Discussion:
[whispersystems] Current WhatsApp and Signal
"Ahmad Youssef" (via whispersystems Mailing List)
2016-04-07 08:46:20 UTC
Permalink
Hi,

As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am pretty
happy of this mass encryption deployment.

From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?

Please explain clearly. To me, it looks the same IMO.

[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
/Regards/,
/Ahmad/
Michel Le Bihan
2016-04-07 08:55:37 UTC
Permalink
First of all WhatsApp is proprietary software and Signal is open source (only RedPhone is not).

Because Signal is open source, anyone can check the code...
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am pretty
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
/Regards/,
/Ahmad/
Michel Le Bihan
2016-04-07 08:57:02 UTC
Permalink
I wanted to say RedPhone server...
Post by Michel Le Bihan
First of all WhatsApp is proprietary software and Signal is open source
(only RedPhone is not).
Because Signal is open source, anyone can check the code...
Le 7 avril 2016 10:46:20 GMT+02:00, Ahmad Youssef
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am
pretty
Post by "Ahmad Youssef" (via whispersystems Mailing List)
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
/Regards/,
/Ahmad/
Johan Wevers
2016-04-07 08:59:09 UTC
Permalink
Post by Michel Le Bihan
First of all WhatsApp is proprietary software and Signal is open source
(only RedPhone is not).
Redphone is also open source, but the server is not. owever, with decent
e2e encryption that should not matter for the security.

Oh, and the WhatsApp apk can be decompiled like all Android apk's. The
resulting code is not as nice as the original but it can still be
checked if one wants to put the extra amount of time in it.
--
Met vriendelijke groet,

Johan Wevers
Michel Le Bihan
2016-04-07 09:02:42 UTC
Permalink
Post by Johan Wevers
Oh, and the WhatsApp apk can be decompiled like all Android apk's. The
resulting code is not as nice as the original but it can still be
checked if one wants to put the extra amount of time in it.

What about the .so libs?
Post by Johan Wevers
Post by Michel Le Bihan
First of all WhatsApp is proprietary software and Signal is open
source
Post by Michel Le Bihan
(only RedPhone is not).
Redphone is also open source, but the server is not. owever, with decent
e2e encryption that should not matter for the security.
Oh, and the WhatsApp apk can be decompiled like all Android apk's. The
resulting code is not as nice as the original but it can still be
checked if one wants to put the extra amount of time in it.
--
Met vriendelijke groet,
Johan Wevers
Johan Wevers
2016-04-07 09:12:17 UTC
Permalink
Post by Johan Wevers
Post by Johan Wevers
Oh, and the WhatsApp apk can be decompiled like all Android apk's. The
resulting code is not as nice as the original but it can still be
checked if one wants to put the extra amount of time in it.
What about the .so libs?
That will be more complicated, I agree. If it has to happen, there exist
still people who can read (and even some who can write) assembler code.
--
Met vriendelijke groet,

Johan Wevers
Michel Le Bihan
2016-04-07 16:12:50 UTC
Permalink
Post by Johan Wevers
Post by Johan Wevers
Post by Johan Wevers
Oh, and the WhatsApp apk can be decompiled like all Android apk's. The
resulting code is not as nice as the original but it can still be
checked if one wants to put the extra amount of time in it.
What about the .so libs?
That will be more complicated, I agree. If it has to happen, there exist
still people who can read (and even some who can write) assembler code.
A list of .so libs in the WhatsApp:
***@debian:~/Bureau/WhatsApp$ ls lib/armeabi-v7a
libcurve25519.so  libresample.so  libvlc.so  libwhatsapp.so

If you know how to check them...
#359
2016-04-07 08:56:15 UTC
Permalink
there are pluses and minuses of using any of the solutions mentioned and
everyone should decide for herself.

Signal: a very conservative policy of collecting metadata but a smaller user base.

WhatsApp: a huge userbase but you share your metadata with Facebook (a company owner) which lives from metadata. also a closed source application (only Signal libraries are open source).



