Earlier this week, WhatsApp enabled end-to-end encryption for all messages, photos, video, everything you send. It’s been reported over and over so many times, like TheVerge, Wired, and even BBC. Suddenly, it seems like we have this super cool channel for secret communications that no one can eavesdrop. But wait, it’s not all that secure just yet.
No one seems to be reporting this much. Not even WhatsApp’s own blog post. Your WhatsApp communication can’t yet be all that secure because, you know what, you can’t actually be sure you’re chatting with the party you think you are chatting with. Not until you do one more thing.
You need to verify the security code of your contacts.
You have to do that with everyone that you chat with.
Otherwise, how do you know you’re actually talking to the person that you think you’re talking to? Or more accurately, that your messages are being sent to the actual phone/device that you thought you were sending to?
Folks familiar with computer security will understand this as the man-in-the-middle attack. While WhatsApp end-to-end encryption is technically sound (I assume), it doesn’t actually take care of identifying parties in the communication. So if you thought you were talking to your best friend John, it’s entirely possible that the NSA, FBI, or whichever agency you hate or that wants to go after you, is actually whom you’re sending the messages to.. They then relay the messages to the real John, and whatever John sends back, they simply forward to you. Yup. That’s the gist of the man-in-the-middle attack.
Here’s what you need to do to verify you’re truly communicating with the legit person.
- Go into your chat, open the menu.
- Tap on “View contact”.
- Tap on “Encryption”.
- Your contact needs to do the same thing. Both of you should be seeing the exact same set of codes. WhatsApp can help verify the codes by scanning the QR-code displayed on the phone.
Oh yes, that means you probably should be doing this in-person, or at least be able to communicate the code comparison securely in such manner that you don’t fall into another man-in-the-middle attack.
Looks like we need to all organise a party or get-together with all our contacts to verify security codes. Like, you know, they used to have PGP key signing parties.
So much talk about end-to-end encryption, but we’re forgetting that identities themselves have not been verified.
You should know that those security codes might change if your contact reinstalls WhatsApp on their device, or moves to a new device, etc. WhatsApp does warn you if your contact’s security code changes. You should watch out for that. Otherwise, it could well be, ahem, a man-in-the-middle attack taking place.
Good security isn’t easy.
If you’re interested, WhatsApp has published their security white paper that explains the technical details of their end-to-end encryption.