Your WhatsApp conversations can be intercepted by a third party. This revelation came after The Guardian reported on a security vulnerability, a backdoor, in the messaging app owned by Facebook.
The report, issued on 13th January, says that the company can actually read messages due to the way WhatsApp has implemented its end-to-end encryption protocol. The app’s end-to-end encryption relies on the generation of unique security keys, but it also has the ability to generate new keys for its offline users.
The generation of new keys, unknown to the sender and recipient of the messages, makes the sender re-encrypt any messages that have not been marked as delivered with the new keys and send them again.
The security loophole was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. The company added end-to-end encryption last year and was also under fire lately for allegedly leaking user information.
WhatsApp’s end-to-end encryption uses the acclaimed Signal protocol, developed by Open Whisper Systems, but Signal doesn’t suffer the same fate. The Edward Snowden-verified app would notify the sender about the failed message and the change in security keys without automatically resending the message. It is also close to impossible to block access to the Signal app.
After the article was published, many diplomats and activists expressed disappointment, as WhatsApp promises safety and privacy to its users. The company responded by issuing a statement that reads:
“WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
After the company's response, The Guardian, in another article published on 14th January, revealed that it agrees that people can enable settings that will notify them about changes in the security keys, but the very nature of these notifications is also questionable.
There are two options when it comes to the notifications: blocking or non-blocking. Blocking requires users to manually verify that a new key is legitimate, while non-blocking simply notifies the user when a key has been changed. WhatsApp uses non-blocking notifications whereas the Signal app uses blocking notifications, thus granting more privacy to people.
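The difference between the two notification styles can be seen in a toy model of the sending client. This is an added example, not code from WhatsApp, Signal or the Guardian report; the class `SenderClient`, its methods and the key labels `key-A`/`key-B` are hypothetical, and keys are plain labels with no real cryptography.

```python
# Toy model constructed for illustration: keys are plain labels, no real cryptography.
from dataclasses import dataclass, field

@dataclass
class SenderClient:
    blocking: bool                       # True: hold until verified; False: resend, then notify
    trusted_key: str                     # recipient key the user has accepted
    unverified_key: str = ""             # new key awaiting manual verification
    pending: list = field(default_factory=list)   # sent, not yet marked delivered
    wire: list = field(default_factory=list)      # (key label, plaintext) handed to the server
    notices: list = field(default_factory=list)   # what the user was shown

    def send(self, text: str) -> None:
        self.wire.append((self.trusted_key, text))
        self.pending.append(text)

    def mark_delivered(self, text: str) -> None:
        self.pending.remove(text)

    def on_key_change(self, new_key: str) -> None:  # server announces a new recipient key
        if self.blocking:
            self.unverified_key = new_key          # nothing is resent yet
            self.notices.append(f"key changed to {new_key}: verify before resending")
            return
        self.trusted_key = new_key                 # accepted without user action
        self._resend_pending()
        self.notices.append(f"key changed to {new_key}")

    def user_verifies(self, accepted: bool) -> None:
        """Blocking mode only: the user compared the new key out of band."""
        if accepted and self.unverified_key:
            self.trusted_key = self.unverified_key
            self._resend_pending()
        self.unverified_key = ""

    def _resend_pending(self) -> None:
        for text in self.pending:
            self.wire.append((self.trusted_key, text))

def sent_under(client: SenderClient, key: str) -> list:
    return [text for k, text in client.wire if k == key]

def scenario(blocking: bool) -> SenderClient:
    c = SenderClient(blocking=blocking, trusted_key="key-A")
    c.send("delivered earlier")
    c.mark_delivered("delivered earlier")
    c.send("still in transit")           # recipient offline, not marked delivered
    c.on_key_change("key-B")             # key the user has never verified
    return c
```

In the non-blocking scenario the undelivered message has already been sent under `key-B` by the time the notice exists; in the blocking scenario it is sent under `key-B` only after `user_verifies(True)`.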
So is there a completely secure messaging application? Maybe not, but users can review the level of security provided by different apps like Signal and WhatsApp and choose the one that best suits their needs.