- jure
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am
pretty happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
*Regards*,
*Ahmad*
Johan Wevers
2016-04-07 08:56:34 UTC
Permalink
Post by "Ahmad Youssef" (via whispersystems Mailing List)
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ?
The GUI. :-) And the privacy of your contacts and meta data. And of
course, voice messages work on WhatsApp while on Android I have to build
the source myself to get it working.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
What can stop me from switching to
WhatsApp with it's huge user base ?
Besides that, there is no need to switch, Signal and WhatsApp run
perfectly fine together on the same device. So you can keep using Signal
for contacts where metadata-privacy is (also) important and use WhatsApp
for those who don't want to install Signal with the added bonus that the
concversations are encrypted.
--
With kind regards,

Johan Wevers
#359
2016-04-07 09:16:42 UTC
Permalink
i think it's more than what Signal/WhatsApp NEEDS to send to the server.
it's what Signal/WhatsApp ACTUALLY sends to the server.

when you install Signal/WhatsApp you grant the app A LOT of permissions.
so it's important what the app actually do with all those permissions -
it's a matter of trust.

Signal is open source so you can audit/trust that it only needs e.g. the
location permission when you decide to send your location to your chat
buddy. on the other side WhatsApp is closed source so you don't know
what it's doing with your location and when. it's the same with other
permissions.

since WhatsApp is a Facebook company and Facebook is known as a privacy
hog i feel unconfortable to even install it on my phone as much as i
never use the default Facebook app.

but if you install WhatsApp (and you're comfortable with the privacy
concerns) then you maybe don't need Signal installed. security is the
same for both if you're not Ed Snowden.


- jure
Post by Johan Wevers
Post by "Ahmad Youssef" (via whispersystems Mailing List)
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ?
The GUI. :-) And the privacy of your contacts and meta data. And of
course, voice messages work on WhatsApp while on Android I have to build
the source myself to get it working.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
What can stop me from switching to
WhatsApp with it's huge user base ?
Besides that, there is no need to switch, Signal and WhatsApp run
perfectly fine together on the same device. So you can keep using Signal
for contacts where metadata-privacy is (also) important and use WhatsApp
for those who don't want to install Signal with the added bonus that the
concversations are encrypted.
--
With kind regards,
Johan Wevers
JusticeRage
2016-04-07 11:07:25 UTC
Permalink
Post by Johan Wevers
Besides that, there is no need to switch, Signal and WhatsApp run
perfectly fine together on the same device. So you can keep using Signal
for contacts where metadata-privacy is (also) important and use WhatsApp
for those who don't want to install Signal with the added bonus that the
concversations are encrypted.
Obviously, your privacy-conscious contacts may not be so grateful for
you uploading your whole address book (including their name and phone
number) to FaceBook.
#359
2016-04-07 11:11:27 UTC
Permalink
that's a tricky one! it's enough that you have a few friends that upload
their adressbooks to facebook and it's not really important anymore what
do you upload... ;)



- jure
Post by JusticeRage
Post by Johan Wevers
Besides that, there is no need to switch, Signal and WhatsApp run
perfectly fine together on the same device. So you can keep using Signal
for contacts where metadata-privacy is (also) important and use WhatsApp
for those who don't want to install Signal with the added bonus that the
concversations are encrypted.
Obviously, your privacy-conscious contacts may not be so grateful for
you uploading your whole address book (including their name and phone
number) to FaceBook.
Noir
2016-04-07 11:12:52 UTC
Permalink
Hi!

Only the content is encrypted. The metadata (who, when, where,how big)
is not. Further, WhatsApp grabs all your contacts. And don't forget:
WhatsApp === Facebook.

Cheers
Noir

Am 07.04.2016 um 10:46 schrieb Ahmad Youssef (via whispersystems Mailing
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am
pretty happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
/Regards/,
/Ahmad/
"Ahmad Youssef" (via whispersystems Mailing List)
2016-04-07 15:07:32 UTC
Permalink
Hi all,

Thank you all for your insights. From what I see, the replies have
revolved around three main points:

* Proprietary versus libre software
* WhatsApp is a Facebook company
* Meta-data collection and privacy of my contacts

