How do I verify that WhatsApp is using end-to-end encryption?
Is there any test that I can perform to verify that WhatsApp is indeed using end-to-end encryption between my and another Android phone?
An other way would be to tell one of your mates something like "next week we will attack the white house" and wait at home to see if feds will knock on your door, if they don't then WhatApp is secure. I would not recommend this test tho for obvious reasons
@Ulkoma good one! however in my idea it could be end-to-end encrypted but still feds knock on his door! ;)
Can not check this until you have access to WhatsApp source code to see how they manage message encryption. A public/private key exchange mechanism should be in place to create messages that can be used only on two devices.
LOL @ people thinking the Feds can't decrypt every encryption scheme available on Western technology compatible hardware on the planet right now.
@Ulkoma What if I text it to myself? (i.e. other device of mine) There's a law against that? Can I just say I was just taking a note about your comment?
My first thought was "It can't be, because then how would WhatsApp Web work?" I can see messages on WhatsApp Web, so my private key must have been transmitted either to the WhatsApp web server or to my browser. It looks like this works by establishing a connection between your browser and your phone (mediated by the WhatsApp servers) - http://whatsapp.com/faq/web/28080002 So this doesn't rule out end-to-end encryption Android-Android; it just means that if you use the web client, messages are being exchanged from your phone to the web client via a WhatsApp server.
There isn't any quick check you can perform in order to be sure that end-to-end encryption is used. Even if you manage to get this confirmation, then you have to make sure that the used encryption keys never left your device (and the device of your friend). If end-to-end encryption is used, but WhatsApp or someone else has access to the encryption keys, the chat is no longer confidential.
There is some available information which can allow a security researcher to start investigating the matter:
- The encryption software is known and the code is open source (even if we do not know what changes were made to the WhatsApp implementation)
WhatsApp will integrate the open-source software Textsecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device
P.S.: There is at least one way to tell if they are not using end-to-end encryption and parsing the contents of your messages. Some time ago, a security researcher discovered that URLs sent in Skype messages are accessed from Microsoft IP addresses (link). You can try the same thing by setting up a web server and sending some unique URLs on WhatsApp.
Regarding the link sent on Skype, I would assume that Microsoft visits them in order to check if they're secure and if not, it blocks them, to prevent spam, scam or pishing attacks spreading via Skype. Of course it does not change anything.
@entropid in this scenario, though, end-to-end encryption would prevent them from being able to do so.