Q: Why not use Signal or WhatsApp to send a password?

Answer

There are several key differences in favour of Crosspass. Note that a recipient must already have the Signal app installed before a sender can share anything with him by Signal. Also, the sender needs to know the recipient’s phone number. However, most business communication is done via email, and asking a recipient for a phone number would be an intrusion into his privacy.

This usability difficulty is a consequence of the asymmetric cryptography on which Instant Messengers are based. With asymmetric cryptography, a message can only be encrypted if a public key of the recipient has been registered with the API server beforehand. In contrast, Crosspass does not have this restriction. A Crosspass share is assigned a lookup ID and a PIN independently of a recipient and the sender can immediately include them in his communication.

Another problem with Signal is that its security guarantee depends on each party manually verifying Safety Numbers which are 60 digits long. (WhatsApp has a similar “Security Code" concept). WhatsApp, in particular, has other problems. Unlike Signal, which is only available as an app, WhatsApp has a popular Web version. However, web apps cannot be protected from JavaScript backdoors. Even if Alice always uses the WhatsApp app, she can not force Bob not to use the Web version to view her chats.

Another problem with Signal is that its security guarantee depends on each party manually verifying Safety Numbers which are 60 digits long. (WhatsApp has an equivalent concept of “Security Code.”) Short of this verification, it is impossible to know that there is no Man In The Middle (MITM) attacker intercepting the communication. (Fortunately, the Safety Numbers can be verified afterwards to validate the encryption of all prior communication. However, most users are unaware about the need to do so.)

Ready to try Crosspass?

Download from App Store Get it on Google Play