WhatsApp now enabled end-to-end encrypted at all times. This will ensure that all user’s messages, videos, photos sent over WhatsApp, can’t be read by anyone else: not WhatsApp, not cyber-criminals, not law-enforcement agencies. Even calls and group chats will be encrypted.
WhatsApp co-founder Jan Koum announced the update on his Facebook page, stating that the company has been working on the feature for the last two years.
Communications on WhatsApp are now fully end-to-end encrypted, the company announced on 05-04-2016, completing an integration that has lasted for nearly a year and a half.
The company began rolling out encrypting text messages in November 2014, as part of a partnership with Open Whisper Systems, but those protections now extend to voice calls, video, and multi-party chat rooms, for users on both iOS and Android.
Deploying universal encryption allows for a number of new protections. Once communications with a user are encrypted, the WhatsApp client will now notify the user and refuse to send any unencrypted messages, addressing previous concerns that the system might be vulnerable to a downgrade attack.
The result is strong security for WhatsApp users, and potentially a template that could be applied to other services going forward. Open Whisper’s protocol is open source, and the group has pledged to help other messenger services employ the same protections going forward.
“Over a billion monthly active users across the world are now using the Signal Protocol for end to end encryption,” Open Whisper wrote in its blog post announcing the change. “Over the next year, we will continue to work with additional messengers to amplify the impact and scope of private communication even further.”
So what is end-to-end encryption and how exactly does it work in WhatsApp?
WhatsApp is using “The Signal Protocol”, designed by Open Whisper Systems, for its encryption.
In its White Paper, explaining the technical details of the end-to-end encryption, WhatsApp says that “once the session is established, clients do not need to rebuild a new session with each other until the existing session state is lost through an external event such as an app reinstall or device change.”
The paper explains how messages are encrypted as well. It reads, “clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication.
The Message Key changes for each message transmitted, and is ephemeral, such that the Message Key used to encrypt a message cannot be reconstructed from the session.” It also says that calls, large file attachments are end-to-end encrypted as well.
Note the ever-changing message key can mean a delay in some messages getting delivered, according to the paper.
It should be noted that feature is enabled by default in WhatsApp, which means that if you and your friends are on the latest version of the app, all chats will be end-to-end encrypted.
Unlike say Telegram where users have to start a secret chat to enable the feature, WhatsApp has the feature on at all times. Users don’t have the option of switching off end-to-end encryption.
Users need to be on the same versions of WhatsApp to ensure that their chats get end-to-end encrypted. If you’ve recently updated the app, and you start a chat with someone else (also on the new version) you are likely to see a message saying, “Messages you send to this chat and calls are now secured with end-to-end encryption. Tap for more info.”
Once you tap on the message, WhatsApp has a pop-up menu explaining what end-to-end encryption means. Users can verify if the encryption is working as well. If a user taps on verify, they will be taken to a page with a QR code, followed by a string of 60 numbers.
If your friend is nearby, take their phone scan the code from your phone (the option is there at the bottom of the same page) and if the QR code matches, then the chat is encrypted.
When the codes match, a green tick appears; when it doesn’t there’s an exclamation mark in red alerting a user that the chat is not secure.
So does the end-to-end encryption work all the time?
We tried verifying some chats that had the message saying encryption was enabled. In some cases, the verification failed for us. In the first case, we tried to verify a chat between an Android and iPhone 6s device (running iOS 9.3.1), and the QR codes didn’t match.
We also tried matching QR codes on an two Android phones, and once again we got the red alert indicating no end-to-end encryption. Both Android phones are on the latest version of the app from the Google Play Store.
However, a verification between a chat on two iOS devices, (iPhone 6s, iPhone 5s) worked for us and showed the green tick.
We’re not sure why the verification failed, even though the chat says it is end-to-end encrypted. We might have to wait for another app update that could fix this issue.
Let us know in the comments if you’ve managed to get the end-to-end encryption verified on some of your chats.