feeding my own misguided insanity

Crypto Wars and Messaging: How Secure are Skype and WhatsApp?

September 25, 2015 Shem Radzikowski 14 Comments

Last year I updated my PGP public encryption key to 4096 bits since it now looks as though it may be possible to crack a 1024 bit key within my lifetime.  Not that I have many secretes, but those that I do, I intend to keep out of prying eyes.  And unless quantum computers start to enter the arena, 4096 should be enough to see me through to the grave.

Governments and Crypto

I’ve been pushing encryption and secure communication for as long as I can remember.  And I’m not talking about the crippled or back-doored varieties being flogged as secure-enough for the average schmo — all in the “interest of national security.  This news is almost two years old and I take my hat off to Mr Snowden for leaking the documents which alerted the wider public to the collusion between the National Security Agency (NSA) and RSA[1].

Of course, RSA was quick to respond to the accusations by stating that it “always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products.” Nevertheless, the weaknesses in the crypto propagated throughout many of its product lines without so much as a word at the time.  There are two scenarios here, either RSA collaborated and introduced the weaknesses, or they were incompetent and oblivious to what was happening under their very noses.

Thankfully, the recent disclosures have led to at least some change.  The National Institute of Standards and Technology (NIST), the government agency in charge of one of the cryptographic standards the NSA has alleged to have secretly weakened, has reopened public comment on its standard and has even gone as far as to recommend people do not use it anymore.

Crypto Wars

But it’s too little, too late.  It simply goes to show that we, as consumers of encryption technologies, can’t take for granted the security of algorithms which may have been fudged to enable the likes of the NSA or GCHQ[2] the ability to eavesdrop on our communications.

An old security adage goes something like this:

A young spy will try to break the encryption; An old spy will steal the keys.

We are in the midst of some pretty hefty Crypto Wars.  Government against government, corporation against corporation, East against West. On the one side we have paranoid, overzealous government regimes supported by their crony corporations, and on the other, private citizens and underfunded pro-privacy organizations such as the Electronic Frontier Foundation (EFF).

Are Skype and WhatsApp Secure?

Ubiquitous applications like Skype and WhatsApp have crossed over and are now under large corporate control — Skype owned by Microsoft[3] and WhatsApp by Facebook[4].  Every time a small company is bought by a larger fish, I find that we are slowly being herded towards products which may herald end-to-end security but will ultimately never deliver on that promise.  Underneath the thin security veneer hides a quagmire of red tape skewed against anyone trying to hold onto their rights to privacy.

Update 5 April 2016: Whisper Systems and WhatsApp announced that they have completed integrating the Whisper’s Signal protocol into WhatsApp software, giving WhatsApp full end-to-end encryption for text and voice.  This is great news for privacy and security.

If you ever took the time to read the small print, you’d realize that most organizations can and will hand over your chat history, audio/video calls and fried lists if compelled to do so by a court order.  And in a time when human rights and liberties are being eroded by police states, it is difficult to believe that any such court order was obtained by due process of law.

The excerpt below was taken on the 25th September 2015 from the Microsoft website regarding Skype’s Privacy Policy.  Oddly enough, it was filed under “Partner Companies.

Microsoft may access, disclose and preserve your data (including your private content, such as the content of your instant messages, stored video messages, voicemails or file transfers) to provide the service or to assist its local partner or the local operator facilitating your communication to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.

So, are Skype and WhatsApp secure? Yes and no.  They are secure from people who do not have access to the underlying encryption keys, like your family, neighbours and friends.  It stands to reason that if you’re only talking to the likes of your granny about her favourite cake recipe, I think you’re safe.

But if you’re trying to hide something from big brother, the recommendation is that you do NOT rely on these technologies alone.  I’m not advocating one software over another, I leave it to you to make up your own mind.

There are plenty of alternatives which have risen to prominence.  Telegram seems to have a solid security-focused mission statement, but there has been some recent criticism about Telegram’s protocol and their Crypto Challenge.[5] Time will tell.

For something with Mr Snowden’s endorsement, check out Open Whisper Systems, which develops Signal (for iPhone) and TextSecure (for Android).

Conclusion

Going back to the RSA crypto fiasco, even before these revelations hit the press, it was universally understood that vendor-controlled cryptos were subject to government legislation and secret backroom agreements.  As a result, it is next to impossible to tell whether private keys have been exchanged with big brother and to what extent information sharing is occurring.  It’s also important to note that I’m not just talking about governments with overt human rights violations.

“Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men.”

— Lord Acton

Don’t be fooled.  Your communications are neither protected nor anonymous.  It is up to you to start taking control of your privacy by educating yourself and those you care about.

