Following widespread reports last week describing a “vulnerability” in WhatsApp, also referenced as a “backdoor,” Open Whisper Systems, the firm largely behind WhatsApp’s security protocol design, has described the claims as “false.”
The original report was from The Guardian, and was based on security researcher Tobias Boelter’s impressions that a change in security keys could make a man-in-the-middle attack scenario possible.
According to Moxie Marlinspike, the founder of Open Whisper Systems, “the WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a double check mark, it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.”
The fact that WhatsApp handles key changes is not a “backdoor”; it is how cryptography works, stressed Marlinspike. “Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system,” he added.