Open Whisper Systems, the company behind the encryption features at WhatsApp, has denied there is an open backdoor in its security, but didn’t address the main point of the article.
Writing on its blog, the team denied there was a fault in the end-to-end encryption, while also taking a pop at the Guardian itself; however, it has not specifically addressed the fault which the University of California’s Tobias Boelter pointed out.
Boelter claims the encryption flaw exists when the recipient of the message is currently offline, and therefore the message is temporarily undeliverable. When this happens, the message is sent back to the sender, where it is re-encrypted and rebroadcast. At this point the message can be intercepted without the recipient being aware, and with the sender being notified only if the settings are correctly configured, Boelter believes.
In the Open Whisper Systems response, it states: “The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a ‘double check mark,’ it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.”
This sounds fine, but it is in fact talking about when a message has already been delivered to the recipient (i.e. when two ticks appear in the conversation). The Guardian is talking about when the recipient is offline and the message is temporarily undeliverable (i.e. only one tick appears in the conversation).
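To make the distinction concrete, here is an added, deliberately simplified model (not WhatsApp's or Open Whisper Systems' code) of the two cases the article separates: a delivered message (two ticks) is never re-encrypted, while a pending message (one tick) is re-encrypted under the new key unless the client holds it back for user verification. The `block_on_key_change` and `notify_on_key_change` policy flags are hypothetical names for the "settings correctly configured" behaviour the article mentions.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING = "one tick"      # accepted by the server, recipient offline
    DELIVERED = "two ticks"   # acknowledged by the recipient's device


@dataclass
class Message:
    text: str
    key_id: str               # recipient key the ciphertext was produced for
    state: State = State.PENDING


@dataclass
class Client:
    recipient_key: str
    block_on_key_change: bool = True    # hypothetical: hold pending messages until re-verified
    notify_on_key_change: bool = False  # hypothetical: surface a key-change notice to the sender
    outbox: list = field(default_factory=list)
    notices: list = field(default_factory=list)

    def send(self, text: str) -> Message:
        m = Message(text, self.recipient_key)
        self.outbox.append(m)
        return m

    def ack(self, m: Message) -> None:
        """Recipient's device confirmed receipt: the message now shows two ticks."""
        m.state = State.DELIVERED

    def key_change(self, new_key: str) -> list:
        """The server announces a new recipient key; return messages re-encrypted to it."""
        self.recipient_key = new_key
        if self.notify_on_key_change:
            self.notices.append(f"safety number changed: {new_key}")
        reencrypted = []
        for m in self.outbox:
            if m.state is State.DELIVERED:
                continue  # the guarantee quoted from Open Whisper Systems: never re-send delivered messages
            if self.block_on_key_change:
                continue  # pending message stays on the old key until the user re-verifies
            m.key_id = new_key  # the case the Guardian describes: silent re-encryption of a pending message
            reencrypted.append(m)
        return reencrypted
```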
Telecoms.com is not stating that there is or is not a flaw in the encryption technology; we have simply noted that the statement from Open Whisper Systems has not explicitly addressed the fault raised by the Guardian and Boelter. It might be a case of something lost in translation as the team put together the blog entry, or it might be a case of creative language to appear to deny something without actually doing so. In any case, whether the encryption backdoor still exists remains an unanswered question.
At the time of writing, Open Whisper Systems had not responded to Telecoms.com’s request for comment and/or clarification.