End-To-End Encrypted Signal App Now Includes Snapchat-Like 'Disappearing Messages'

[Lucian Armasu]

End-to-end encrypted Signal messaging app received a "disappearing messages" feature, as well as support for a new format for cryptographic user verification.

End-To-End Encrypted Signal App Now Includes Snapchat-Like 'Disappearing Messages' : Read more

 

[tom10167]

Sick. But can someone explain the value of the QR scan thing? If we're in person can't I just verify by sending them a message and seeing if they got it?

 

[adgjlsfhk]

Theoretically the message you send them could be intercepted and changed, whereas changing a qr code requires device access.

 

[Lucian Armasu]

Sick. But can someone explain the value of the QR scan thing? If we're in person can't I just verify by sending them a message and seeing if they got it?

You can. Or you can spell out your security code over the phone, too, and see if it matches with the one they have for you.

But you'd have to do this every time, because someone could still hack the encrypted channel connection, and then pretend it's your friend (while you'd still be seeing your friend's picture and number, and so on).

What the QR code scanning does is that after you do it, the app will warn you if you're not talking to the same person for which you verified the code (strangely enough, you have to enable this manually in WhatsApp's account settings). If another person interposes between you and your friend, they would have a different security code, so you will be warned that the person you're now talking to has a different code.

However, you may also get this warning if your friend uninstalls and then reinstalls the app, as they will get a new code. So you'll have to talk to them to make sure it's still them, and then verify the code again.

If you can't meet in person, you could take a screenshot of each other's qr codes as well, and send them over what you believe is a secure connection, such as the app itself (which should use TLS or Noise encryption, in WhatsApp/Signal's case), and then put that picture on your PC and scan it. You may try doing it over email as well, but preferably over PGP, or at least if you both have Gmail, which tends to have better TLS encryption than most other email services.

But to ensure someone else didn't hack that connection, you'd have to check with them right then if they received the qr code.

If your connection is actively monitored and the attacker is prepared, they may still be able to capture the screenshot, and verify themselves with it, while sending your friend another one. So doing it in person is still the safest. But for people that you can't meet in person anytime soon, it may still be worth giving this a shot.