{"id":3409,"date":"2017-01-23T15:25:56","date_gmt":"2017-01-23T20:25:56","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=3409"},"modified":"2020-08-25T09:14:10","modified_gmt":"2020-08-25T13:14:10","slug":"turn-on-whatsapp-security-settings","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/turn-on-whatsapp-security-settings\/","title":{"rendered":"The WhatsApp Security Setting You Should Turn On Now"},"content":{"rendered":"<h2>It only takes 15 seconds to turn on WhatsApp Security Settings.<\/h2>\n<p>Last week, The Guardian sparked controversy with a story about a \u201cbackdoor\u201d in the popular messenger WhatsApp. The reality was more complicated than that \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/whatsapp-backdoor-not-exist\/\">WhatsApp did not have a backdoor<\/a>. But there was a legitimate security risk as a result of a default setting in WhatsApp, which was an active choice by the developers to make the app more usable for its largely mainstream audience.<\/p>\n<p>The Info Sec community reacted loudly \u2013 denouncing their claim and stressing the dangers of mislabeling the problem as a \u201cbackdoor.\u201d To those outside of the community, this may sound like a debate over semantics, but the claims play into a bigger discussion around user security and reporting. If you are interested in learning about the controversy over the \u201cbackdoor\u201d claim, <a href=\"https:\/\/www.thesslstore.com\/blog\/whatsapp-backdoor-not-exist\/\">we wrote about it in-depth last week<\/a>.<\/p>\n<p>But, underlying the outrage, there is a legitimate concern over WhatsApp\u2019s default settings, which do not notify users if their contact\u2019s key changes. 
WhatsApp uses public key cryptography, like SSL\/TLS and PGP, which protects messages by encrypting them with a unique pair of keys that belongs to each user. When a user\u2019s key changes, it could be for legitimate reasons (they got a new cell phone) or dangerous ones (an attacker is impersonating them).<\/p>\n<p>However, with a simple change in the settings, you can partially protect yourself. By turning on \u201cSecurity Notifications,\u201d you can at least be notified when one of your contacts\u2019 keys changes. Messages that you sent, but have not yet been delivered (these are messages which only have a single checkmark next to them) will still be automatically resent to the new key, and there is no way to stop WhatsApp from doing this. So at best, this is a notification, not a prevention.<\/p>\n<p>That being said, anyone using the messenger service should turn on WhatsApp security settings. There is no downside and it literally takes 4 taps of your finger. Here is how you do it\u2026<\/p>\n<h2>Turn on WhatsApp Security Settings: Notifications<\/h2>\n<p>Before we get to the instructions, which are incredibly simple as promised, I want to take a moment to talk to the high-risk user: If you think you may be at risk of physical harm or imprisonment, your best option is to switch to <a href=\"https:\/\/whispersystems.org\/\">Signal<\/a>. That is not to say WhatsApp is insecure, but if there is a real risk to your freedom or safety, it is better to use Signal, which was designed primarily for secure communication. For example, Signal has additional measures to block messages after a key change, while WhatsApp only notifies you.<\/p>\n<p>It\u2019s incredibly simple to turn on WhatsApp Security Settings and enable Notifications. 
It is a three-step process on iOS and Android:<\/p>\n<ol>\n<li>Go to <strong>Settings<\/strong><\/li>\n<\/ol>\n<p>On iOS, the Settings button is at the bottom right of the screen when you are on the main menu of the app.<\/p>\n<p>On Android, tap the \u22ee menu from the main menu of the app. Settings is the last option on the pop-up list.<\/p>\n<ol start=\"2\">\n<li>Tap <strong>Account<\/strong> and then <strong>Security<\/strong><\/li>\n<li>Turn on <strong>Show Security Notifications<\/strong><\/li>\n<\/ol>\n<p><strong>Done<\/strong>! Next time any of your contacts\u2019 keys changes, you will see a notification in the chat. The notification looks like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3411 size-full\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/WhatsApp1.png\" alt=\"turn on whatsapp security settings, whatsapp\" width=\"597\" height=\"211\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/WhatsApp1.png 597w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/WhatsApp1-300x106.png 300w\" sizes=\"auto, (max-width: 597px) 100vw, 597px\" \/><\/p>\n<p>If your key changes, your contacts will only get a notification provided they have also turned this setting on. So share these instructions so there will be an alert if either side has a key change.<\/p>\n<p>If you do see this notification, you should check with your contact about the change. If you are a high-risk user, make sure you check with them in person (if possible) or through another medium you trust (phone call, Signal, Facebook Messenger) and verify that the key change was legitimate before exchanging any more sensitive information with them via WhatsApp.<\/p>\n<p>If you want to go even further, you can verify keys with your contact. Verifying keys allows you to make sure that the public key you are encrypting your messages with really belongs to your contact. 
