Why WhatsApp will never be safe
Column author - Pavel Durov, founder of the Telegram messenger
The world seems shocked by the news that WhatsApp has turned any phone into a tracking device. Everything on your phone, including photos, emails and texts, was only available to attackers because you had WhatsApp installed.
')
However, this news did not surprise me. Last year, WhatsApp had to recognize a very similar problem - a hacker could get access to all your phone data through a single video call .
Every time WhatsApp fixes a critical vulnerability in its application, a new one appears in its place. All security issues are well suited for surveillance, they look and work like backdoors.
Unlike Telegram, WhatsApp does not open the source code, so security researchers cannot easily check if there are any backdoors. WhatsApp not only does not publish the code, they do exactly the opposite: WhatsApp specifically obfusts the binary files of its applications so that no one can study them carefully.
It is possible that WhatsApp and its parent company Facebook even have to implement backdoors — through secret processes such as FBI secret orders . It is not easy to run a secure messenger while in the US. For the week spent by our team in the USA in 2016, FBI agents tried to break into us three times. Imagine what will happen with the American company for 10 years of work in such an environment.
I understand that the security forces justify the installation of backdoors by antiterrorist efforts. The problem is that such backdoors can also be used by criminals and authoritarian governments. No wonder dictators seem to love whatsapp. The lack of security allows them to spy on their citizens, so WhatsApp is not blocked in countries such as Russia or Iran, where Telegram is banned by the authorities .
As a matter of fact, my work on Telegram was a direct response to personal pressure from the Russian authorities. Then, in 2012, WhatsApp was still transmitting messages in clear text. This is madness. Not only governments or hackers, but also WiFi mobile providers and administrators had access to all WhatsApp texts.
Later, WhatsApp added some encryption, which quickly turned out to be a marketing ploy: a key to decrypt messages was available to at least several governments, including Russia . Then, when Telegram began to gain popularity, the founders of WhatsApp sold their company to Facebook and said that they had “confidentiality embedded in DNA” . If this is true, then this is probably a sleeping or recessive gene.
Three years ago, WhatsApp announced that they had implemented end-to-end encryption, so "no third party can access the messages." This coincided with an aggressive call for all users to back up their chats in the cloud. At the same time, WhatsApp did not tell users that when backing up messages are no longer protected by end-to-end encryption and can be accessed by hackers and law enforcement. Brilliant marketing, as a result of which some naive people are now serving a prison sentence .
Those who do not succumb to the constant pop-ups recommending to create backup copies of their chats can still be tracked with a number of tricks - from accessing backup copies of contacts to imperceptible changes to the encryption key . The metadata generated by WhatsApp users — logs that describe who communicates with whom and when — is leaked to all agencies in large volumes through the parent company . In addition, you get a set of critical vulnerabilities, replacing each other.
WhatsApp has a stable and consistent history, from zero encryption during creation to current vulnerabilities that are strangely suitable for monitoring purposes. Looking back, there was not a single day for their ten-year history when this service was safe. That is why I do not think that a simple update of the WhatsApp mobile app will make it safe. To become a privacy-oriented service, WhatsApp must risk losing entire markets and run into authorities in their own country. They seem unprepared for this .
Last year, the founders of WhatsApp left the company because of concerns about user privacy . They are definitely linked by either secret orders or the NDA, so they cannot publicly discuss backdoors without risking losing their fortune or freedom. However, they were able to admit that they “sold the privacy of their users . ”
I can understand the reluctance of the founders of WhatsApp to provide more detailed information - it is not easy to jeopardize your comfort. Several years ago, I had to leave my country after refusing to comply with government-sanctioned violations of the privacy of VK users . It was unpleasant. But will I do something like that again? With pleasure. Each of us will die sooner or later, but we, as a species, will stay here for a while. That is why I think that the accumulation of money, fame or power does not matter. Serving humanity is the only thing that really matters in the long run.
