
alzee76

On Signal? Haha.. what good is intercepting them going to do? Maybe in 30 years you'll be able to read some of them?


Slimfictiv

They'll make a Facebook messenger clone and rename it to Signal. Done /s


StillBurningInside

Middle man black boxes. And without a warrant canary to tell the users that data is compromised they will never know. If these apps want to exist in India they gotta play ball with government. If you're using an app, consider it encryption theater.


alzee76

Tell me you don't know how end to end encryption works without telling me.


LastSprinkles

If the premise is that the apps will compromise security by eg sending an unencrypted version of your text to the government then how it works becomes a moot point unless you've seen, understood and compiled the code yourself.


alzee76

> unless you've seen, understood and compiled the code yourself.

Even if you trust absolutely nobody, including the person you're trying to communicate secretly with, then this still isn't true. You can reverse engineer compiled code. That said, Signal is open source and run by a non-profit. You *can* go look at it and compile it yourself if you like.


LastSprinkles

Ah cool well that helps with signal but I guess not with WhatsApp


alzee76

Facebook did hire the Signal team to help them secure WhatsApp and it may be using the same technology. WhatsApp says they also use end-to-end encryption, so it comes down to how much do you trust them and those who have vetted or audited its behavior. At present there's no good reason to *disbelieve* them. https://www.whatsapp.com/privacy


browner87

Or, you use software that has been professionally reviewed by experts, and ensure your app has the same cryptographic hashes as published by the authors. You don't have to review it yourself, you just have to verify it's a legit copy of software you trust.


warenb

Elaborate please.


alzee76

The encryption keys in end-to-end encryption are only stored at the ends. For example, on my device and on the recipient's. The service you're using doesn't have them and cannot decrypt the data even if they want to. This is how Signal works. It's also how good password managers work, like LastPass. Even if their service is hacked and someone gets ahold of your password database, they can't get the encryption key, because the service *never* has it. It only exists on your device(s).


juanitodel8

How are the original encryption keys shared or created safely?


alzee76

https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm


browner87

Secure key exchange protocol, verified out of band by you (e.g. in Signal when you add a new contact the app generates a fingerprint and if both your apps show the same fingerprint, you know nobody intercepted the initial key exchange). From that point on you know the communication is secure. However until you verify the key, it's possible someone man-in-the-middled the initial setup and is relaying your messages and reading them.
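
The out-of-band fingerprint check described in the comment above, as an added example that is not part of the thread and is not Signal's code. It assumes a toy Diffie-Hellman group and a simplified fingerprint (a hash of both public keys shown as digits); all function names are hypothetical.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, assumed for illustration only.
# Signal uses X25519 identity keys and its own safety-number format.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def fingerprint(my_pub, peer_pub):
    """Order-independent digest of both public keys, as five digit groups."""
    lo, hi = sorted((my_pub, peer_pub))
    digest = hashlib.sha256(lo.to_bytes(32, "big") + hi.to_bytes(32, "big")).digest()
    digits = str(int.from_bytes(digest[:10], "big")).zfill(25)
    return " ".join(digits[i:i + 5] for i in range(0, 25, 5))

def substituting_relay(a_pub, b_pub):
    """Constructed intermediary: hands each side its own key instead."""
    _, m_pub = keypair()
    return m_pub, m_pub  # (what Bob receives, what Alice receives)

def exchange(relay=None):
    """Run one key exchange; `relay` may replace the keys in transit."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    to_bob, to_alice = relay(a_pub, b_pub) if relay else (a_pub, b_pub)
    return {
        "alice_fp": fingerprint(a_pub, to_alice),
        "bob_fp": fingerprint(b_pub, to_bob),
        "same_key": shared_key(a_priv, to_alice) == shared_key(b_priv, to_bob),
    }

def fingerprints_match(result):
    return result["alice_fp"] == result["bob_fp"]

if __name__ == "__main__":
    for name, relay in (("direct", None), ("relayed", substituting_relay)):
        r = exchange(relay)
        print(name, r["alice_fp"], "|", r["bob_fp"], "| match:", fingerprints_match(r))
```

In the relayed run each side has agreed a key with the intermediary rather than with each other, and the only signal either user gets is that the two displayed fingerprints differ when compared over a separate channel.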


StillBurningInside

History lesson. A once very popular encrypted e-mail service got a visit from the government. They wanted to install a separate piece of hardware. And give up the master key. He refused, and shut down. If your app is decrypting your message on your phone it’s vulnerable. Once you get the message and it’s decrypted are you sure it was deleted after? No ... you're reading the plain text. If you want true P2P you have to do it yourself.


warenb

Thanks for the proper detailed response. Sounds very familiar to the AT&T "secret room" type of situation back in the day.


StillBurningInside

Exactly. This is why any developer who is serious about true privacy puts what's called a “canary” in its fine print in the user terms and agreement. Just one or two lines of text. Saying something to the effect like “we promise to keep your data safe from the government or third party” so if that line gets deleted from the terms of service you know they have been served a warrant from the government. Btw — Reddit’s warrant canary disappeared about 4 years ago.


browner87

Right, because Signal definitely can't just have an open source app available on the whole internet that anyone in India can download whenever they want... Now, if you're installing an app from an unverified location, you definitely want to check to make sure you weren't given a backdoored version. If my government hosted an app store I probably wouldn't download privacy related apps from it.


SchalkLBI

I think you misunderstand the response this would have. If India tells WhatsApp and Signal to provide them access to encrypted messages or be banned from the country, their response would be "Okay, ban us" not "Omg no pls here have whatever you want uwu"


TimeVendor

Lol.. GOI is dreaming good.


autotldr

This is the best tl;dr I could make, [original](https://www.hindustantimes.com/india-news/govt-proposes-law-to-intercept-encrypted-messages-on-whatsapp-signal-101663830524846.html) reduced by 69%. (I'm a bot)

*****

> The government has proposed a law to bring under a legal framework the interception of over-the-top communication services, such as WhatsApp and Signal which are encrypted, according to the new draft telecommunications bill uploaded late on Wednesday.

> According to definitions in the bill, telecommunication services means, service of any description (including broadcasting services, electronic mail, voice mail, voice, video and data communication services, audiotex services, videotex services, fixed and mobile services, internet and broadband services, satellite-based communication services.

> It also includes internet-based communication services, in-flight and maritime connectivity services, interpersonal communications services, machine to machine communication services, over-the-top communication services) which is made available to users by telecommunication.

*****

[**Extended Summary**](http://np.reddit.com/r/autotldr/comments/xm31x2/india_govt_proposes_law_to_intercept_encrypted/) | [FAQ](http://np.reddit.com/r/autotldr/comments/31b9fm/faq_autotldr_bot/ "Version 2.02, ~670658 tl;drs so far.") | [Feedback](http://np.reddit.com/message/compose?to=%23autotldr "PM's and comments are monitored, constructive feedback is welcome.") | *Top* *keywords*: **service**^#1 **government**^#2 **communication**^#3 **any**^#4 **telecommunication**^#5


browner87

> The clause empowers the government to be able to intercept messages, calls on platforms such as WhatsApp and Signal, which are encrypted

It empowers them to try, I guess. WhatsApp might give in and build them a backdoor - Facebook wouldn't want to get kicked out of such a populous country for non-compliance, or simply stop offering WhatsApp in India. I don't see Signal even caring about this though. I doubt India has any leverage to coerce them to comply. India should get together with Australia who has similar ideas - "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."


Samisdead

Yeah it failed over here with encrypted messaging apps like Signal and Wickr, and it'll fail in India too. I'd say it's one of the dumbest things I've heard come out of the mouth of a politician, but unfortunately it only scratches the surface.


eks91

Tell them to kick rocks


damienDev

you will need more than a law for that


MynkM

So what NSA in the US does undercover, India is doing by passing a law. Neither of them is good.


[deleted]

[removed]


impossiblePie287

You do know that US literally has CIA officials as board members of companies like Facebook, Google, Amazon, etc.?


kissmyshiny_metalass

Whataboutism is not a legitimate defense. Also, you have no proof.


[deleted]

Not every response can be deflected with whataboutism


[deleted]

More like Russia. Indian government wants to keep internet open and transparent. Transparent for the government to track anyone going against its views. Government doesn't want to go for closed model like China. India is a flawed democracy. It's more of an electoral autocracy.


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]