- WhatsApp uses reputable cryptography from reputable sources, but combines it with a UI so much designed for ease of use that it throws out the possibility of real security
- Telegram uses extremely questionable cryptography to begin with from people who probably shouldn't be designing cryptosystems
If you want real security, go use Signal or better, OTR where socialist millionaire's is still an option for key verification.
Other people already linked the wikipedia article, but basically the thing it allows for is verification of a key without trust of it and provides effective proof you're not being MITM'd.
I can ask a question or a series of questions to my friend and we can use zero knowledge proofs to determine we're talking about the same answer to verify his key without disclosing anything about that answer.
Telegram is actually not open, they just throw some sources to github or as zip files at their's langing page.
That's why i quit Telegram and built open source "Telegram" - https://actor.im and replaced spagetti-encryption with enhanced version of Signal's one.
We added one extra level based on Russian encryption. So if Curve25519 or AES encryption will be broken there are still be russian level. To break our crypto Russia and US need to cooperate that is impossible.
I've read up a while ago on the questionable cryptography (not an expert in that at all myself) but couldn't find a lot of actual substance. Certainly with claims [0] [1] being that Telegram offers nice sums for breaking it, which gives me as a consumer the idea that someone who actually knows this stuff would love to hit that down, if it was something in my area of expertise offering that I'd love to try and hit it.
I get that it might all be some kind of cheat, but an actual cryptography researcher publishing that it is would, obviously, get a lot of bad karma going in the HN circles (for example) about these contests.
What have you read about the questionable cryptography in Telegram that you found unpersuasive? That's a better starting point, because the formulation you use here is often used on message boards to bait people into doing research work that is then dismissed.
Your comment includes an assertion that there aren't substantial complaints about Telegram's security (there very much are, BTW). I think the onus is on you to defend that argument.
You're absolutely right if my goal was to get people to post these papers, which reading back can easily be how it is interpreted.
My point was more that, as a 'consumer' of this product without any background knowledge, their contests seem extremely convincing to the point of being slightly ridiculous. A 300,000 dollar bounty, while participants get quite some more access than they would normally get while attacking this system, gives me that feeling of it being actually quite secure, besides some possible attacks. If they're possible, if there are complaints, why can't they be made real and substantiated?
My first post is indeed not delivering the message I intended, hope this one shows it better.
This is one of the rare instances where me and Bruce Schneier agree unequivocally, so maybe you can just take Schneier's word for it --- remembering, when you do, that this happens so often in security that Schneier was moved to write a little article about it!
Thanks a lot, that was very insightful and exactly the kind of insight I was looking for.
I think for me as an outsider it's really easy to fall for that trap, where certainly point 3 in his article was a realization that I would look at it the same way, perhaps spend a bit of time in my evenings on it but never spend, say, 3 months of research on the off chance that they might pay and that I might be the first winner/best winner, compared to a good (hourly) pay.
Which reminds me of the announcement while ago about Whisper Systems is helping WhatsApp implementing E2E [0]. I don't think I've heard ever since about it, and not even sure if that functionality is built into WhatsApp now...
> Starting this year, we will test tools that allow you to use WhatsApp to communicate with businesses and organizations that you want to hear from. That could mean communicating with your bank about whether a recent transaction was fraudulent, or with an airline about a delayed flight.
Sounds a lot like what WeChat has been doing in China with their Official Accounts.
This. A messaging app like WhatsApp could become a platform. I'm not sure how the "apps" in this world would look like but I would find it great if text interactions (like on IRC, in the shell, or a text adventure) would have a comeback. Forget most of HTML/CSS and get back to basics ;-) In reality, some graphical UI will probably be necessary.
Yeah I visited china recently and I was very jealous seeing my girlfriend (grew up there) order taxis, pay for food and loads of other small tasks all through WeChat.
This should definitely be developed for WhatsApp (or something similar).
Telegram has its Bot API which, among many other things, makes it possible for any organization or individual to create applications that "allow you to use [Telegram] to communicate with businesses and organizations that you want to hear from".
WhatsApp asked me for money a few times but wasn't overly bullish about it after I ignored it for a few days.
Not using WhatsApp isn't any obstacle as everyone seems to have a few messengers. I just pressed a different button, others answered on the platform I swiched to.
