There is something about encryption that brings out the worst in journalists. Because to most of them it is magic, they are always searching desperately for the proverbial man behind the curtain, without knowing what to look for. Which may explain The Guardian’s recent bizarre attack on WhatsApp, which they accused, wrongly, of having a “backdoor.” And the security community erupted in rage.

To understand this story, why the Guardian was and is wrong, why they were forced to walk back their original “backdoor” headline, and why the security community is furious, you’ll need a little context. Sit down, my pretties, and let me tell you a little infosec fable:

Once upon a time there was PGP, which stands for Pretty Good Privacy, and it was good and strong. So good and strong that after its creator, Phil Zimmermann, released its source code 25 years ago, the US government opened a criminal investigation against him for arms trafficking. (The case was later dropped without indictment.)

For twenty years PGP was the gold standard of secure messaging. For one, it lacked forward secrecy: if your key was compromised, so was every message it had ever encrypted. For another, key exchange was/is at best challenging. (The Snowden revelations were delayed by a month because he couldn’t find a way to contact Glenn Greenwald securely.)

But the worst thing about PGP, by far, is that it is fiendishly user-hostile, so only hardcore hackers ever really used it. Whether we like it or not, usability is an essential aspect of security. Just as the best workout routine is not the Rock’s but, rather, one that you will actually stick to, the most secure messaging system is one that you will actually use. Any “secure” systems which pretend this is not true will fail from disuse.

Enter Signal, a mobile (and Chrome plug-in) secure messaging system. It is fast, slick, sexy, cross-platform, and battle-tested. It implements highly secure end-to-end messaging with a “ratchet” protocol which provides perfect forward secrecy. It is the choice of technically sophisticated, security-conscious people around the world. But Signal is the best available alternative.

However, most of the world does not use Signal. Most of the world uses SMS, Facebook Messenger, and, especially, WhatsApp - which, until recently, was much less secure. So the roll-out of the Signal protocol to WhatsApp, which commenced two years ago, was met with rejoicing.

However, even though it used the same protocol as Signal, the implementation was different. It’s that difference which the Guardian, strangely and wrongly, called a “back door.”

For the grotty details see “A Trade-Off In Whatsapp Is Called A Backdoor” by the EFF, “There Is No Whatsapp Backdoor” by Signal head honcho Moxie Marlinspike, “WhatsApp Security Vulnerability” by Bruce Schneier, and “On the ‘WhatsApp backdoor’, Trade-Offs and Opportunistic Authentication,” by Frederic Jacobs.

(edit: a previous link here was replaced because of a consensus that its characterization of Wire, a completely different private-messaging app, was unfair/inaccurate.)