Month: October 2013
And it happens again to WhatsApp, being further embarrassed by researchers showing that they do not know how to implement encryption correctly. Recently Help-Net Security published an article about a Dutch Computer Science and Mathematics student (Thijs Alkemade) at Utrecht University has discovered how WhatsApp encrypts and authenticats its messages.
we know that not only does WhatsApp use the same (RC4) encryption key for the messages in both directions, but also the same HMAC key to authenticate messages.
The main problem being:
“But a MAC by itself is not enough to detect all forms of tampering: an attacker could drop specific messages, swap them or even transmit them back to the sender,”
But also points out that there is a simple solution which is using TLS. So in conclusion
- All WhatsApp users are still not safe
- Your messages can be sniffed out
- Your message can be decrypted
- Your only protection is to stop using WhatsApp
- Wait for WhatsApp to learn how Encryption works so they can implement it correctly
I’ll end this post with a quote from Thijs Alkemade:
“solution that has been reviewed, updated and fixed for more than 15 years, like TLS.”
Having worked software development in a bank before I know how important it is to work with proper data structures and enumerations.
I had a program I needed to write where I had to utilize ISO country codes and there was a lot of interoperability work that needed to be done. So I tried looking for some basic library that had the standard ISO-3166 country codes. Couldn’t find any. I really just needed something I could look up a country code quickly and get its description. Like saving “SLV” or “222” as a key in a database for El Salvador’s currency. Then I can retrieve it and do a look up on a table to get the country name. Or even vice-versa.