Home Security Guardian slammed over 'false' WhatsApp backdoor report

Guardian slammed over 'false' WhatsApp backdoor report

Well-known cryptographer Moxie Marlinspike has slammed the Guardian for publishing what he described as a "false" report claiming that the end-to-end encryption used by WhatsApp has a backdoor.

Marlinspike was moved to comment because WhatsApp uses the Signal Protocol developed by his company, Open Whisper Systems, that created the secure Signal messaging app.

Like every other secure messaging app, WhatsApp relies on private and public keys to encrypt a message to a user. When a new device is used or when the app is reinstalled, new keys are generated. The user will be notified of such changes if he/she has changed the settings accordingly.

Any messages that have been backed up for sending while a phone is offline will be sent once it comes back online.

In its report, the Guardian claimed that when a change like this took place, the re-encryption and rebroadcasting allowed WhatsApp to intercept and read messages.

But Marlinspike pointed out that "the WhatsApp clients have been carefully designed so that the WhatsApp server has no knowledge of whether users have enabled the change notifications, or whether users have verified safety numbers. WhatsApp could try to 'man in the middle' a conversation, just like with any encrypted communication system, but they would risk getting caught by users who verify keys".

He said in normal circumstances, when communicating with someone who had changed devices or reinstalled WhatsApp, it might be possible to send a message before the sending client discovered that the receiving client has new keys.

"The recipient's device immediately responds, and asks the sender to re-encrypt the message with the recipient's new identity key pair. The sender displays the 'safety number has changed' notification, re-encrypts the message, and delivers it," Marlinspike said.

He added that the WhatsApp clients had been carefully designed so that they would not re-encrypt messages that had already been delivered.

"Once the sending client displays a 'double check mark', it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.

"The fact that WhatsApp handles key changes is not a 'backdoor', it is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system," Marlinspike said.

He pointed out that while the Guardian had put very little effort into verifying its technical claims, adding "even though we are the creators of the encryption protocol supposedly 'backdoored' by WhatsApp, we were not asked for comment".

"Instead, most of the quotes in the story are from policy and advocacy organisations who seem to have been asked 'WhatsApp put a backdoor in their encryption, do you think that's bad?'"

This does not mean that WhatsApp user data is not shared with its owner Facebook, with the social media announcing last year that this would be the case.


Did you know: Key business communication services may not work on the NBN?

Would your office survive without a phone, fax or email?

Avoid disruption and despair for your business.

Learn the NBN tricks and traps with your FREE 10-page NBN Business Survival Guide

The NBN Business Survival Guide answers your key questions:

· When can I get NBN?
· Will my business phones work?
· Will fax & EFTPOS be affected?
· How much will NBN cost?
· When should I start preparing?


Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.