The description of the WhatsApp messenger states that it works on the principle of end-to-end encryption. This feature is considered one of the main advantages of the program. But not all users understand what is behind such a name. For many people, the logical question will be: “What is WhatsApp end-to-end encryption?”
Peculiarities
In classic messengers, the following scheme of correspondence between users is as follows: a message is sent from the first device to the developer’s server, and from there it is delivered to the recipient. IN modern applications, which refers to WhatsApp, it has been slightly modified.
Now the message is encrypted on the smartphone before it is sent. It comes to the server not in the form of typed text, but in the form of symbols that are chaotic to humans. From there, the message is redirected to the recipient’s smartphone or tablet, where it is decrypted. An encryption key is a sequence of characters that defines the “alphabet” of the cipher. This is some form of alphabet. But in the case of WhatsApp, the key is unique for each device. More precisely, there are two of them: the first is responsible for converting text when sending, the second - when receiving.
It is possible to hack such a system only if you know this WhatsApp encryption key. And it is recorded directly on the user’s device. This is modern protection in the messenger.
Setting up end-to-end encryption
WhatsApp developers do not provide for disabling end-to-end encryption. This is even mentioned on the official website of the application. This decision is quite logical, because the safety and security of personal information has always been important to users. And if you deactivate this function, then the security will go away.
However, it is worth mentioning that not everything is so categorical. If you are looking for how to remove end-to-end encryption in WhatsApp, then there is such a way. It is enough to install the old version of WhatsApp on your smartphone or tablet, where this function was absent.
But in this case, no one can guarantee that strangers will not get into your correspondence. Please note that to install older versions of the program, you will need to disable protection on your mobile device.
In the case of Android, everything is simple, just activate the “Install from unknown sources” mode in the developer settings menu. But for iOS you will need a jailbreak - a hacking option - which can lead to damage to your iPhone or iPad.
Attention: on official page WhatsApp is missing a section where you can find old versions. This means that you will have to download the application from third-party resources that may contain viruses.
WhatsApp recently updated its encryption protocol to reassure even the most paranoid users. The so-called end-to-end encryption protocol promises that "only you and the person you're communicating with can read what's sent." No one, not even WhatsApp, has access to your content.
The security protocol is described in the blog:
When you send a message, the only person who can read it is the personal or group chat you send the message to. Nobody sees this message. Not cybercriminals. Not hackers. Not repressive bodies. Even us. End-to-end encryption helps make communication via WhatsApp private - sort of like face-to-face conversations.
The new feature is also available on a wide range of mobile platforms, including iPhone, Android, Windows and many more. You can even use the end-to-end encryption feature on WhatsApp Web, a messaging platform designed for PC or Mac.
Additionally, WhatsApp says in its FAQ that the feature is always enabled:
Important: end-to-end encryption is activated if all parties are using the latest whatsapp version. End-to-end encryption cannot be disabled.
Upgrade to end-to-end encryption
However, you will need to ensure that encryption is enabled. To do this: update WhatsApp to latest version and ask the person or group you are communicating with to do the same. No need for additional application or functions.
To make sure the feature is updated, start a chat and click on your friend or family members' name at the top. You'll then be taken to your contact information page, which will display whether your messages will be encrypted, as you can see in the highlighted portion in the image below.
If the chat is not encrypted, click on encryption to view a QR code and a unique 60-digit number. WhatsApp says the unique "key" is shared only between message recipients, with each key unique to each chat.
You can then share the numbers or code with friends or family. If your friend or family members are nearby, you're in luck. You can scan each other's code to make sure your chats are activated. If they are far away, send them a 60-digit code with via SMS, Email etc. Via button sharing on your iPhone, Android or Windows phone.
That's it, your chats are now encrypted.
WhatsApp still stores your data
Be careful. According to WhatsApp legal, date and time information is stored on WhatsApp servers for a short period of time:
WhatsApp can store date and time information associated with successfully delivered messages and numbers mobile phones involved in messages, as well as any other information that WhatsApp is legally forced to collect. Files that are sent through the WhatsApp service will reside on our servers for a short period of time after delivery, but will be deleted and stripped of any identifiable information for a short period of time in accordance with our publicly available retention policies.