And yet, despite our intentions, I feel that we have failed mankind in this whole spy story of WhatsApp. Many people cannot stop using WhatsApp because their friends and family are still there. This means that we at Telegram did a poor job of persuading people to switch. Although over the past five years we have attracted hundreds of millions of users, this has not been enough. Most Internet users are still held hostage by the Facebook / WhatsApp / Instagram empire. Many of those who use Telegram are also on WhatsApp, that is, their phones are still vulnerable. Even those who completely abandoned WhatsApp probably use Facebook or Instagram, both of whom think that it’s ok to store your passwords in cleartext (I still can’t believe that a tech company can do something like that and exit dry out of water).
In almost six years of its existence, Telegram has not had any serious data breaches or security flaws that WhatsApp shows every few months. In the same six years, we opened exactly zero data bytes to third parties, while Facebook / WhatsApp shared any information with almost everyone who claims to work for the government .
Few outside the Telegram fan community understand that most of the new messaging features first appear in Telegram, and then WhatsApp is copied to the smallest detail. Most recently, we witnessed Facebook’s attempt to borrow Telegram’s entire philosophy when Zuckerberg suddenly declared the importance of confidentiality and speed, practically quoting word on Telegram’s application in an F8 conference speech.
But whining about the hypocrisy of FB and the lack of creativity will not help. We have to admit that Facebook is implementing an effective strategy. See what they did with Snapchat .
We at Telegram must recognize our responsibility in shaping the future. Either we or monopoly Facebook. Either freedom and privacy, or greed and hypocrisy. Our team has been competing with Facebook for the past 13 years. We already beat them once, on the Eastern European social networking market . We will beat them again in the global messaging market. We have to.
It will not be easy. Facebook's marketing department is huge. And we in Telegram do not do marketing. We do not want to pay journalists and researchers to tell the world about Telegram. For this we rely on you - millions of our users. If you like Telegram enough, you will tell your friends about it. And if each Telegram user persuades three of his friends to remove WhatsApp and use Telegram on an ongoing basis, Telegram will become more popular than WhatsApp.
The age of greed and hypocrisy will end. The era of freedom and privacy will begin. It is much closer than it seems.
The world seems shocked by the news that WhatsApp has turned any phone into a tracking device. Everything on your phone, including photos, emails and texts, was only available to attackers because you had WhatsApp installed.
')
However, this news did not surprise me. Last year, WhatsApp had to recognize a very similar problem - a hacker could get access to all your phone data through a single video call .
Every time WhatsApp fixes a critical vulnerability in its application, a new one appears in its place. All security issues are well suited for surveillance, they look and work like backdoors.
Unlike Telegram, WhatsApp does not open the source code, so security researchers cannot easily check if there are any backdoors. WhatsApp not only does not publish the code, they do exactly the opposite: WhatsApp specifically obfusts the binary files of its applications so that no one can study them carefully.
It is possible that WhatsApp and its parent company Facebook even have to implement backdoors — through secret processes such as FBI secret orders . It is not easy to run a secure messenger while in the US. For the week spent by our team in the USA in 2016, FBI agents tried to break into us three times. Imagine what will happen with the American company for 10 years of work in such an environment.
I understand that the security forces justify the installation of backdoors by antiterrorist efforts. The problem is that such backdoors can also be used by criminals and authoritarian governments. No wonder dictators seem to love whatsapp. The lack of security allows them to spy on their citizens, so WhatsApp is not blocked in countries such as Russia or Iran, where Telegram is banned by the authorities .
As a matter of fact, my work on Telegram was a direct response to personal pressure from the Russian authorities. Then, in 2012, WhatsApp was still transmitting messages in clear text. This is madness. Not only governments or hackers, but also WiFi mobile providers and administrators had access to all WhatsApp texts.
Later, WhatsApp added some encryption, which quickly turned out to be a marketing ploy: a key to decrypt messages was available to at least several governments, including Russia . Then, when Telegram began to gain popularity, the founders of WhatsApp sold their company to Facebook and said that they had “confidentiality embedded in DNA” . If this is true, then this is probably a sleeping or recessive gene.