This protects you from man-in-the-middle or impersonation attacks, where you may be delivered a key that is impersonating your contact.<\/p>\n<p>Verifying keys (or fingerprints) has traditionally been seen as an essential step in public key systems. However, in mass market applications like WhatsApp, it is seen as an optional security measure. If you are a high-risk user, you should do this with all the contacts that you consider sensitive.<\/p>\n<p>Verifying keys is done on a contact-by-contact basis and works the same way on iOS and Android. First select the chat you have with the contact (or start a chat, if you do not already have one) and then select their name from the top pane. Select the <strong>Encryption<\/strong> option to see their \u201cSecurity Code,\u201d which is a unique fingerprint that identifies their key.<\/p>\n<p>If you can physically meet up with your contact, you can use WhatsApp to verify each other\u2019s code automatically using your phone\u2019s camera. If you cannot meet up in person, you can share the number listed on the page through another medium you trust (phone call, Signal, Facebook Messenger).<\/p>\n<h2>What\u2019s The Threat?<\/h2>\n<p>So, you may be wondering what exactly is the threat from WhatsApp\u2019s behavior? The threat can be broken up into two main components.<\/p>\n<p><strong>Component One<\/strong><\/p>\n<p>Because WhatsApp\u2019s default behavior is not to notify you of a key change, your contact\u2019s key could be maliciously changed and you could start talking to someone impersonating them without knowing it. This can be fixed when you turn on WhatsApp security settings and enable notifications (how-to explained above). Depending on how long this goes unnoticed, this could prove extremely dangerous. 
In a worst-case scenario, a hostile key change is made and you continue talking to the wrong person for days\/weeks\/months without knowing it.<\/p>\n<p>On the other end, immediate detection would allow you to know you are under attack and immediately start defending yourself.<\/p>\n<p><strong>Component Two<\/strong><\/p>\n<p>Because WhatsApp resends in-transit messages to new keys automatically, there is no way to prevent an attacker who can initiate a key change from receiving these messages. There is no option to prevent this. If you turn on WhatsApp security settings and enable notifications, you will at least know when this happens, though that won\u2019t fix the fact that your messages have just been sent to an attacker.<\/p>\n<p>If you assume that the WhatsApp server can be hostile, it\u2019s possible that the server could intentionally \u201chold\u201d multiple messages in transit and then initiate a key change. This is a fairly serious problem as it could allow targeted attacks. While this is less likely \u2013 because it relies on the server being hostile \u2013 it should concern high-risk users. Think about the risk of any given message you send being received by an attacker. If you believe WhatsApp (or its parent company Facebook) to be unreliable or able to be influenced by your government, you should consider switching to <a href=\"https:\/\/whispersystems.org\/\" rel=\"nofollow\">Signal<\/a>.<\/p>\n<p><strong>What Does it Mean?<\/strong><\/p>\n<p>If you are an everyday person using WhatsApp because that is where your friends are, or because you want more security than SMS, these threats probably do not apply to you. But if you are a political activist, reporter, hold dissenting opinions, or live in a country with a hostile government or a government known for human rights abuse, you may want to consider switching to Signal.<\/p>\n<p>The Info Sec community maintains that the bigger threat is in The Guardian\u2019s reporting. 
Their \u201cbackdoor\u201d claim has continued to spread, and the Info Sec community fears that as a result many users will abandon WhatsApp for less secure options.<\/p>\n<p>To combat this, Zeynep Tufekci, a professor and civil rights advocate, <a href=\"http:\/\/technosociology.org\/?page_id=1687\" rel=\"nofollow\">wrote a letter to The Guardian\u2019s editors<\/a> to encourage them to correct their story. The letter has been signed by more than 60 members from the cryptography and Info Sec fields, including Matthew Green, Jon Callas, and Yan Zhu. There has been consensus from the Info Sec community that The Guardian\u2019s claims are wrong and dangerous.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It only takes 15 seconds to turn on WhatsApp Security Settings. Last week, The Guardian sparked controversy with a story about a \u201cbackdoor\u201d in the popular messenger WhatsApp. The reality&#8230;<\/p>\n","protected":false},"author":2,"featured_media":3410,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[360,359,353,361,355,362,363,352,358],"class_list":["post-3409","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-backdoor","tag-facebook-messenger","tag-info-sec-community","tag-key-change","tag-signal","tag-trust","tag-verifying-keys","tag-whatsapp","tag-whatsapp-security-setting","post-with-tags"],"views":38881,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/WhatsApp.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/
www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=3409"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3409\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/3410"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=3409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=3409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=3409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}