All points are enough for me in a WhatsApp vs. Signal argument. However,
Post by Noir
Only the content is encrypted. The metadata (who, when, where,how big)
is not.
As far as I understood, It seems that some meta-data (if not all) are
encrypted according to WhatsApp. Here is a quote from the recent
Post by Noir
Transport Security
All communication between WhatsApp clients and WhatsApp servers is
layered within a separate encrypted channel. On Windows Phone,
iPhone, and Android, those end-to-end encryption capable clients use
Noise Pipes with Curve25519, AES-GCM, and SHA256 from the Noise
Protocol Framework for long running interactive connections.
1. Extremely fast lightweight connection setup and resume.
2. Encrypts metadata to hide it from unauthorized network
observers. No information about the connecting user’s identity is
revealed.
3. No client authentication secrets are stored on the server. Clients
authenticate themselves using a Curve25519 key pair, so the server
only stores a client’s public authentication key. If the server’s user
database is ever compromised, no private authentication credentials
will be revealed.
Hi!
Only the content is encrypted. The metadata (who, when, where,how big)
WhatsApp === Facebook.
Cheers
Noir
Am 07.04.2016 um 10:46 schrieb Ahmad Youssef (via whispersystems
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am
pretty happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
/Regards/,
/Ahmad/
--
/Regards/,
/Ahmad/
Noir
2016-04-07 15:15:26 UTC
Permalink
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Post by Noir
Only the content is encrypted. The metadata (who, when, where,how
big) is not.
As far as I understood, It seems that some meta-data (if not all) are
encrypted according to WhatsApp. Here is a quote from the recent
What I wanted to say: Metadata is not subject to E2E encryption.
Shankar Kulumani
2016-04-07 15:15:12 UTC
Permalink
I think the issue is that Whatsapp has access to the meta-data. While
everything is well-secured against outside threats Whatsapp must have
access to the meta-data in order to correctly route the message.

Signal has a similar issue but we have a promise from the developers that
the servers are written to not collect this information. Whatsapp however
has the exact opposite claim in their privacy terms.



On Thu, Apr 7, 2016 at 11:08 AM Ahmad Youssef <
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Thank you all for your insights. From what I see, the replies have
- Proprietary versus libre software
- WhatsApp is a Facebook company
- Meta-data collection and privacy of my contacts
All points are enough for me in a WhatsApp vs. Signal argument. However,
Only the content is encrypted. The metadata (who, when, where,how big) is
not.
As far as I understood, It seems that some meta-data (if not all) are
encrypted according to WhatsApp. Here is a quote from the recent *WhatsApp
Transport Security
All communication between WhatsApp clients and WhatsApp servers is layered
within a separate encrypted channel. On Windows Phone,
iPhone, and Android, those end-to-end encryption capable clients use Noise
Pipes with Curve25519, AES-GCM, and SHA256 from the Noise Protocol
Framework for long running interactive connections.
1. Extremely fast lightweight connection setup and resume.
2. Encrypts metadata to hide it from unauthorized network observers.
No information about the connecting user’s identity is revealed.
3. No client authentication secrets are stored on the server. Clients
authenticate themselves using a Curve25519 key pair, so the server only
stores a client’s public authentication key. If the server’s user database
is ever compromised, no private authentication credentials will be revealed.
Hi!
Only the content is encrypted. The metadata (who, when, where,how big) is
not. Further, WhatsApp grabs all your contacts. And don't forget: WhatsApp
=== Facebook.
Cheers
Noir
Am 07.04.2016 um 10:46 schrieb Ahmad Youssef (via whispersystems Mailing
Hi,
As you may have already seen, Integration of the Signal Protocol (formerly
Axolotl [1]) in WhatsApp is now completed [2] and I am pretty happy of this
mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to WhatsApp
with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
*Regards*,
*Ahmad*
--
*Regards*,
*Ahmad*
Stephen Michel
2016-04-07 15:29:02 UTC
Permalink
There are three other points that I am surprised nobody has brought up:

1. Signal can use an encrypted database.
2. On android, Signal can send both encrypted messages and SMS. This
means you don't have to maintain yet another app, and makes it easier
to convince others, particularly those who care less for privacy, to
switch. "Just use it as your texting app, and your messages to me and
other Signal users will happen to get encrypted."
3. Privacy from other users. When you send a Whatsapp message, one
checkmark appears when the server receives your message, a second
appears when the message is delivered, and the double check gets
colorized when the recipient reads the message. Whatsapp also shows
contacts when you are online, by default. These features make it
difficult to stay accessible for emergencies without feeling compelled
to answer all messages *immediately.*

