Security savvy services beat online cyber spies


Popular chat service WhatsApp has built end-to-end encryption into the latest Android version of its app. It's part of a growing trend to toughen up web security.


THE internet is wising up. Companies and consumers are turning to encryption to boost levels of privacy and security on the web.


On Tuesday, WhatsApp, the world's most popular mobile chat service, announced that it has built end-to-end encryption into the latest Android version of its app. Previously, all messages sent via the app were decrypted on a server before being re-encrypted and sent to their destination. At this intermediate stage they were vulnerable to surveillance from the likes of the US National Security Agency.


Now, the billions of messages sent through the app every day make the whole journey in total privacy, readable only by the sender and the recipient.


The update is based on an encryption system designed for a messaging app called TextSecure, created by security researcher Moxie Marlinspike. Many privacy-conscious people have chosen to download TextSecure, but the WhatsApp update brings private communication to hundreds of millions without them needing to lift a finger.


It's not before time. Whether we realise it or not, we all leave trails of personal information when using the internet – and without encryption, it could easily fall into the wrong hands. "The amount of info you are inadvertently sending in plain text would horrify most people," says Alex Halderman, a security researcher at the University of Michigan.



Another big step to improve internet security was launched on the same day as WhatsApp's update. Let's Encrypt is a non-profit certificate authority – an organisation that hands out digital certificates that verify websites are who they say they are. If you access a site that doesn't have a valid certificate, a red padlock and warning sign are displayed in your browser. Other certificate authorities make websites pay for verification, but Let's Encrypt is giving it away for free, backed by a consortium of technology companies.


Verification and encryption are most powerful when used together – encryption makes sure data can only be seen by the sender and recipient, while verification stops the data being sent to someone fraudulently posing as the intended recipient.


Encrypted connections are great, but a whole swathe of the internet is still unprotected. That's changing too. Last week, the Internet Architecture Board recommended that every new protocol built for the web, whether designed to pull data from smart fridges or to handle payments, should use encryption by default.


Smartphone payment systems like Apple Pay and Google Wallet Credit are ahead of the times, protecting credit card numbers with encryption. These apps use cryptography to generate a unique payment token every time you use your card through them, keeping your number private.


With wide enough adoption, this would mean retailers would not have a large database of credit card numbers that could be stolen, as they were recently at Target and Home Depot.


Halderman says there's a clear trend. "The technology is evolving so that encryption is becoming much easier to use," he says. "More and more the typical user is recognising the importance of privacy and security."


This article appeared in print under the headline "A little privacy, please"


Issue 2997 of New Scientist magazine

