Last year, end-to-end encryption arrived in WhatsApp Messenger and, for all intents and purposes, it was supposed to be the great security measure that keeps messages among the participants of a conversation only (not even the messenger itself could access them). But does that really happen?
The Guardian reported that cryptography and security specialist Tobias Boelter discovered a vulnerability in the messenger that would allow the company to access conversations. This created a big problem, mainly because the newspaper suggested that such a loophole could be used by the government to get the information it wanted.
You know that well, right? The messenger has already "suffered" at the hands of the Brazilian courts, which have blocked the service several times to try to force Facebook to release conversations for investigations; the company, however, claimed to be unable to access them. If this vulnerability really exists and is being used by the company, we could see many more blocks, or even more serious things, happening here in Brazil.
What The Guardian presented as a backdoor is the modification of encryption keys. Imagine the following scenario: you send a message to a friend whose phone is turned off (no battery, for example). Sent messages are "stored" on your device until they are actually delivered; but at this moment, with the recipient's device turned off, without signal or the like, someone (the government, for example), with the help of Facebook, could intercept the message, "imitate" a new device (a new iPhone that your friend bought) and "fish" the outgoing messages by generating new encryption keys.
The big point here is that this is apparently something well known to people in the field, and an extremely difficult maneuver to pull off, as security researcher Alec Muffett explained to Gizmodo.
The application is built on the Signal protocol, created by Open Whisper Systems. The protocol is the most secure way that currently exists to protect messenger data. Frederic Jacobs (who worked on the creation of Signal and was recently hired by Apple) made his opinion clear on Twitter:
It's ridiculous that this is presented as a backdoor. If you don't verify keys, authenticity of keys is not guaranteed. Well known fact.
– Frederic Jacobs (@FredericJacobs) January 13, 2017
Trying to refute The Guardian's story, representatives of the app stated that they gave no backdoor to the government (which was not quite what the newspaper claimed), but that, in fact, this "design decision" was something to "prevent millions of messages from being lost" and that they send notifications whenever there are risks to the user.
Although it seems like just an "excuse" from the company, several experts agreed; Muffett added: "It is not a bug, it is working as it was designed to work; they say it is a 'failure' and they think that the sky is falling when, in fact, it is something ignoble."
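The re-keying scenario described above, as a simplified model added here (it is not WhatsApp's or Signal's code): a sender holds undelivered messages and either re-sends them to a newly announced key with only a notice, or holds them until the fingerprint has been verified. The class, the `block_on_key_change` switch, the fingerprint format and the sample keys are assumptions, and encryption is replaced by recording which key each message was sealed to.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample keys; real identity keys are public-key material.
FRIEND_OLD_KEY = b"constructed-key-of-friends-old-phone"
UNVERIFIED_NEW_KEY = b"constructed-key-announced-for-new-device"

def fingerprint(identity_key: bytes) -> str:
    """Short digest two users can compare out of band (constructed format)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    block_on_key_change: bool   # hypothetical policy switch
    trusted_fp: str             # fingerprint the conversation started with
    pending: list = field(default_factory=list)   # undelivered plaintexts
    sent: list = field(default_factory=list)      # (plaintext, key fingerprint)
    notices: list = field(default_factory=list)   # warnings shown to the user

    def queue(self, text: str) -> None:
        self.pending.append(text)

    def recipient_online(self, announced_key: bytes) -> None:
        """The server announces the key of the device now using the account."""
        fp = fingerprint(announced_key)
        if fp != self.trusted_fp:
            self.notices.append(f"security code changed: {fp}")
            if self.block_on_key_change:
                return              # hold messages until verify() succeeds
            self.trusted_fp = fp    # accept the new key without checking it
        self._flush()

    def verify(self, fp_from_friend: str, announced_key: bytes) -> bool:
        """User compared the fingerprint with the friend over another channel."""
        if fingerprint(announced_key) != fp_from_friend:
            return False            # mismatch: messages stay queued
        self.trusted_fp = fp_from_friend
        self._flush()
        return True

    def _flush(self) -> None:
        # Stand-in for encryption: note which key each message is sealed to.
        self.sent += [(m, self.trusted_fp) for m in self.pending]
        self.pending.clear()

def demo(block: bool) -> Sender:
    s = Sender(block, fingerprint(FRIEND_OLD_KEY))
    s.queue("see you at 8")
    s.recipient_online(UNVERIFIED_NEW_KEY)
    return s
```

With `demo(False)` the queued message goes out under the unverified key and the user only sees a notice afterwards; with `demo(True)` it stays in `pending` until `verify()` is given a matching fingerprint.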
Some say one thing, others refute it; but it seems there is no need for all that fuss. For now, the only thing you need to worry about is sharing your data with Facebook.