Klaus Jónsson Zimmermann (alternative acc)
1. WhatsApp has a backdoor that can be used to decrypt your "end-to-end encrypted" texts.
2. People discover said backdoor (I guess through poking around or reverse engineering, since it's proprietary and code inspection isn't possible) and warn WhatsApp about it.
3. WhatsApp acknowledges existence of backdoor, says it's intentional ("it's not a bug, that's our design!") and they won't bother fixing it.
4. Millions of people continue using communications that can be actively intercepted, because they were told that some "encryption" thing they know nothing about would protect them.

Why am I not surprised here?

https://gnusocial.club/url/40013

Don't use #WhatsApp. Just don't.

!privacy
Jan 20, 2017 at 1:13amWeb
Show threadMike GerwitzJan 20, 2017
@kzimmermann2 It's not a backdoor, but it's a terrible and vulnerability dismissed as a usability feature. (Which does fit the definition of some backdoors, granted.)

With that said, WhatsApp is proprietary and they can decide at any point to do something malicious without the user's knowledge or consent.
Show threadKlaus Jónsson Zimmermann (alternative acc)Jan 20, 2017
I think that's the key point: it's proprietary, and we cannot inspect or change the way it works.

If this was Free Software, with some effort I could understand this being defended as some kind of feature ("hey, you don't like it, fork it!"). However, since users have no choice and this behavior can be used to compromise security, I don't see how this is any different from how Microsoft leaves some vulnerabilities unpatched or, worse, even shares them with the NSA.

And sadly, just like with Windows computers, sometimes we have to use WhatsApp too.
Show threadMike GerwitzJan 21, 2017
@kzimmermann2 If you're defining any proprietary software as a potential backdoor, then I'm with you.
Show threadKlaus Jónsson Zimmermann (alternative acc)Jan 21, 2017
Well, I'm not defining proprietary software, but if I was, I would include "not giving users choice" somewhere in there. Including the choice to avoid / fix known backdoors.
Show threadFranko BuroloJan 20, 2017
@kzimmermann2 I don't. Never did. :-D
Show threadKlaus Jónsson ZimmermannJan 20, 2017
@franko great! What do you use instead? Do you even have a smartphone?
Show threadunivalence electronJan 20, 2017
@kzimmermann2 @hobbsc the EFF's explanation https://quitter.no/url/841522
Show threadKlaus Jónsson Zimmermann (alternative acc)Jan 20, 2017
@amsomniac @hobbsc yeah, that's the same link I referred to.
Show threadunivalence electronJan 20, 2017
@kzimmermann2 @hobbsc oops, sorry about the duplicate. #WhatsApp is proprietary, #Signal requires Google Cloud Messaging and won't allow #fdroid to distribute. I like #silence.im but everyone I know uses Signal.
Show threadKlaus Jónsson Zimmermann (alternative acc)Jan 20, 2017
@amsomniac No worries! But whoa, everyone you know uses Signal? That's pretty amazing, I thought its adoption rate was more or less that same as XMPP's.

I won't use Signal myself either because of that same problem (and their unwillingless to federate), so I guess the best approach still is plain old XMPP with OTR/OMEMO on top.

@hobbsc
Show threadunivalence electronJan 20, 2017
@kzimmermann2 @hobbsc *everyone I know who uses encrypted chat, which is only 10 or so people. Conversations is a great #XMPP client!
Show threadKlaus Jónsson Zimmermann (alternative acc)Jan 21, 2017
Agreed, it's a pretty good client indeed, especially for beginners as it mimics the behavior of other popular chat clients (starts on boot, runs on background, no need to sign