On Thu, Apr 7, 2016 at 11:07 AM, Ahmad Youssef
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Thank you all for your insights. From what I see, the replies have
Proprietary versus libre software
WhatsApp is a Facebook company
Meta-data collection and privacy of my contacts
All points are enough for me in a WhatsApp vs. Signal argument.
Post by Noir
Only the content is encrypted. The metadata (who, when, where,how
big) is not.
As far as I understood, It seems that some meta-data (if not all) are
encrypted according to WhatsApp. Here is a quote from the recent
Post by Noir
Transport Security
All communication between WhatsApp clients and WhatsApp servers is
layered within a separate encrypted channel. On Windows Phone,
iPhone, and Android, those end-to-end encryption capable clients use
Noise Pipes with Curve25519, AES-GCM, and SHA256 from the Noise
Protocol Framework for long running interactive connections.
1. Extremely fast lightweight connection setup and resume.
2. Encrypts metadata to hide it from unauthorized network
observers. No information about the connecting user’s identity is
revealed.
3. No client authentication secrets are stored on the server. Clients
authenticate themselves using a Curve25519 key pair, so the server
only stores a client’s public authentication key. If the
server’s user database is ever compromised, no private
authentication credentials will be revealed.
Hi!
Only the content is encrypted. The metadata (who, when, where,how
big) is not. Further, WhatsApp grabs all your contacts. And don't
forget: WhatsApp === Facebook.
Cheers
Noir
Am 07.04.2016 um 10:46 schrieb Ahmad Youssef (via whispersystems
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am
pretty happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between
the current WhatsApp and Signal ? What can stop me from switching
to WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
Regards,
Ahmad
--
Regards,
Ahmad
Noir
2016-04-07 15:45:09 UTC
Permalink
Post by Stephen Michel
1. Signal can use an encrypted database.
This feature will be deprecated when Android has a better full disk
encryption and moxie doesn't change his mind.
Post by Stephen Michel
2. On android, Signal can send both encrypted messages and SMS. This
means you don't have to maintain yet another app, and makes it easier
to convince others, particularly those who care less for privacy, to
switch. "Just use it as your texting app, and your messages to me and
other Signal users will happen to get encrypted."
SMS are not encrypted anymore. And if you have to convince users for
another App it's not the SMS App but WhatsApp or similar. If you want to
convince SMS users you also must tell them to always turn the data
services and/or WLAN on to get messages and communicate with others.
Post by Stephen Michel
3. Privacy from other users. When you send a Whatsapp message, one
checkmark appears when the server receives your message, a second
appears when the message is delivered, and the double check gets
colorized when the recipient reads the message. Whatsapp also shows
contacts when you are online, by default. These features make it
difficult to stay accessible for emergencies without feeling compelled
to answer all messages *immediately.*
This features can be turned off.
Stephen Michel
2016-04-07 16:01:38 UTC
Permalink
Post by Noir
Post by Stephen Michel
1. Signal can use an encrypted database.
This feature will be deprecated when Android has a better full disk
encryption and moxie doesn't change his mind.
This feature won't be necessary when Android has better FDE. But right
now, for users who are worried about an adversary with physical access
to the phone (eg, going through customs), it's very important.
Post by Noir
Post by Stephen Michel
2. On android, Signal can send both encrypted messages and SMS. This
means you don't have to maintain yet another app, and makes it easier
to convince others, particularly those who care less for privacy, to
switch. "Just use it as your texting app, and your messages to me and
other Signal users will happen to get encrypted."
SMS are not encrypted anymore. And if you have to convince users for
another App it's not the SMS App but WhatsApp or similar. If you want to
convince SMS users you also must tell them to always turn the data
services and/or WLAN on to get messages and communicate with others.
I that was poor phrasing on my part; I did not mean to imply SMS were
encrypted.
I have never had trouble explaining that Signal-android can send
unencrypted SMS and automatically switch to encrypted Signal messages
if the other person also has Signal.
If my friend installs Signal alongside their SMS app, I am going to
send them Signal messages instead of SMS. So they will need to keep
their WLAN or data services on all the time, anyway if they want to
receive messages in real time from me and other Signal users. The same
would be true if they wanted to use Whatsapp as their primary
messenging service instead of SMS.
Signal uses very little data, though keeping data services enabled
allows other apps to use up your data, if you don't restrict background
data.
Post by Noir
Post by Stephen Michel
3. Privacy from other users. When you send a Whatsapp message, one
checkmark appears when the server receives your message, a second
appears when the message is delivered, and the double check gets
colorized when the recipient reads the message. Whatsapp also shows
contacts when you are online, by default. These features make it
difficult to stay accessible for emergencies without feeling
compelled
to answer all messages *immediately.*
This features can be turned off.
Okay, that's much less bad. If I can nitpick, though: it's still on by
default. I don't have to crawl through Signal's settings to turn off an
anti-feature.
Johan Wevers
2016-04-07 19:49:51 UTC
Permalink
Post by Stephen Michel
Okay, that's much less bad. If I can nitpick, though: it's still on by
default. I don't have to crawl through Signal's settings to turn off an
anti-feature.
For nitpick, Signal's password protaction is off by default too: you
have to go through the settings to activate it.
--
Met vriendelijke groet,

