[ad_1]
Facebook’s WhatsApp said on Friday that users will soon be able to store end-to-end (E2E) encrypted backups of their chat history on Google Drive on Android or Apple iCloud on iOS, with an option to automatically manage the encryption key.
This move makes the message privacy enforced by encryption – usually quite complicated – more viable for customer-facing messaging services, if you take for granted the technical integrity of WhatsApp’s encryption and the company’s claims regarding its practices. confidentiality.
“We’re adding another layer of privacy and security to WhatsApp: an end-to-end encryption option for the backups people choose to store in Google Drive or iCloud,” Facebook supremo Mark Zuckerberg said in a missive on its platform.
“WhatsApp is the first global messaging service of this scale to offer end-to-end encrypted messaging and backups, and achieving this was a very difficult technical challenge that required an entirely new framework for key storage and cloud storage. on all operating systems. “
WhatsApp, which has two billion users who send more than 100 billion messages a day, has beaten Apple in the market, if speculation about its intention to offer encrypted iCloud backups turns out to be true.
Apple recently announced plans to scan iCloud-related photos on customer devices, a move so contrary to the company’s privacy marketing that security experts have tried to explain the company’s self-harm. by suggesting that intrusive technology could represent a way to appease law enforcement. objections to the iCloud encryption offer. Apple, however, backtracked from its CSAM analysis plan after advocacy groups and the tech community criticized the privacy compromise.
WhatsApp’s encryption extension to cloud backups follows a recent report by ProPublica that attacked the integrity of WhatsApp’s encryption and its sharing of message metadata, only to clarify later that the app’s mechanism for reporting abuse does not break the app’s end-to-end encryption.
WhatsApp has applied E2E encryption to all messages, calls, video chats, and media since 2016. At that time, it also provided encryption for iCloud backups. But the key generation method used would have been susceptible to an impersonation technique whereby an attacker could obtain the key using a SIM card with the name number as the device of the WhatsApp user.
The FBI investigation into former Trump campaign chairman Paul Manafort (convicted in 2018, convicted in 2019, then pardoned in 2020) offers a lesson on the need for encrypted backups but also on their limits.
A court document [PDF] filed in connection with this case indicates that the FBI obtained some of Manafort’s WhatApp messages from Apple’s iCloud, where they had presumably been saved without encryption. But the document also says investigators obtained other messages from those who received them, rendering E2E encryption irrelevant.
The devil is in the details
WhatsApp’s current approach, described in a technical document [PDF], appears more secure, although just as vulnerable to exposure by those on the other end of the communication channel.
“The backups themselves are generated on the client as data files that are encrypted using symmetric encryption with the locally generated key,” explains the WhatsApp document.
“Once a backup is encrypted, it is stored in third-party storage (eg iCloud or Google Drive). Since the backups are encrypted with a key unknown to Google or Apple, the cloud provider is unable to read them. “
WhatsApp will offer two key management options. One involves a user-supplied password – unknown to WhatsApp or third-party backup services – which retrieves the user’s actual encryption key from a backup key vault based on a backup module. hardware security (HSM) in a WhatsApp data center.
The other ignores the password and asks the user to provide a 64-digit encryption key, without the intervention of the HSM Backup Key Vault, to access the encrypted backups. Typically, that means writing the key down on a piece of paper and storing it, or giving it to a password manager app, unless you’re particularly good at remembering dozens of digits.
Will Cathcart, Head of WhatsApp at Facebook, acknowledged that not everyone supported a wider use of encryption, but supported it nonetheless.
“Some governments continue to suggest using their powers to force companies to offer weaker security,” he said, via Twitter. “We think it’s backwards: we should demand more security from companies for people’s sensitive information, not less.”
We could also consider storing less data. The best security for message backups is not having them if you don’t really need them. ®
[ad_2]
Source link