Footnotes
  1. RSA Security LLC, formerly RSA Security, Inc. and doing business as RSA, is an American computer and network security company. RSA was named after the initials of its co-founders, Ron Rivest, Adi Shamir and Len Adleman, after whom the RSA public key cryptography algorithm was also named. ^
  2. The Government Communications Headquarters (GCHQ) is a British intelligence and security organisation responsible for providing signals intelligence (SIGINT) and information assurance to the British government and armed forces. ^
  3. In May 2011, when Microsoft announced its planned purchase of Skype for $8.5bn ^
  4. Facebook acquired mobile-messaging application WhatsApp Inc. for $22 billion — a startup that generated $10.2 million in revenue in 2013. ^
  5. Telegram is a messaging app with a focus on speed and security, it’s super fast, simple and free. You can use Telegram on all your devices at the same time — your messages sync seamlessly across any number of your phones, tablets or computers. ^

Bibliography

1.
After NSA Backdoors, Security Experts Leave RSA for a Conference They Can Trust [Internet]. Electronic Frontier Foundation. [cited 2015 Sep 25]. Available from: https://www.eff.org/deeplinks/2014/01/after-nsa-backdoors-security-experts-leave-rsa-conference-they-can-trust
2.
An Open Letter to the Chiefs of EMC and RSA – F-Secure Weblog: News from the Lab [Internet]. [cited 2015 Sep 25]. Available from: https://www.f-secure.com/weblog/archives/00002651.html
3.
Encryption, But With Backdoors? The FBI Has Business Running In Circles [Internet]. Forbes. [cited 2015 Sep 25]. Available from: http://www.forbes.com/sites/timsparapani/2015/05/21/encryption-but-with-backdoors-the-fbi-has-business-running-in-circles/
4.
Exclusive: Secret contract tied NSA and security industry pioneer. Reuters [Internet]. 2013 Dec 21 [cited 2015 Sep 25]; Available from: http://www.reuters.com/article/2013/12/21/us-usa-security-rsa-idUSBRE9BJ1C220131221
5.
Facebook $22 Billion WhatsApp Deal Buys $10 Million in Sales [Internet]. Bloomberg.com. [cited 2015 Sep 25]. Available from: http://www.bloomberg.com/news/articles/2014-10-28/facebook-s-22-billion-whatsapp-deal-buys-10-million-in-sales
6.
Facebook Closes $19 Billion WhatsApp Deal [Internet]. Forbes. [cited 2015 Sep 25]. Available from: http://www.forbes.com/sites/parmyolson/2014/10/06/facebook-closes-19-billion-whatsapp-deal/
7.
Ackerman S. FBI chief wants “backdoor access” to encrypted communications to fight Isis. The Guardian [Internet]. 2015 Jul 8 [cited 2015 Sep 25]; Available from: http://www.theguardian.com/technology/2015/jul/08/fbi-chief-backdoor-access-encryption-isis
8.
GCHQ Home page [Internet]. [cited 2015 Sep 25]. Available from: http://www.gchq.gov.uk/Pages/homepage.aspx
9.
Government Communications Headquarters [Internet]. Wikipedia, the free encyclopedia. 2015 [cited 2015 Sep 25]. Available from: https://en.wikipedia.org/w/index.php?title=Government_Communications_Headquarters&oldid=682734904
10.
Friedersdorf C. How Dangerous Is End-to-End Encryption? The Atlantic [Internet]. 2015 Jul 14 [cited 2015 Sep 25]; Available from: http://www.theatlantic.com/politics/archive/2015/07/nsa-encryption-ungoverned-spaces/398423/
11.
Bright P. Microsoft Buys Skype for $8.5 Billion. Why, Exactly? [Internet]. WIRED. 2011 [cited 2015 Sep 25]. Available from: http://www.wired.com/2011/05/microsoft-buys-skype-2/
12.
Microsoft Privacy Statement [Internet]. [cited 2015 Sep 25]. Available from: http://www.microsoft.com/en-us/privacystatement/default.aspx?intsrc=client-_-windows-_-7.9-_-go-privacy&setlang=en
13.
Zetter K. New Reports Describe More Mass Surveillance and Schemes to Undermine Encryption [Internet]. WIRED. 2015 [cited 2015 Sep 25]. Available from: http://www.wired.com/2015/09/karma-police-encryption/
14.
On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng – 15-shumow.pdf [Internet]. [cited 2015 Sep 25]. Available from: http://rump2007.cr.yp.to/15-shumow.pdf
15.
RSA Security [Internet]. Wikipedia, the free encyclopedia. 2015 [cited 2015 Sep 25]. Available from: https://en.wikipedia.org/w/index.php?title=RSA_Security&oldid=682424534
16.
The NSA is Making Us All Less Safe [Internet]. Electronic Frontier Foundation. [cited 2015 Sep 25]. Available from: https://www.eff.org/deeplinks/2013/10/nsa-making-us-less-safe

, , , , , , , , Security, Thoughts

14 Comments → “Crypto Wars and Messaging: How Secure are Skype and WhatsApp?”

  1. HM 8 years ago   Reply

    Interesting article. It raises more questions than answers. :-)

    You have advice on how to make Skype and WhatsApp more secure? I don’t do WhatsApp but some friends do.

    I understand you use PGP but how trustworthy is that? Just because it is not from a big corporation or government doesn’t mean it is less likely to be corrupted by an entity.

