https://tobi.rocks/ https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/ _________________________________________________ https://gizmodo.com/theres-no-security-backdoor-in-whatsapp-despite-report-1791158247
Plausible user-convenience trade-off or plausible deniability? Is it even possible to distinguish one from the other? If/when there is a legitimate security vs convenience decision to be made, should a developer silently default to "convenience" and require users to locate and opt-in to "security"?
Heads up: http://arstechnica.com/security/201...e-umbrage-at-report-its-crypto-is-backdoored/ (posted above) https://www.theguardian.com/technology/2017/jan/14/whatsapp-vulnerability-secure-messaging-apps (new) The HN discussion about WhatsApp contains constructive criticism that might serve as a reference.
I think you'd need a scoring system in order to rate the safety/security of WhatsApp and similar tools. With bullet points for each of the specific technical requirements that one would want such an application to meet. Which would include whether any messages can be MITM'd, whether users can be alerted to recipient key changes, whether users can be alerted before the new key is used (so they have a chance to verify or abort), whether there is a third-party server in the middle that can collect contact info and/or metadata about messages sent/received, whether the app can be used in a way that protects messages from platform leaks (cloud backups, sync, etc), and so forth.
