Home Messaging Apps thomwithoutanh's bookmarks whatsapp, signal | security in-a-box

whatsapp, signal | security in-a-box

thomwithoutanh's bookmarks 2016-08-10

Summary:

While WhatsApp relies on the Signal protocol, which is an open standard, to encrypt its users' communications, the app itself is closed source. We trust Open Whisper Systems to have properly integrated the Signal protocol into WhatsApp, but the closed source nature of the app prevents us from identifying other aspects of the app that could impact our security. Signal, on the other hand, is open source. As a result, we can verify that our communications are properly encrypted and review the overall security of the app.

 

 

It's well-known that advertising is at the heart of Facebook's business model, which is fueled by the vast quantities of data that users hand over to the company through its various services. Open Whisper Systems, on the other hand, is a non-profit, grant-funded group of free software developers whose mission is to “advance the state of the art for secure communication, while simultaneously making it easy for everyone to use”.

 

That said, it’s worth noting that Signal’s reliance on the Google Cloud Messaging platform means that Google — which is, of course, in the data business — does have access to someof the metadata produced by Signal. They know the current IP address of any device that receives a Signal message, for example, but Signal’s architecture hides as much of this metadata as possible. The Signal protocol can be used independently from Google Play Services via LibreSignal, a fork of Signal, which can be installed from F-Droid, a free and open source Android app repository.

While it's not clear whether and to what extent WhatsApp users' metadata feeds into Facebook's advertising business model, it remains an important question. As Open Whisper Systems is not in the data business, we believe Signal is more likely to protect our metadata.
 
An essential component of digital security is the ability to verify that we are actually sending data to, and receiving data from, the person with whom we believe we are communicating. Without this ability, it is possible for someone to sit between us on the network when we first get in touch, decrypt our messages, record them, re-encrypt them and relay them back and forth. This is called a man-in-the-middle attack.

In this scenario, merely recognizing our correspondent's voice is not enough to guarantee that our communication is properly encrypted. For that, we need some kind of cryptographic identity verification mechanism.

Both WhatsApp and Signal support identity verification for messages and voice calls. For messages, they rely on the same mechanism: users compare identity key fingerprints, then flag a contact as verified. For voice calls, however, the two apps work differently. Signal’s voice encryption protocol makes it easy for users to verify each call by reading off two words and making sure they match. WhatsApp’s voice call verification, however, depends on users having previously verified one another for messaging by comparing fingerprints.

Link:

https://securityinabox.org/en/blog/23-05-2016/why-we-still-recommend-signal-over-whatsapp

From feeds:

Messaging Apps » thomwithoutanh's bookmarks

Tags:

signal whatsapp

Date tagged:

08/10/2016, 06:22

Date published:

08/10/2016, 02:22