Shortest Thread ever

Status
Not open for further replies.
Hi All
Any network security professionals that think an end to end encryption system which also publishes all messages in plain text (without user intervention/choice) to a third party is not an oxymoron?

Post your LinkedIn profiles below, I'm sure we can drum up a lot of work for you, both in Academia and in Business, hey UK business I can make your LAN available via the internet and to some third party if you hire me...
 
haha - someone needs attention....

still if you didn't understand the big words I'm sure someone will be along with the kids version if you wait long enough.... until then insist you know what you are on about enough times and people will start to believe you
 
haha - someone needs attention....

still if you didn't understand the big words I'm sure someone will be along with the kids version if you wait long enough.... until then insist you know what you are on about enough times and people will start to believe you

Jim, nothing you have posted suggests you could explain the difference between an SSL VPN and an L2TP IPSEC VPN. Frankly your post was along the lines of E2EE occurs and then the clever network guys sort it out.

If you want to make the case for End to End Encryption that also copies a plain text version to a third party, despite it being contrary to the definition, I fully urge you to add your LinkedIn profile and sell that to business clients.

In my dated experience, the UKHO, Ordnance Survey and our other clients would not have been interested!
 
Oh jeeze... OP, you were wrong, it was shown quite clearly why you were wrong. I'm not sure what exactly you're trying to prove but seemingly it is bothering you a bit.
 
Oh jeeze... OP, you were wrong, it was shown quite clearly why you were wrong. I'm not sure what exactly you're trying to prove but seemingly it is bothering you a bit.

So feel free to post your LinkedIn, and provide security advice on the basis that end to end encryption would include a plain text version to a third party.
 
On the basis of the thread title and post I'm astounded anyone has the balls to post to it.

Would love to see a supposed security professional put their name to the concept that end to end encryption systems would include plain text logs to a third party, have at it!
 
Yet one of the biggest companies in the world does it...

You're still not getting that WhatsApp provides end to end encryption? They state it quite clearly, the Wikipedia article you linked to states it quite clearly. The fact that WhatsApp backups can be stored unencrypted on Google Drive doesn't change the fact that WhatsApp messaging now uses end to end encryption.

The bit that has confused you OP is that you're seemingly unable to distinguish between the messaging being E2EE and the backups not.
 
Would love to see a supposed security professional put their name to the concept that end to end encryption systems would include plain text logs to a third party, have at it!

The fact is stewski, they don't. What you are saying is undeniable. It's fundamental.

The fact also is, that WhatsApp simply is not really such a "system". It's a mass used instant messenger owned by Facebook (and any claims of user security shouldn't be taken too seriously anyway :p) They still need to answer to the courts. And if the courts have to go through two companies instead of one, they can easily do so.

Yet one of the biggest companies in the world does it...

You're still not getting that WhatsApp provides end to end encryption? They state it quite clearly, the Wikipedia article you linked to states it quite clearly. The fact that WhatsApp backups can be stored unencrypted on Google Drive doesn't change the fact that WhatsApp messaging now uses end to end encryption.

The bit that has confused you OP is that you're seemingly unable to distinguish between the messaging being E2EE and the backups not.

Dowie, what you are saying is also true. WhatsApp does "provide" end to end encryption, to a certain extent. But it's not a fully closed system like in stewski's ideal scenario.

I don't even see why this is an argument/debate/whatever!
 
Um, am I missing something? End to end encryption by definition should defeat any mid point logging? You could argue about the end to end encryption between client A, backend and then separately end to end encryption between the backend and client B but that is kind of not what you'd normally talk about with end to end encryption.

I've not looked at what WhatsApp claim but if they are professing end to end encryption that should be between clients unless specifically stated otherwise.
 
Dowie, what you are saying is also true. WhatsApp does "provide" end to end encryption, to a certain extent. But it's not a fully closed system like in stewski's ideal scenario.

Why does it need to be a 'fully closed system'? What does that have to do with anything?

The point raised by @Tefal was simply that governments don't need to break the end to end encryption as they could compel say Google or Apple to hand over the WhatsApp backups. He then mentioned a scenario where there wasn't an option to not have cloud backups, that's all.

The argument from @stewski was that that wasn't end to end encryption - but he seems to have missed that end to end encryption refers to the messaging, the storage of the messages by the sender or recipient (whether locally or in the cloud) has nothing to do with whether the messaging service is providing end to end encryption.
 
Um, am I missing something? End to end encryption by definition should defeat any mid point logging? You could argue about the end to end encryption between client A, backend and then separately end to end encryption between the backend and client B but that is kind of not what you'd normally talk about with end to end encryption.

I've not looked at what WhatsApp claim but if they are professing end to end encryption that should be between clients unless specifically stated otherwise.

No one is talking about any interception of messages being transmitted, the conversation was about messages being stored afterwards in a backup - which has nothing to do with end to end encryption.
 
The argument from @stewski was that that wasn't end to end encryption - but he seems to have missed that end to end encryption refers to the messaging, the storage of the messages by the sender or recipient (whether locally or in the cloud) has nothing to do with whether the messaging service is providing end to end encryption.

Assuming that it is the end points that are backing up to the cloud then sure - there seems to be some mix up from several people over that aspect though.
 
Assuming that it is the end points that are backing up to the cloud then sure - there seems to be some mix up from several people over that aspect though.

They're aware of that/not mixing that up. What they are mixing up though is considering the backups to somehow be a part of the end to end encryption too. End to end encryption doesn't imply that the data, once decrypted at the other end, is going to also be stored in an encrypted backup - and that is the bit that seems to throw them.
 
Um, am I missing something? End to end encryption by definition should defeat any mid point logging? You could argue about the end to end encryption between client A, backend and then separately end to end encryption between the backend and client B but that is kind of not what you'd normally talk about with end to end encryption.

I've not looked at what WhatsApp claim but if they are professing end to end encryption that should be between clients unless specifically stated otherwise.


It's not mid-point....

Sender-------------Receiver--------------Google

The green part is the end-end encryption, and the red part is what is being disputed.

Should the red part be included in any security specifications for e2e encrypted message transmission? In a professional world Yes, yes they are.

If a client requires absolute integrity there won't be an extra backup option to Google servers on the receiver's end. Not in a MILLION years!

In a mass used application where most people would like a backup of all their messages, they don't care about proper and continuous integrity.
 
But this whether it should in the 'professional world' etc. isn't relevant to what was discussed. The silly argument was simply relating to where this messaging is still end to end encryption - it is.

Though as you bring it up, strangely enough plenty of large companies do outsource their emails to Google and rely on their Gmail service!
 
Not used WhatsApp so I don't know... are the backups mandatory or can you disable that function?

Would seem to me that encryption is utterly pointless if you're then going to back up to a cloud storage provider, unencrypted.
 