Three years ago, WhatsApp announced that they had implemented end-to-end encryption, so "no third party can access the messages." This coincided with an aggressive call for all users to back up their chats in the cloud. At the same time, WhatsApp did not tell users that when backing up messages are no longer protected by end-to-end encryption and can be accessed by hackers and law enforcement. Brilliant marketing, as a result of which some naive people are now serving a prison sentence .
Those who do not succumb to the constant pop-ups recommending to create backup copies of their chats can still be tracked with a number of tricks - from accessing backup copies of contacts to imperceptible changes to the encryption key . The metadata generated by WhatsApp users — logs that describe who communicates with whom and when — is leaked to all agencies in large volumes through the parent company . In addition, you get a set of critical vulnerabilities, replacing each other.
WhatsApp has a stable and consistent history, from zero encryption during creation to current vulnerabilities that are strangely suitable for monitoring purposes. Looking back, there was not a single day for their ten-year history when this service was safe. That is why I do not think that a simple update of the WhatsApp mobile app will make it safe. To become a privacy-oriented service, WhatsApp must risk losing entire markets and run into authorities in their own country. They seem unprepared for this .
Last year, the founders of WhatsApp left the company because of concerns about user privacy . They are definitely linked by either secret orders or the NDA, so they cannot publicly discuss backdoors without risking losing their fortune or freedom. However, they were able to admit that they “sold the privacy of their users . ”
I can understand the reluctance of the founders of WhatsApp to provide more detailed information - it is not easy to jeopardize your comfort. Several years ago, I had to leave my country after refusing to comply with government-sanctioned violations of the privacy of VK users . It was unpleasant. But will I do something like that again? With pleasure. Each of us will die sooner or later, but we, as a species, will stay here for a while. That is why I think that the accumulation of money, fame or power does not matter. Serving humanity is the only thing that really matters in the long run.
And yet, despite our intentions, I feel that we have failed mankind in this whole spy story of WhatsApp. Many people cannot stop using WhatsApp because their friends and family are still there. This means that we at Telegram did a poor job of persuading people to switch. Although over the past five years we have attracted hundreds of millions of users, this has not been enough. Most Internet users are still held hostage by the Facebook / WhatsApp / Instagram empire. Many of those who use Telegram are also on WhatsApp, that is, their phones are still vulnerable. Even those who completely abandoned WhatsApp probably use Facebook or Instagram, both of whom think that it’s ok to store your passwords in cleartext (I still can’t believe that a tech company can do something like that and exit dry out of water).
In almost six years of its existence, Telegram has not had any serious data breaches or security flaws that WhatsApp shows every few months. In the same six years, we opened exactly zero data bytes to third parties, while Facebook / WhatsApp shared any information with almost everyone who claims to work for the government .
Few outside the Telegram fan community understand that most of the new messaging features first appear in Telegram, and then WhatsApp is copied to the smallest detail. Most recently, we witnessed Facebook’s attempt to borrow Telegram’s entire philosophy when Zuckerberg suddenly declared the importance of confidentiality and speed, practically quoting word on Telegram’s application in an F8 conference speech.
But whining about the hypocrisy of FB and the lack of creativity will not help. We have to admit that Facebook is implementing an effective strategy. See what they did with Snapchat .
We at Telegram must recognize our responsibility in shaping the future. Either we or monopoly Facebook. Either freedom and privacy, or greed and hypocrisy. Our team has been competing with Facebook for the past 13 years. We already beat them once, on the Eastern European social networking market . We will beat them again in the global messaging market. We have to.
It will not be easy. Facebook's marketing department is huge. And we in Telegram do not do marketing. We do not want to pay journalists and researchers to tell the world about Telegram. For this we rely on you - millions of our users. If you like Telegram enough, you will tell your friends about it. And if each Telegram user persuades three of his friends to remove WhatsApp and use Telegram on an ongoing basis, Telegram will become more popular than WhatsApp.
The age of greed and hypocrisy will end. The era of freedom and privacy will begin. It is much closer than it seems.
Source: https://habr.com/ru/post/452054/
All Articles