Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love”

WhatsApp, the mobile messaging app developer that Facebook is acquiring for $19 billion, may be an attractive addition to the social network, thanks to WhatsApp's 450 million active users and en vogue status. It may also be attractive to government spies and criminal hackers, thanks to several weaknesses in the encryption WhatsApp uses to protect messages from eavesdropping, researchers say.

Among the most serious problems with WhatsApp's implementation of secure sockets layer (SSL) encryption is its support of version 2 of the protocol, according to a blog post published Thursday by a researcher from security consultancy Praetorian. That version is susceptible to several well-known attacks that allow people monitoring a connection between the two end points to decipher and in some cases manipulate the traffic as it passes through.

Put a pin in it

WhatsApp has also failed to implement a technique known as certificate pinning that's designed to block attacks using forged certificates to bypass Web encryption. Pinning allows an app to work only when communicating with a server using a specific certificate. Because the certificate fingerprint is hardcoded into the app, it will reject connections with any impostor certificates—even if they're signed by one of the 500 or so authorities trusted by major browsers and operating systems.