FWIW, this was my biggest gripe with it too. I did not start using WhatsApp till 2014 while all of my friends had already switched a couple of years back. I was happy with Facebook messenger, but i was forced to switch to be in the loop. Although since Facebook messenger also needs your number to verify the phone, if I remember correctly, it hardly matters.
I have recently made the switch to Signal[1], and made my partner switch too. It's been a blessing.
I have two phone numbers (one in the US and one in Austria) and also spend a considerable amount of time in both countries each year. I'm usually reachable on both numbers (and usually only give the local number to people in each country), with one number forwarding to the other number.
With WhatsApp I can't link both numbers at the same time. Even worse, according to the FAQ there's a limit on how often you can change the phone number linked to the account, so it's not even an option to just always change it to the "local" number.
There's not much wrong with being the product as long as you are aware of that distinction. The problem arises when people aren't aware because this in essence takes away their right(option, if you will) to refuse to use the service.
So long as revenue sources other than subscription fees are more lucrative than the subscription fees, it remains the case that users are "the product", even if fees are charged.
For fees to change the balance, they have to have enough economic weight to swamp advertising and tracking revenue, so that losing users makes tracking unprofitable. But very few services like WhatsApp can charge so much that the balance is shifted.
They have an interesting way of donating: 'BitHub = Bitcoin + GitHub. An experiment in funding privacy OSS.'
You donate bitcoins to a pool. Everyone can commit to their repository. Every merged pull request gets 2% of the pool. Currently you get 26.98 USD per merged pull request.
From their description in the iTunes store: 'Pay Nothing - Signal is supported by a team of dedicated developers, community donations, and grants. There are no advertisements, and it doesn't cost anything to use.'
You say that as if is has less value for not being a business.
When ideals are involved (strong encryption, privacy, ad-free), being run as a lean, open-source project is worth much more than being owned by a megacorp like Facebook.
Paid business services for customer interaction, sound like a plausible business model for WhatsApp. However, I get the feeling this is only part of the story. I assume that data mined by WhatsApp are probably more valuable to Facebook.
I would agree. I think their user base has hit some tipping point which ensures other revenue streams. That's the only reason I can think they would throw the fees... out the window.
So I know internal figures from facebook regarding whatsapp. A large majority of our users are never actually charged a subscription fee.
The app is facing stiff competition in some markets against apps that don't have any subscription model. Even though whatsapp won't actually charge those users the presence of a subscription feature seems to be causing a growth hinderance.
Not sure how it will compete in these markets now given the entrenched nature of social platforms and how hard it is to convince people to switch but that remains to be seen.
Also, until recently whatsapp/facebook couldn't actually read any message sent by users to other users/groups because of the end to end encryption in place. Not sure why they would change that just to get a data mined revenue source, metadata is quite sufficient for that. Even with NSLs on fb in place, the impossibility of of us to read the messages in whatsapp is sufficient reason to deny a NSL request.
Zuck doesn't really interfere with whatsapp, but like with some other things this seems like a bid to increase DAUs and retention instead of any new source of revenue.
> until recently whatsapp/facebook couldn't actually read any message sent by users to other users/groups because of the end to end encryption in place
I couldn't resist to smile. Back on topic, it would be great if WhatsApp clarifies which data they share with Facebook and how that data is being used.
The announcement said handling payment was a big problem. Well, a support call costs $20 or so. If 5% of customers have a payment problem (don't have credit card any more etc) and 50% of those incidents require human attention, that's half of Whatsapp's revenue and a serious reason for churn and user dissatisfaction. 5% and 50% are random numbers, but you see the point, right?
I don't think I ever paid fees for Whatsapp, and I'm not sure how or why. But this also seems too late. Facebook own them, my family started using Facebook, and with Messenger as a separate app I more or less lost any incentive to use it.
When I signed up for WhatsApp in 2012, the iOS app cost 0.79 € (I believe it was a promotion, usually 1.79 €) and gave me a free lifetime license. I think the Android app already asked for a yearly fee after one year at that time, at least in theory.
And for those who didn't read the link, the punchline at the end of that post is:
"When people ask us why we charge for WhatsApp, we say 'Have you considered the alternative?'"
