Pando

WhatsApp turns to Open Whisper Systems for end-to-end encryption that actually works

By Nathaniel Mott, written on November 18, 2014


Securing digital communications isn't easy. But that's not stopping WhatsApp from trying to make it harder to snoop on messages sent via its platform. The company has released an update to its Android application that enables end-to-end encryption by default, and it plans to encrypt messages sent via iOS in the future, making it the world's largest secure communication service.

WhatsApp doesn't have the best track record when it comes to securing its users' messages. As Pando detailed when the service was acquired by Facebook earlier this year, WhatsApp didn't even bother to encrypt its messages until three years after its launch, and even then it relied on a "half-baked encryption method that can be easily cracked" from 2012 until this new update. (A WhatsApp spokesperson declined Pando's request for comment on this story.)

So it's a good thing the company isn't asking users to trust that it was able to add end-to-end encryption on its own. Instead, it partnered with Open Whisper Systems, a security company that develops open source encryption software that can be used by anyone who wants to add it to their messaging platforms. (It also offers its own secure software for Android smartphones.)

There are several advantages to Open Whisper Systems' software: The fact that it's open source means anyone can inspect its source code to search for vulnerabilities or backdoors; it creates a new encryption key for every message sent, making it harder to snoop on communications; and it was made by reputable developers instead of people incapable of using basic encryption.

Some have worried about WhatsApp mucking up those benefits by using its own proprietary software, but Open Whisper Systems' Moxie Marlinspike tells Pando that his company worked with WhatsApp on the integration for the last six months, leading him to think it's sound. "We've been pretty involved in this integration, so I actually feel great about how this particular integration is done," he says. "I've been really impressed with WhatsApp's commitment and thoroughness. They're not cutting any corners, and they're really focused on doing this right."

Still, there are going to be ongoing concerns about WhatsApp's security simply because it doesn't make its source code available for scrutiny. Marlinspike recognizes this and says that there are some groups -- such as journalists -- which will always want to use open source tools. But in general, he says, WhatsApp's decision to support end-to-end encryption is a big deal.

All of which means this is good news for anyone who cares about encrypted communications. Secure tools still have a long way to go in terms of usability, and too many of our activities are still vulnerable to snooping. But support for secure messaging from a platform as ubiquitous as WhatsApp is no small thing.

[illustration by Brad Jonas]