End-to-end encryption has just gone massively mainstream. In an update on March 31st, the Facebook-owned messaging platform WhatsApp quietly pushed an update adding end-to-end encryption enabled by default to its chat and call functionality. They announced the change publicly on Tuesday, allowing the app's over 1 billion monthly active users to message each other with the guarantee of strong encryption—whether they're exchanging messages, sending files, participating in group chats, or calling each other directly. Let us be clear: this means that WhatsApp has in one fell swoop moved the user base of end-to-end encryption from those protecting trade secrets, enthused crypto-hobbyists, and whistleblowers to an actually significant portion of the world population. It is difficult to overstate the importance of this move for the security and privacy of ordinary users. As of this week, there are hundreds of millions of users communicating with each other using end-to-end encryption for the very first time.

Not only are the app's users protected by encryption, but it's strong encryption. In a technical white paper released on April 4, WhatsApp describes in detail the underlying cryptographic exchange that occurs when users message each other. It's based on The Signal Protocol (née Axolotl) developed at Open Whisper Systems, and utilizes double ratcheting to provide forward secrecy even if session keys are compromised. This means that if an adversary is able to uncover the cryptographic keys being used by the app, this will not compromise communications made with contacts in the past—these will still be protected. The Signal Protocol uses strong and well-vetted cryptographic building blocks (or 'primitives') to construct and transmit messages, including ECDH using Curve25519. In addition to the service's strong end-to-end offerings, all communications between the client app and the WhatsApp server are encrypted using Noise Pipes from the Noise Protocol Framework.

Those familiar with using Signal will find the encryption workflow on WhatsApp similar. Both apps aim for ease of use, hiding the underlying cryptographic functionality away from the end user and integrating it as seamlessly as possible into the normal, intuitive app user interface. There are a few differences, though. The main differences have to do with how authenticity is established.

Traditionally, end-to-end applications have relied on manually verifying fingerprints. If Alice wants to verify Bob's identity, Alice would have Bob read off (or display the QR code for) his 'fingerprint'—the digest form of his public encryption key. If Alice has the same fingerprint for Bob, she can be assured that when she retrieved Bob's key from the Internet it wasn't tampered with or replaced by the key of someone else, perhaps someone with malicious intent. Bob would then have Alice read her key as well.

WhatsApp has made the interesting decision not to repeat this workflow in its app. Instead, it presents a distinct QR code per interaction that is shared so that both Alice and Bob will be scanning the same QR code on each other's devices. Presumably, their reasoning is that it is more intuitive for both parties to be verifying the same exact image (which actually just consists of both Alice and Bob's fingerprints concatenated together.) What's interesting about this decision is that it indicates some consideration was given to introducing the concept of key verification to millions of people. In contrast, Apple's iMessage platform, which gained notoriety last year for its own use of end-to-end encryption, does not allow users to verify each others keys at all. WhatsApp is showing the world that you don't need to sacrifice usability in order to provide meaningful features such as ways to verify contact authenticity.

In order to verify the identity of a contact, first you'll want to ensure that your contact is using the latest update of WhatsApp that actually supports the new security features. You can do this on Android by viewing the contact's details:

You'll see a green lock to indicate your communications are encrypted. Then, you can tap the lock to verify a security code as described above:

From this screen, you can have your contact scan your code, and you can scan your contact's code.

One of the settings the security-conscious should be sure to change is enabling security notifications. This ensures that if the encryption key for your contact changes, you will be notified of this change so that you'll know you have to verify security codes again. With Signal these notifications are always shown, but with WhatsApp they are optional and are switched off by default. To change this in Android, go into Settings → Account → Security, and slide 'Show security notifications' to the right:

Another setting the security-conscious should watch out for is that they aren't storing unencrypted backups to the cloud. In Android, WhatsApp gives the option to send these backups to Google Drive; for iOS the option is to send it to iCloud. Navigate to Settings → Chats → Chat backup to ensure cloud backups are turned off:

We've updated our Secure Messaging Scorecard to give WhatsApp 6 out of 7 stars. Unfortunately, WhatsApp remains closed source, which means that an independent reviewer can not review the code and its security. For this reason, if you're using Signal to communicate with contacts already, keep it. It's better to use a fully free and open source product. But because of the wide adoption of WhatsApp, you may have contacts you would have never expected using end-to-end encryption already. For the sake of their and your privacy and security, install WhatsApp and use it when communicating with them. You'll be glad you did.

Update 4/18: Added an explainer and screenshot for turning off cloud backups.

Related Issues