The (implied) alternative here is advertising; the author just spent the previous 8 paragraphs discussing all the unpleasantness and creepiness that that entails.
When I very recently started using WhatsApp, the client displayed a link to a blog post[0] they wrote about why charging subscription fees was important and a good thing:
"At every company that sells ads, a significant portion of their engineering team spends their day tuning data mining, writing better code to collect all your personal data, upgrading the servers that hold all the data and making sure it's all being logged and collated and sliced and packaged and shipped out... And at the end of the day the result of it all is a slightly different advertising banner in your browser or on your mobile screen.
"Remember, when advertising is involved you the user are the product.
...
"When people ask us why we charge for WhatsApp, we say 'Have you considered the alternative?'"
Given that this new blog post carefully talks about not introducing "third-party ads", presumably first-party ads are still on the table? Which would make this new model the alternative that they warned us about earlier.
Heh, I guess it's not particularly surprising that making the founders billionaires changed their minds - although it really did read as if they had principles at the time!
"These days companies know literally everything about you, your friends, your interests, and they use it all to sell ads."
There really is only one company this could be describing isn't there? Facebook.
I'm not sure how true that ever was. I've been using WhatsApp for years and never paid anything. They'd always just extend the subscription. None of my friends ever paid anything either (most of the people who use WhatsApp here don't even have a CC on file at Google Play).
I'm just going to stick to Email :) I'm old enough to see all these messaging applications come and go (ICQ, MSN Messanger anyone?). I'd rather see a company try and improve email's flaws then try and force new protocols and undefined encryption down our throats.
Yes I sound grumpy, but that's because all my family are on WhatsApp and I don't want to be :)
For the 5 years I've been using WhatsApp, I've never been charged anything. I always get a "trial extension", even after changing numbers many times and changing countries 3 times.
I don't know if this happens frequently, or I'm just lucky
87 comments
[ 4.5 ms ] story [ 154 ms ] thread- WhatsApp uses reputable cryptography from reputable sources, but combines it with a UI so much designed for ease of use that it throws out the possibility of real security
- Telegram uses extremely questionable cryptography to begin with from people who probably shouldn't be designing cryptosystems
If you want real security, go use Signal or better, OTR where socialist millionaire's is still an option for key verification.
Can you explain the socialist millionaire comment? I don't get it.
I can ask a question or a series of questions to my friend and we can use zero knowledge proofs to determine we're talking about the same answer to verify his key without disclosing anything about that answer.
I get that it might all be some kind of cheat, but an actual cryptography researcher publishing that it is would, obviously, get a lot of bad karma going in the HN circles (for example) about these contests.
[0] https://telegram.org/blog/winter-contest-ends
[1] https://telegram.org/blog/cryptocontest-ends
Your comment includes an assertion that there aren't substantial complaints about Telegram's security (there very much are, BTW). I think the onus is on you to defend that argument.
My point was more that, as a 'consumer' of this product without any background knowledge, their contests seem extremely convincing to the point of being slightly ridiculous. A 300,000 dollar bounty, while participants get quite some more access than they would normally get while attacking this system, gives me that feeling of it being actually quite secure, besides some possible attacks. If they're possible, if there are complaints, why can't they be made real and substantiated?
My first post is indeed not delivering the message I intended, hope this one shows it better.
https://www.schneier.com/crypto-gram/archives/1998/1215.html...
I think for me as an outsider it's really easy to fall for that trap, where certainly point 3 in his article was a realization that I would look at it the same way, perhaps spend a bit of time in my evenings on it but never spend, say, 3 months of research on the off chance that they might pay and that I might be the first winner/best winner, compared to a good (hourly) pay.
The best opsec advice for normal people seems to be not to op.
[0]: https://whispersystems.org/blog/whatsapp/
Sounds a lot like what WeChat has been doing in China with their Official Accounts.
Best explanation I could find quickly: http://knowledge.ckgsb.edu.cn/2016/01/13/ecommerce/welcome-t...
Instead of, say, downloading the Uber app to get a ride, you'd open up WeChat and message its app account.
Or Line, not sure which one was the first.
This should definitely be developed for WhatsApp (or something similar).
Telegram offers this for free.
