, it’s usually not enabled by default.
Signal Protocol To Be In More Chat Apps Soon
Moxie Marlinspike, the founder of Open Whisper Systems, said in another blog post that the group would be working with other chat applications in the future to enable the Signal protocol for them as well.
"Over a billion monthly active users across the world are now using the Signal Protocol for end to end encryption. Over the next year, we will continue to work with additional messengers to amplify the impact and scope of private communication even further. We're excited about the future of the Signal Protocol and the places it is going," he said.
Some apps such as Silent Phone, ChatSecure, and Wire have already adopted it (or a version of it). However, it would be great to see other popular apps such as iMessage, Hangouts, Skype, Snapchat, Telegram, and perhaps Facebook’s own Messenger adopt it for truly private communications.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.