    I am interested to know how you deal with lost keys etc. to get your data back? PGP or similar are ok but what kind of mechanisms can an individual put in place to have a fall back? Definitely not a safe deposit box in a bank :-)

  2. Mikey 8 years ago   Reply

    Hi HM,

    I’m also an IT security professional of far, far too many years in the business.

    To answer your questions, it all depends on what you are protecting, and from whom. Security is Hard – if you’re doing it right that is.

    If you’re trying to protect yourself from colleges, curious snooping friends/relatives/strangers, or low to medium skilled hackers, then PGP is good enough. PGP does stand for “Pretty Good Privacy” and like the name suggests – it’s not perfect and it doesn’t try to be.

    If you’re trying to hide your conversations from a spouse or relative that may have physical access to your device, security tricks aren’t going to help much. If someone can get their hands on your phone/laptop/tablet and they can use your login, then they will be using the same system you have configured and will see/send the decrypted messages anyway – because they will see exactly what you are seeing.

    If you’re trying to protect yourself from dedicated, high-skilled hackers then it’s not good enough. To be honest reading blog articles is not going to every give you the information you need to protect yourself as you have to look quite deeply into how computers work. There are no quick fixes. A good place to start would be here with this book – https://www.schneier.com/books/secrets_and_lies/ but there are heaps of others out there too.

    If you’re trying to protect yourself from Government bodies – you have no chance with apps like WhatsApp or Skype. All – and I mean ALL – major companies WILL hand over any information they have on you to any government agency that asks, provided that government agency as the authority to ask. That’s not because they’re nasty, evil corporate shills, but for the exact opposite reason – because they’re good, law abiding companies that will do what the law requires them to do.

    If you’re trying to protect yourself from secret agencies, or spy agencies – don’t even try. It requires extensive training, considerable resources, and special skills to out spy the professional spies. Even then you won’t succeed for long.

    Regarding what happens if you lose your PGP key – if it’s lost, it’s lost. As Phil Zimmermann (the guy that created PGP) put it: “I’m sorry, you’re hosed.” All you can do is “revoke” your old key to flag it as unusable, get a new PGP key and tell everyone you know that you’ve lost the old one and here’s your new Public Key to use to encrypt messages. Anything encrypted with the old PGP key is lost as well, you won’t ever be able to decrypt it.

    hope this helps
    Mikey

  3. Pierre 8 years ago   Reply

    Skype was always assumed to be safe because of its end-to-end encryption.

    • Dr. Shem 8 years ago   Reply

      Pierre, unless you own the end-to-end encryption keys it will never be secure because the company (Skype) can always decrypt the traffic because they control the keys. Sorry, but in this case it’s fairly well understood that Skype, although convenient, isn’t “secure” from a privacy perspective. Yes Skype will protect you from the bad people on the internet, but who is to say that the bad people won’t be a government, as an example. The US for instance, can issue a warrant, and Skype (Microsoft) will need to comply. That isn’t security as far as I’m concerned.

      • Pierre 8 years ago   Reply

        Thank you for your reply, but i also understand even while tapping you can can a bit of Metadata, but not everything else, like no friends list, and no attachments…..

        • Dr. Shem 8 years ago   Reply

          Unfortunately Skype’s privacy/usage policy doesn’t explicitly state that these won’t be provided if requested by a legitimate warrant. Omission of such details from a policy, at least min my mind, usually means it is implied

          • Pierre 8 years ago  

            Agree, but this is a different story, while lots of countries are looking to implement such a technology in order to get all

  4. Jose 8 years ago   Reply

    Don’t know how many of you read this… this issue was fixed but who knows how many are still out there.
    http://www.cnbc.com/2015/09/09/whatsapp-hack-attack-puts-200000-at-risk.html

    • Dr. Shem 8 years ago   Reply

      Yes, I did read it a few weeks back. Not exactly a growing review for WhatsApp.

  5. EricG 8 years ago   Reply

    Curious to know what the author thinks of Bleep, the IM app produced by Bittorrent, or of Bittorent in general.

    • Dr. Shem 8 years ago   Reply

      Erik. Haven’t compared it seriously yet but I will do some digging on the back end and maybe put together a more comprehensive comparison.

  6. BerniceN 8 years ago   Reply

    BitTorrent can by-pass intellectual and copyrights. What happens when information is shared that shouldn’t be shared.

    • Dr. Shem 8 years ago   Reply

      Bernice, unfortunately we can’t do anything about that, as Edward Snowden can attest to. What we can do is have properly configured and managed Data Loss Prevention (DLP) technologies which will safeguard some of what you’re talking about. In the end though, nothing is 100% bulletproof. It pays to engage multiple layers of protection, or as is commonly referred to, Defense in Depth.

      • BerniceN 8 years ago   Reply

        I agree with you about SKYPE. Unless you have your own private / secret keys, that are inaccessible to untrusted parties, including the company, you don’t have confidentiality or privacy.
        Any computer system is accessible by someone with the means, the motivation, and the opportunity.

Leave a Reply