WhatsApp, Signal, and dangerously ignorant journalism

There is something about encryption that brings out the worst in journalists. Because to most of them it is magic, they are always searching desperately for the proverbial man behind the curtain, without knowing what to look for. Which may explain The Guardian’s recent bizarre attack on WhatsApp, which they accused, wrongly, of having a “backdoor.” And the security community erupted in rage.
To understand this story, why the Guardian was and is wrong, why they were forced to walk back their original “backdoor” headline, and why the security community is furious, you’ll need a little context. Sit down, my pretties, and let me tell you a little infosec fable:
Once upon a time there was PGP, which stands for Pretty Good Privacy, and it was good and strong. So good and strong that after its creator, Phil Zimmermann, released its source code 25 years ago, the US government opened a criminal investigation against him for arms trafficking. (The case was later dropped without indictment.)
For twenty years PGP was the gold standard of secure messaging. The NSA could not break it. Edward Snowden used it. But it had serious flaws. For one, it lacked forward secrecy; if your key was compromised, so was every message it had ever encrypted. For another, key exchange was/is at best challenging.
But the worst thing about PGP, by far, is that it is fiendishly user-hostile, so only hardcore hackers ever really used it. (The Snowden revelations were delayed by a month because he couldn’t find a way to contact Glenn Greenwald securely.)
Just as the best workout routine is not the Rock’s but, rather, one that you will actually stick to, the most secure messaging system is one that you will actually use. Whether we like it or not, usability is an essential aspect of security. Any “secure” system that pretends this is not true will fail from disuse.
Enter Signal, a mobile (and Chrome plug-in) secure messaging system. It is fast, slick, sexy, cross-platform, and battle-tested. It implements highly secure end-to-end messaging with a “ratchet” protocol which provides perfect forward secrecy. It is the choice of technically sophisticated, security-conscious people around the world. It is not perfect. No system is perfect. Every system requires compromises. But Signal is the best available alternative.
However, most of the world does not use Signal. Most of the world uses SMS, Facebook Messenger, and, especially, WhatsApp — which, until recently, was much less secure.