This means that your metadata or information about your data is potentially vulnerable to hackers - this is one of the problems that makes users worry.
What does it mean? This means that information - such as when the image was taken, when it was taken, etc. - may be stored on WhatsApp servers for a short period of time. And while the image itself is likely not present, information about the image, document, video, etc. remains.
Additionally, your metadata can also be shared with marketing teams, in line with another recent update that allows the chat app to "communicate with businesses and organizations." This bit of information was made when the app was announced as free for all users in the world.
WhatsApp announced with the update that there will be no third-party ads or spam, but the vague phrase "communication with businesses and organizations" still leaves the gates of interpretation open.
In particular, changes have been made. And most users seem to be very happy with the update, which promises to protect your information.
Is there any cause for concern?
Previously, a Dutch developer discovered that the app's timeline information was available using software called WhatSpy Public, which can apparently "show a timeline of the online status of the user being tracked."
Software designer Maikel Zwerink has caused a lot of concern by proving that he can "spy" on users with his application.
It remains to be seen whether the app can track users with the latest end-to-end encryption update. But users should be warned: the encryption is not completely secure.
What do you think of it? You are using WhatsApp? Are you concerned about data security while using the application? Do you update the application regularly? Let us know in the comments below.
End-to-end encryption (E2EE) is considered a panacea for persistent attempts by hackers and law enforcement agencies to access online communications. The meaning of E2EE often comes down to the fact that the keys are stored only on the devices of the interlocutors and do not go to the server... but this is not entirely true. Let's see how things really stand with E2EE, using the example of popular instant messengers.
Encryption in messengers
I was prompted to write this article by research Obstacles to the Adoption of Secure Communication Tools (PDF). As its authors found, “the vast majority of survey participants do not understand the basic concept of end-to-end encryption.” Simply put, people usually choose a messenger with their heart, not their brain.
Let's start with the fact that E2EE has its own characteristics in each messenger. In Signal it is almost exemplary. WhatsApp is formally the same as Signal, except for one very important moment: Changing a WhatsApp subscriber's primary key does not block sending messages to him. At most, you can enable a useless notification (which is disabled in the default settings). In Viber, end-to-end encryption is inactive by default, and it only appeared in the sixth version. In Telegram, E2EE is also used only in secret chats, and they are implemented rather strangely.
The conflict between Roskomnadzor and Telegram generally created excellent advertising for the latter. Ordinary users now consider Durov’s creation a real thorn in the back of the intelligence services (or a little lower than it), which cannot do anything with a bulletproof innovative service. Fans of Telegram compare it with Signal and claim the superiority of the first.
However, there are no miracles in cryptography, and especially in applied cryptography. Many mathematically beautiful ideas turn out to be hopelessly spoiled by implementation, when convenience and controllability are put above security and privacy (and this happens almost always).
Initially, messengers used the OTR (Off-the-Record) protocol. It uses AES symmetric encryption in CTR mode, DH key exchange protocol and SHA-1 hash function. The AES-CTR scheme provides so-called “debatable” (in a good way) encryption and the ability to deny the authorship of the text if it is intercepted. You can always argue that the interceptor of the traffic himself changed the ciphertext so that it corresponds to another decryption option of the same length. For example, instead of “go buy bread” it turned out to be “poison the queen” - this is technically possible, and this property is specially built into the algorithm.
The OTR protocol authenticates interlocutors and encrypts correspondence between them. It is secure as long as the participants in the conversation regularly check each other's public key fingerprints and resist attacks from other vectors (including social engineering).
The main disadvantage of OTR is that after sending a new key you need to wait for confirmation from the interlocutor. If he is offline, then communication will be temporarily impossible. One solution was the Double Ratchet (DR) algorithm, developed five years ago by Trevor Perrin and Moxie Marlinspike at Open Whisper Systems. Today, DR is used in Signal, WhatsApp, Viber and many other instant messengers that support end-to-end encryption by default or as a separate option (secret chats).