WhatsApp asked me for money a few times but wasn't overly bullish about it after I ignored it for a few days.
Not using WhatsApp isn't any obstacle as everyone seems to have a few messengers. I just pressed a different button, others answered on the platform I swiched to.
I have recently made the switch to Signal[1], and made my partner switch too. It's been a blessing.
[1] https://whispersystems.org/
I am just annoyed that I cannot choose and control my 'identity' but instead am bound to the provider's number.
I have two phone numbers (one in the US and one in Austria) and also spend a considerable amount of time in both countries each year. I'm usually reachable on both numbers (and usually only give the local number to people in each country), with one number forwarding to the other number.
With WhatsApp I can't link both numbers at the same time. Even worse, according to the FAQ there's a limit on how often you can change the phone number linked to the account, so it's not even an option to just always change it to the "local" number.
Obviously you don't need to "be the product". Selling a shortcut to a bit of your attention makes a lot of money, too.
Edit: And you are always in the position to choose how much attention you grant the apps you use.
Products are sold
For fees to change the balance, they have to have enough economic weight to swamp advertising and tracking revenue, so that losing users makes tracking unprofitable. But very few services like WhatsApp can charge so much that the balance is shifted.
https://itunes.apple.com/gb/app/signal-private-messenger/id8...
https://play.google.com/store/apps/details?id=org.thoughtcri...
You donate bitcoins to a pool. Everyone can commit to their repository. Every merged pull request gets 2% of the pool. Currently you get 26.98 USD per merged pull request.
Source: https://www.whispersystems.org/blog/bithub/
When ideals are involved (strong encryption, privacy, ad-free), being run as a lean, open-source project is worth much more than being owned by a megacorp like Facebook.
No, I did not :-P
I am a happy signal user BTW, but I can't see how they are making money off me.
(nice user name)
The app is facing stiff competition in some markets against apps that don't have any subscription model. Even though whatsapp won't actually charge those users the presence of a subscription feature seems to be causing a growth hinderance.
Not sure how it will compete in these markets now given the entrenched nature of social platforms and how hard it is to convince people to switch but that remains to be seen.
Also, until recently whatsapp/facebook couldn't actually read any message sent by users to other users/groups because of the end to end encryption in place. Not sure why they would change that just to get a data mined revenue source, metadata is quite sufficient for that. Even with NSLs on fb in place, the impossibility of of us to read the messages in whatsapp is sufficient reason to deny a NSL request.
Zuck doesn't really interfere with whatsapp, but like with some other things this seems like a bid to increase DAUs and retention instead of any new source of revenue.
Does that mean they can now?
That statement is based on my latest information, which is a few months dated, that they couldn't. Things could have changed but it's unlikely.
The announcement said handling payment was a big problem. Well, a support call costs $20 or so. If 5% of customers have a payment problem (don't have credit card any more etc) and 50% of those incidents require human attention, that's half of Whatsapp's revenue and a serious reason for churn and user dissatisfaction. 5% and 50% are random numbers, but you see the point, right?
https://newsroom.fb.com/news/2015/12/introducing-transportat...
"When people ask us why we charge for WhatsApp, we say 'Have you considered the alternative?'"
The (implied) alternative here is advertising; the author just spent the previous 8 paragraphs discussing all the unpleasantness and creepiness that that entails.
"At every company that sells ads, a significant portion of their engineering team spends their day tuning data mining, writing better code to collect all your personal data, upgrading the servers that hold all the data and making sure it's all being logged and collated and sliced and packaged and shipped out... And at the end of the day the result of it all is a slightly different advertising banner in your browser or on your mobile screen.
"Remember, when advertising is involved you the user are the product.
...
"When people ask us why we charge for WhatsApp, we say 'Have you considered the alternative?'"
Given that this new blog post carefully talks about not introducing "third-party ads", presumably first-party ads are still on the table? Which would make this new model the alternative that they warned us about earlier.
[0] https://blog.whatsapp.com/245/Why-we-dont-sell-ads
"These days companies know literally everything about you, your friends, your interests, and they use it all to sell ads."
There really is only one company this could be describing isn't there? Facebook.
Yes I sound grumpy, but that's because all my family are on WhatsApp and I don't want to be :)
I don't know if this happens frequently, or I'm just lucky