
I see this EFF tool guide proposing WhatsApp as one of "our pick of the best, most secure applications" (source).

How can WhatsApp be trusted as a secure application when it is not open-source (according to Wikipedia: "license: freeware"), in contrast to Signal (according to Wikipedia: "All Signal software are free and open-source")?

I know that WhatsApp uses the Signal Protocol library for implementing the Signal Protocol, but is this enough to consider it a trusted secure application, and to place it at the same level of trust as the open-source Signal client?

schroeder
Marinos An
  • As you can see on the following page, WhatsApp claims to have Signal implemented (that is an open-source secure protocol): https://en.wikipedia.org/wiki/Signal_Protocol. Crypto researchers can confirm that WhatsApp is indeed using Signal. – Filipe dos Santos Sep 09 '19 at 13:31
  • @Filipe dos Santos The fact that it is implementing `Signal` is not an indicator that it does not contain vulnerable or malicious code, or that the implementation is correct. – Marinos An Sep 09 '19 at 15:14
  • You need to have some evidence to make such claims. The research so far has no evidence of such malicious code or vulnerabilities for WhatsApp. Without access to the application server and the production code, one can make such claims for any piece of software, and this is not productive for the argument, nor is it how research is done. – Filipe dos Santos Sep 09 '19 at 15:17
  • @FilipedosSantos I have not claimed anything. Software that claims to be secure needs some strong evidence. The same stands for whoever qualifies such software as secure. – Marinos An Sep 09 '19 at 15:22
  • This looks like a question trying to drum up support for a position. EFF's decisions are theirs, and you need to ask them about their criteria. Also, the EFF explains their reservations about WhatsApp quite clearly. – schroeder Sep 09 '19 at 16:15
  • "Could such a choice question EFF credibility regarding privacy software proposals?" is entirely an opinion-based question and off-topic. So, you have a question that needs to be asked of the source (EFF) and an opinion-based question. Both make this off-topic here. – schroeder Sep 09 '19 at 16:16
  • @FilipedosSantos WhatsApp has had plenty of vulnerabilities disclosed; quite famously earlier this year there was this: https://nvd.nist.gov/vuln/detail/CVE-2019-3568 – LTPCGO Sep 09 '19 at 19:21
  • @LTPCGO It's obvious that WhatsApp had vulnerabilities, and it will probably have more in the future; that is in the nature of building software these days. However, I believe you missed my point badly. My point was that you need evidence to claim that a piece of software has vulnerabilities; you actually agree with me, and confirmed my point of view. – Filipe dos Santos Sep 09 '19 at 19:24
  • @FilipedosSantos I'm not sure we did agree - 'the research so far has no evidence of such malicious code or vulnerabilities for WhatsApp'; the CVE above shows that the research so far has found evidence of vulnerabilities. – LTPCGO Sep 09 '19 at 19:31
  • @LTPCGO Well, again, this is completely off-topic. This statement was in regard to the author's claims of lack of privacy; you're willingly taking my phrase out of context. If you have any evidence that this is not the case, feel free to share. – Filipe dos Santos Sep 09 '19 at 19:35
  • A vulnerability on the client side does not imply that messages are not end-to-end encrypted or that there are privacy concerns, nor does it support any claims about other non-disclosed vulnerabilities. – Filipe dos Santos Sep 09 '19 at 19:36
  • @MarinosAn said 'the fact that it is implementing Signal is not an indicator that it does not contain vulnerable or malicious code, or that the implementation is correct'; you suggested that they needed evidence to state that, and I provided it. They weren't suggesting that Signal was compromised. – LTPCGO Sep 09 '19 at 19:37
  • @schroeder Replacing the opinion-based question. – Marinos An Sep 10 '19 at 11:03
  • This all comes down to EFF's criteria for inclusion. If you look at the criteria, it states that the WhatsApp code has been audited. That places it on the same level as open source, because the reason for open source is the public auditing. – schroeder Sep 10 '19 at 16:03
  • @schroeder But if this is an answer to my question, why is the question still closed? As I said, I have replaced the opinion-based part. – Marinos An Sep 11 '19 at 11:33
  • It would end up remaining closed because, as I said, it's a question to the EFF about their criteria, and those criteria are openly available on their site. – schroeder Sep 11 '19 at 11:44

1 Answer


They do have reservations:

WhatsApp does still provide end-to-end encryption, which ensures that a message is turned into a secret message by its original sender, and decoded only by its final recipient. We take no issue with the way this encryption is performed. In fact, we hope that the encryption protocol WhatsApp uses, the Signal Protocol, becomes more widespread in the future. Instead, we are concerned about WhatsApp’s security despite the best efforts of the Signal Protocol.

My emphasis. They provide a guide for improving WhatsApp's privacy and security. They do note that they see problems with it.

vidarlo