WhatsApp fixes its biggest encryption flaw


If you choose to use the new feature, WhatsApp will encrypt your messages, images, videos, etc. with a random key generated on your device. You can secure this key either with a password or by managing a 64-digit encryption key manually. The password is almost certainly easier to remember, and if you go this route, WhatsApp will store your key in a backup key vault that resides in a so-called hardware security module (HSM), a kind of digital safe that keeps your key secret from WhatsApp, Apple, Google and everyone else. Your password is what unlocks it and gives you access to your chat backups. The 64-digit encryption key can be more difficult to keep track of, but if you choose to manage it yourself, it won’t go to the HSM backup key vault, removing a potential, if unlikely, point of failure.

WhatsApp has also integrated some additional protections. Too many bad password attempts, and the key will become “permanently inaccessible,” a measure designed to prevent brute force attacks. And the service replicates your key in HSM-based backup key vaults in five geographically disparate data centers, to make sure you can still access your chats even if one is down.
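The attempt limit is what lets a short, memorable password protect a strong random key. The Python sketch below is an added illustration of that idea, not WhatsApp's code or protocol: the `BackupKeyVault` class, the attempt limits and the PBKDF2 password check are assumptions, and a real HSM-based design would not receive the password in the clear.

```python
import hashlib
import hmac
import secrets


class BackupKeyVault:
    """Toy stand-in for the HSM-backed vault: releases a key only for the right password."""

    def __init__(self, max_attempts=10):  # assumed limit; the article gives no number
        self.max_attempts = max_attempts
        self._records = {}  # user id -> stored record

    @staticmethod
    def _verifier(password, salt):
        # Salted, slow hash so the vault never stores the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, backup_key):
        salt = secrets.token_bytes(16)
        self._records[user] = {"salt": salt, "key": backup_key, "failures": 0,
                               "verifier": self._verifier(password, salt)}

    def recover(self, user, password):
        rec = self._records[user]
        if rec["key"] is None:
            raise PermissionError("key permanently inaccessible")
        if hmac.compare_digest(self._verifier(password, rec["salt"]), rec["verifier"]):
            rec["failures"] = 0  # design choice in this sketch: success resets the counter
            return rec["key"]
        rec["failures"] += 1
        if rec["failures"] >= self.max_attempts:
            # Destroy the key material: no later guess, even a correct one, can succeed.
            rec["key"] = rec["verifier"] = None
        return None


def demo():
    backup_key = secrets.token_bytes(32)  # random key generated on the device
    vault = BackupKeyVault(max_attempts=3)  # small limit to keep the demo short
    vault.register("alice", "correct horse", backup_key)  # constructed sample values
    first_ok = vault.recover("alice", "correct horse") == backup_key
    for guess in ("123456", "password", "qwerty"):  # three wrong guesses in a row
        vault.recover("alice", guess)
    try:
        vault.recover("alice", "correct horse")
        return first_ok, "open"
    except PermissionError:
        return first_ok, "locked"


if __name__ == "__main__":
    print(demo())
```

After the third wrong guess the correct password no longer works either, which is the trade-off the article describes: brute force is cut off, and so is a user who keeps mistyping.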

“Redundancy is important,” says Slavik Krassovsky, head of software engineering at WhatsApp. “If a data center, or even a network machine or switch in a data center, were theoretically to go down, we don’t want that to impact someone’s ability to get their end-to-end encrypted backup.”

And while it’s usually best to turn on privacy and security features by default, in this case making it opt-in makes sense. “It’s easy to accidentally lock yourself into an account by forgetting a password, and if that means losing any conversations you’ve had on WhatsApp, you might not want to take that chance,” says Pfefferkorn. “For many people, not losing their backups is a more pressing concern than adding an extra layer of security.”

For those who need that level of security, however, WhatsApp’s end-to-end encrypted backups are a welcome development, which other messaging services will hopefully embrace as well. “We could see more and more companies deciding to build in an additional layer of security for their own users instead of depending on their cloud provider,” says Pfefferkorn. “Of course, not everyone has the resources that WhatsApp has, but with two billion users, WhatsApp also has many more people who depend on it than most services.”

Even with end-to-end encrypted backups, you can still have valid concerns about the amount of data WhatsApp shares with Facebook, or the metadata it collects. And the secure messaging service Signal does not use cloud backups at all, which eliminates the problem completely. But the step WhatsApp is taking today balances usability, scalability, and protection in a way that no other encrypted messaging service currently does.