End-to-end encryption
The E2EE scheme uses a combination of open and open cryptographic systems. private key. It is obvious in general terms and quite complex at the level of detail. It uses a lot of interconnected keys, some of which necessarily end up on the server and, moreover, are necessarily loaded onto it before the start of correspondence, so that it can be started at any moment. Let's take a closer look at it.
You probably know the beginning of the scheme, since it is standard for all asymmetric encryption systems - a pair of keys is generated. This is necessary because single-key cryptosystems (like AES) are too difficult to use in correspondence in their pure form. They would have to somehow organize a secure channel for transferring the key (for example, meet in person), and then do it again every time it is changed.
Everything is just like in the usual PGP: there are two interlocutors (Alice and Bob), each of whom generates their own pair of keys. They then exchange public keys, keeping their paired secret keys secret. Public keys are transmitted over an open channel (that’s why they are public, let them be intercepted for good measure) and serve two purposes: they allow you to encrypt a message and verify its signature. Accordingly, secret keys are used for decryption and signature generation.
INFO
The term "message" is used here in a broad sense. A message can be text, a media file, or service metadata that the messenger exchanges with the server. Some of this data contains timestamps, client application state, and new keys.
Unfortunately, the pure asymmetric encryption scheme is also not suitable for instant messengers, since these services are focused on intensive online correspondence in the form of a chain of short messages. They must be displayed in a strictly defined order, and the interlocutor can be offline at any time and disrupt the structure of the dialogue.
Moreover, encrypting many short messages with one key is a bad idea. In just one day of correspondence, hundreds (if not thousands) of them are created. In many messages, the amount of ciphertext is minimal and predictable (smiley, sticker). They also have standard headers that make cryptanalysis easier.
The peculiarity of correspondence in instant messengers is that, due to typical metadata, an attacker can intercept a large volume of predictable ciphertext in a short time. The lion's share of it will correspond to the known plaintext. If it is encrypted with one key, then in the event of a successful attack, all previously written messages and even those that the interlocutors will write in the future will be compromised.
To prevent this from happening, messengers provide such properties as forward and reverse secrecy. They imply the inability to read messages sent previously and written in the future, having only the current encryption key in hand. For this, multilayer encryption is used with the transition from asymmetric to symmetric cryptography and additional keys with different lifetimes.
Many of you have noticed that after the WhatsApp update, a notification about encryption protection appeared in some chats:
Messages you send to this chat and calls are now protected by encryption. To learn more.
We invite you to consider this topic in more detail. Messenger has enabled encryption of calls, messages, photos, videos and any other information by default for all its users, i.e. your entire personal life will now be inaccessible to eavesdropping or hacking by hackers, authorities, and even employees of WhatsApp itself.
How to enable WhatsApp encryption on iPhone
Encryption is already enabled by default for all users and does not require separate activation, but if you want to check whether all my messages in a certain chat are encrypted, do the following:
How to activate WhatsApp encryption on Android
Encryption is enabled by default, but to be sure, do the following:
If in a chat you see the message “The messages you send to this chat are not encrypted,” then most likely your interlocutor old version application and needs to install the latest update.
Many of you have noticed that after the WhatsApp update, a notification about encryption protection appeared in some chats:
Messages you send to this chat and calls are now protected by encryption. To learn more.
We invite you to consider this topic in more detail. Messenger has enabled encryption of calls, messages, photos, videos and any other information by default for all its users, i.e. your entire personal life will now be inaccessible to eavesdropping or hacking by hackers, authorities, and even employees of WhatsApp itself.
How to enable WhatsApp encryption on iPhone
Encryption is already enabled by default for all users and does not require separate activation, but if you want to check whether all my messages in a certain chat are encrypted, do the following:
How to activate WhatsApp encryption on Android
Encryption is enabled by default, but to be sure, do the following:
If in a chat you see the message “The messages you send to this chat are not encrypted,” then most likely the person you are talking to has an old version of the application and needs to install the latest update.