Johan Wevers
Benedikt Geißler
2016-04-07 21:43:24 UTC
Permalink
Post by Noir
Post by Stephen Michel
3. Privacy from other users. When you send a Whatsapp message, one
checkmark appears when the server receives your message, a second
appears when the message is delivered, and the double check gets
colorized when the recipient reads the message. Whatsapp also shows
contacts when you are online, by default. These features make it
difficult to stay accessible for emergencies without feeling compelled
to answer all messages *immediately.*
This features can be turned off.
That might be true but I still think that the default setting has quite an
impact: if sharing your reading and writing status is enabled by default you
have to justify yourself when you disable it.

Regards, Benedikt
Johan Wevers
2016-04-07 19:47:26 UTC
Permalink
Post by Stephen Michel
1. Signal can use an encrypted database.
Only on Android, and probably most people use a (very) weak password
because typing (without errors) on a phone keyboard is not very fast.
Post by Stephen Michel
2. On android, Signal can send both encrypted messages and SMS. This
means you don't have to maintain yet another app,
After the drop of encrypted sms, this argument has lost significant
value. Now I need an EXTRA app (SMSSecure, fork of TextSecure) to
encrypt sms messages when one of the recipients has no internet connection.
Post by Stephen Michel
3. Privacy from other users. When you send a Whatsapp message, one
checkmark appears when the server receives your message, a second
appears when the message is delivered, and the double check gets
colorized when the recipient reads the message. Whatsapp also shows
contacts when you are online, by default.
You can switch that off completely, or only for non-contacts. This used
to be quite easily hackable, I don't know if that is still the case.
--
With kind regards,

Johan Wevers
Stephen Michel
2016-04-07 21:53:54 UTC
Permalink
Post by Johan Wevers
Post by Stephen Michel
1. Signal can use an encrypted database.
Only on Android, and probably most people use a (very) weak password
because typing (without errors) on a phone keyboard is not very fast.
If this discussion is about the average user and not Snowden or
journalists, this is fair.
Post by Johan Wevers
Post by Stephen Michel
2. On android, Signal can send both encrypted messages and SMS. This
means you don't have to maintain yet another app,
After the drop of encrypted sms, this argument has lost significant
value. Now I need an EXTRA app (SMSSecure, fork of TextSecure) to
encrypt sms messages when one of the recipients has no internet connection.
This conversation started at "Why Signal instead of Whatsapp?" not "Why
Signal instead of Whatsapp or SMSSecure?" Therefore, I assume that the
relevant users are looking for an app with features that SMSSecure does
not provide, like encrypted calls, group chats, international
communications and picture messages without Data.

Some messaging apps provide additional features. If you switch from
Textra to Signal as your default app, you'll lose the ability to send
time-delayed messages, but you'll gain the ability to reduce the number
of apps you use. If you switch from SMSSecure, you'll lose the ability
to send encrypted SMS.

Some people might not be willing to give up time-delayed messages and
some might not be willing to give up encrypted SMS. For everyone else,
a unified messenger is a huge boon, and it's been a major factor in my
ability to convince friends to install Signal, because unless your
current SMS app has a feature Signal doesn't, there's really no harm in
switching. It's actually a particularly effective argument for people
who are already on Whatsapp: there's no harm in starting to use Signal,
too, and if you can get a critical mass of your friends using Signal,
everybody can drop Whatsapp. One fewer messenger!

Giovanni Testa
2016-04-07 17:09:42 UTC
Permalink
Hi all,

Now that WA (FB) has shifted the focus from single court orders (Apple
v. FBI) to a BILLION divices with e2e encrypted conversation of which
they do not have the key, don't you guys think that NSA & Co. now have a
HUGE incentive to break Signal's encryption?

