Users running the most recent versions of WhatsApp on any platform now get full end to end encryption for every message they send and every WhatsApp call they make when communicating with each other.
Once a client recognizes a contact as being fully e2e capable, it will not permit transmitting plaintext to that contact, even if that contact were to downgrade to a version of the software that is not fully e2e capable. This prevents the server or a network attacker from being able to perform a downgrade attack.
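An added illustration of the one-way capability pin described in the quote above (example code written here, not WhatsApp's implementation; the contact name, the `ContactPolicy` store and the event sequence are constructed):

```python
from dataclasses import dataclass, field
from typing import Dict, List


class DowngradeRefused(Exception):
    """Raised when a contact previously seen as e2e-capable now appears not to be."""


@dataclass
class ContactPolicy:
    # Hypothetical client-side store: contact id -> whether e2e was ever observed.
    pinned_e2e: Dict[str, bool] = field(default_factory=dict)

    def observe(self, contact: str, advertises_e2e: bool) -> None:
        """Record the capability advertised for a contact (by the contact or by the
        server on its behalf). The pin moves one way only: once True, never False."""
        if advertises_e2e:
            self.pinned_e2e[contact] = True
        else:
            self.pinned_e2e.setdefault(contact, False)

    def choose_transport(self, contact: str, advertises_e2e: bool) -> str:
        """Return 'e2e' or 'plaintext' for the next message, or raise DowngradeRefused
        when sending plaintext would be a downgrade for a pinned contact."""
        self.observe(contact, advertises_e2e)
        if self.pinned_e2e.get(contact):
            if not advertises_e2e:
                raise DowngradeRefused(f"{contact} was e2e-capable; refusing plaintext")
            return "e2e"
        return "plaintext"


def run_scenario() -> List[str]:
    """Constructed sequence: the contact starts on a legacy client, upgrades, then the
    server (or a network attacker) claims the contact is legacy again, then e2e again."""
    policy = ContactPolicy()
    outcomes = []
    for advertises in (False, True, False, True):
        try:
            outcomes.append(policy.choose_transport("alice", advertises))
        except DowngradeRefused:
            outcomes.append("refused")
    return outcomes


if __name__ == "__main__":
    print(run_scenario())  # ['plaintext', 'e2e', 'refused', 'e2e']
```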
I’m curious to see how this goes over, given that it’s trading convenience for security, and that tends to be a hard sell.
The upside is that downgrading mobile software is an extremely painful operation, IME, and almost no users know how to do it.
Curious to see how other chat networks (Facebook’s Messenger, Skype, etc.) will react to this.
Based off of their previous reactions to similar events, not at all?
Zing! But seriously, I expect other services to start using (stronger) encryption in light of this and the Apple thing.
The problem is a) how does a user verify this without trusting an icon on the screen rendered by the app itself, and b) how do we verify that all data is being sent encrypted at all times?
I think the only way to do this is via rules enforced by the OS. Something like: the OS manages the certificates, and the app is only allowed to connect via a special OS-specific “encrypted communication API” that manages the certificates and connection. If you want end-to-end encryption, the only good way to swap keys is offline/in person, not via the internet, which is another hurdle.
The other question is how can we trust the OS? For closed source OSs I’d say we can’t.
None of those are good reasons not to celebrate a significant improvement in practical/applied security for half a billion people.