I fear that they are rushing to develop software and hardware capable of
decrypt WA chats, because it's not something they can do without
anymore.

Is it possible in theory to break into it? Or is it THAT safe?

Thank you,
G.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am pretty
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
_Regards_,
_Ahmad_
Shankar Kulumani
2016-04-07 17:16:27 UTC
Permalink
Rather than trying to break the actual protocol (which is very
difficult/impossible) they would simply compromise the phone or user.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Now that WA (FB) has shifted the focus from single court orders (Apple
v. FBI) to a BILLION divices with e2e encrypted conversation of which
they do not have the key, don't you guys think that NSA & Co. now have a
HUGE incentive to break Signal's encryption?
I fear that they are rushing to develop software and hardware capable of
decrypt WA chats, because it's not something they can do without
anymore.
Is it possible in theory to break into it? Or is it THAT safe?
Thank you,
G.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am pretty
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
_Regards_,
_Ahmad_
Giovanni Testa
2016-04-07 17:23:16 UTC
Permalink
I think this solution would work best if you needed to access a single
user's conversations. It would not work if you needed to deploy mass
surveillance programs activated by trigger words.

G.
Rather than trying to break the actual protocol (which is very difficult/impossible) they would simply compromise the phone or user.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Now that WA (FB) has shifted the focus from single court orders (Apple
v. FBI) to a BILLION divices with e2e encrypted conversation of which
they do not have the key, don't you guys think that NSA & Co. now have a
HUGE incentive to break Signal's encryption?
I fear that they are rushing to develop software and hardware capable of
decrypt WA chats, because it's not something they can do without
anymore.
Is it possible in theory to break into it? Or is it THAT safe?
Thank you,
G.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am pretty
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
_Regards_,
_Ahmad_
Michel Le Bihan
2016-04-07 17:39:37 UTC
Permalink
On iOS they can force Apple to distribute modified versions of Signal-
iOS in the AppStore.
Post by Giovanni Testa
I think this solution would work best if you needed to access a
single user's conversations. It would not work if you needed to
deploy mass surveillance programs activated by trigger words.
G.
 
Post by Shankar Kulumani
Rather than trying to break the actual protocol (which is very
difficult/impossible) they would simply compromise the phone or user.
 
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Now that WA (FB) has shifted the focus from single court orders (Apple
v. FBI) to a BILLION divices with e2e encrypted conversation of which
they do not have the key, don't you guys think that NSA & Co. now have a
HUGE incentive to break Signal's encryption?
I fear that they are rushing to develop software and hardware capable of
decrypt WA chats, because it's not something they can do without
anymore.
Is it possible in theory to break into it? Or is it THAT safe?
Thank you,
G.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal
Protocol
Post by "Ahmad Youssef" (via whispersystems Mailing List)
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I
am pretty
Post by "Ahmad Youssef" (via whispersystems Mailing List)
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences
between the
Post by "Ahmad Youssef" (via whispersystems Mailing List)
current WhatsApp and Signal ? What can stop me from switching
to
Post by "Ahmad Youssef" (via whispersystems Mailing List)
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
_Regards_,
_Ahmad_
rhodey orbits
2016-04-07 17:45:19 UTC
Permalink
y'all... cmon now 🙄

keep this kinda stuff to Reddit or whatever.

-- rhodey
On Apr 7, 2016 12:40 PM, "Michel Le Bihan" <***@lebihan.pl> wrote:

On iOS they can force Apple to distribute modified versions of Signal-
iOS in the AppStore.
Post by Giovanni Testa
I think this solution would work best if you needed to access a
single user's conversations. It would not work if you needed to
deploy mass surveillance programs activated by trigger words.
G.
Post by Shankar Kulumani
Rather than trying to break the actual protocol (which is very
difficult/impossible) they would simply compromise the phone or user.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Now that WA (FB) has shifted the focus from single court orders (Apple
v. FBI) to a BILLION divices with e2e encrypted conversation of which
they do not have the key, don't you guys think that NSA & Co. now have a
HUGE incentive to break Signal's encryption?
I fear that they are rushing to develop software and hardware capable of
decrypt WA chats, because it's not something they can do without
anymore.
Is it possible in theory to break into it? Or is it THAT safe?
Thank you,
G.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal
Protocol
Post by "Ahmad Youssef" (via whispersystems Mailing List)
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I
am pretty
Post by "Ahmad Youssef" (via whispersystems Mailing List)
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences
between the
Post by "Ahmad Youssef" (via whispersystems Mailing List)
current WhatsApp and Signal ? What can stop me from switching
to
Post by "Ahmad Youssef" (via whispersystems Mailing List)
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
_Regards_,
_Ahmad_
Shankar Kulumani
2016-04-07 17:45:20 UTC
Permalink
Do you have more information on how that would work? I always assumed the
code is signed by the developer and then sent to the respective app store.
The app on the phone (assuming an update) then checks to make sure that the
next version has not been modified.
Post by Michel Le Bihan
On iOS they can force Apple to distribute modified versions of Signal-
iOS in the AppStore.
Post by Giovanni Testa
I think this solution would work best if you needed to access a
single user's conversations. It would not work if you needed to
deploy mass surveillance programs activated by trigger words.
G.
Post by Shankar Kulumani
Rather than trying to break the actual protocol (which is very
difficult/impossible) they would simply compromise the phone or user.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Now that WA (FB) has shifted the focus from single court orders (Apple
v. FBI) to a BILLION divices with e2e encrypted conversation of which
they do not have the key, don't you guys think that NSA & Co. now have a
HUGE incentive to break Signal's encryption?
I fear that they are rushing to develop software and hardware capable of
decrypt WA chats, because it's not something they can do without
anymore.
Is it possible in theory to break into it? Or is it THAT safe?
Thank you,
G.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal
Protocol
Post by "Ahmad Youssef" (via whispersystems Mailing List)
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I
am pretty
Post by "Ahmad Youssef" (via whispersystems Mailing List)
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences
between the
Post by "Ahmad Youssef" (via whispersystems Mailing List)
current WhatsApp and Signal ? What can stop me from switching
to
Post by "Ahmad Youssef" (via whispersystems Mailing List)
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
_Regards_,
_Ahmad_
Michel Le Bihan
2016-04-07 17:55:31 UTC
Permalink
https://whispersystems.discoursehosting.net/t/rsa-panel-with-moxie/192/7
Post by Shankar Kulumani
Do you have more information on how that would work? I always assumed the
code is signed by the developer and then sent to the respective app store.
The app on the phone (assuming an update) then checks to make sure that the
next version has not been modified.
Post by Michel Le Bihan
On iOS they can force Apple to distribute modified versions of
Signal-
Post by Michel Le Bihan
iOS in the AppStore.
Post by Giovanni Testa
I think this solution would work best if you needed to access a
single user's conversations. It would not work if you needed to
deploy mass surveillance programs activated by trigger words.
G.
Post by Shankar Kulumani
Rather than trying to break the actual protocol (which is very
difficult/impossible) they would simply compromise the phone or user.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Now that WA (FB) has shifted the focus from single court orders (Apple
v. FBI) to a BILLION divices with e2e encrypted conversation of which
they do not have the key, don't you guys think that NSA & Co.
now
Post by Michel Le Bihan
Post by Giovanni Testa
Post by Shankar Kulumani
Post by "Ahmad Youssef" (via whispersystems Mailing List)
have a
HUGE incentive to break Signal's encryption?
I fear that they are rushing to develop software and hardware capable of
decrypt WA chats, because it's not something they can do
without
Post by Michel Le Bihan
Post by Giovanni Testa
Post by Shankar Kulumani
Post by "Ahmad Youssef" (via whispersystems Mailing List)
anymore.
Is it possible in theory to break into it? Or is it THAT safe?
Thank you,
G.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal
Protocol
Post by "Ahmad Youssef" (via whispersystems Mailing List)
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I
am pretty
Post by "Ahmad Youssef" (via whispersystems Mailing List)
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences
between the
Post by "Ahmad Youssef" (via whispersystems Mailing List)
current WhatsApp and Signal ? What can stop me from switching
to
Post by "Ahmad Youssef" (via whispersystems Mailing List)
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
_Regards_,
_Ahmad_
Johan Wevers
2016-04-07 20:01:05 UTC
Permalink
Post by Michel Le Bihan
On iOS they can force Apple to distribute modified versions of Signal-
iOS in the AppStore.
On Android they could try it too, because both Google and Whyspersystems
are US companies. They could try to use the same law they used against
Apple to force Moxie to sign a weakened version.

Fortunately I build from source.
--
Met vriendelijke groet,

Johan Wevers
Stephen Michel
2016-04-07 17:47:20 UTC
Permalink
You can watch Moxie explain the protocol here:


Also, I second Rhodey. The way this conversation has moved, it would be
better on the unofficial forums:
https://whispersystems.discoursehosting.net/
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Now that WA (FB) has shifted the focus from single court orders
(Apple v. FBI) to a BILLION divices with e2e encrypted conversation
of which they do not have the key, don't you guys think that NSA &
Co. now have a HUGE incentive to break Signal's encryption?
I fear that they are rushing to develop software and hardware capable
of decrypt WA chats, because it's not something they can do without
anymore.
Is it possible in theory to break into it? Or is it THAT safe?
Thank you,
G.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am
pretty happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between the
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
_Regards_,
_Ahmad_
Johan Wevers
2016-04-07 19:58:32 UTC
Permalink
Post by Giovanni Testa
Is it possible in theory to break into it? Or is it THAT safe?
The currently public key algorithm (elleptic curve) is vulnerable to a
functional quantum computer. If such a device is ever built it would be
required to switch to a quantum-computer resistant algorithm. See
https://en.wikipedia.org/wiki/Post-quantum_cryptography for an introduction.

Those algorithms are not as well tested as the ones currently in use,
and have often some disadvantages (for example, most require a very
large key to be safe against conventional brute force attacks).

Further, one could always attack the weakest point in the chain with a
cheap $5 wrench: http://xkcd.com/538/ .
--
Met vriendelijke groet,

Johan Wevers
Michel Le Bihan
2016-04-07 17:36:31 UTC
Permalink
-------- Message d'origine --------
De : Michel Le Bihan <***@lebihan.pl>
Envoyé : 7 avril 2016 19:35:37 GMT+02:00
À : Giovanni Testa <***@avvnet.it>
Objet : Re: [whispersystems] Current WhatsApp and Signal

On iOS they can force Apple to distribute modified versions of Signal-iOS in the AppStore.
Post by Giovanni Testa
I think this solution would work best if you needed to access a single
user's conversations. It would not work if you needed to deploy mass
surveillance programs activated by trigger words.
G.
Post by Shankar Kulumani
Rather than trying to break the actual protocol (which is very
difficult/impossible) they would simply compromise the phone or user.
Post by Shankar Kulumani
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi all,
Now that WA (FB) has shifted the focus from single court orders
(Apple
Post by Shankar Kulumani
Post by "Ahmad Youssef" (via whispersystems Mailing List)
v. FBI) to a BILLION divices with e2e encrypted conversation of
which
Post by Shankar Kulumani
Post by "Ahmad Youssef" (via whispersystems Mailing List)
they do not have the key, don't you guys think that NSA & Co. now
have a
Post by Shankar Kulumani
Post by "Ahmad Youssef" (via whispersystems Mailing List)
HUGE incentive to break Signal's encryption?
I fear that they are rushing to develop software and hardware
capable of
Post by Shankar Kulumani
Post by "Ahmad Youssef" (via whispersystems Mailing List)
decrypt WA chats, because it's not something they can do without
anymore.
Is it possible in theory to break into it? Or is it THAT safe?
Thank you,
G.
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Hi,
As you may have already seen, Integration of the Signal Protocol
(formerly Axolotl [1]) in WhatsApp is now completed [2] and I am
pretty
Post by Shankar Kulumani
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Post by "Ahmad Youssef" (via whispersystems Mailing List)
happy of this mass encryption deployment.
From a Signal user perspective, what are the differences between
the
Post by Shankar Kulumani
Post by "Ahmad Youssef" (via whispersystems Mailing List)
Post by "Ahmad Youssef" (via whispersystems Mailing List)
current WhatsApp and Signal ? What can stop me from switching to
WhatsApp with it's huge user base ?
Please explain clearly. To me, it looks the same IMO.
[1]: https://whispersystems.org/blog/signal-inside-and-out/
[2]: https://whispersystems.org/blog/whatsapp-complete/
--
_Regards_,
_Ahmad_
Loading...