For open source messengers, you can check whether they actually encrypt your messages and whether the server has access to your encryption keys but what about WhatsApp? Since it’s not open source, you can’t be sure that the encryption keys aren’t sent to the server, right? Has there been a case where a government was able to access WhatsApp chats without reading them from the phone itself?

  • cmeerw@programming.dev
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    yowsup is an Open Source implementation of the WhatsApp protocol. So there is proper end-to-end encryption on the protocol level - that would only leave the possibility of having a backdoor in the “official” WhatsApp client, but none has been found so far. BTW, people do actually (try to) decompile the WhatsApp client (or the WhatsApp Web client which implements the same protocol and functionality) and look what it is doing.

    For anyone really curious, it’s not too difficult to hook into the WhatsApp Web client with your web browsers Javascript debugger and see what messages are sent.

    • FooBarrington@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      The E2E keys are exchanged over Meta servers, right? Couldn’t they just store the keys and decrypt on the server?

      • cmeerw@programming.dev
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Only public keys get exchanged via Meta’s servers, those keys don’t help you with trying to decrypt any messages (you need the corresponding private key to decrypt - and that private key stays on the device).

        Sure, they could just do a man in the middle, but that can be detected by verifying the keys (once, via another channel).

        • FooBarrington@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Makes sense. It does leave the MitM option open as you said, but if they did something nefarious here, it would have long been seen in at least a couple of cases due to OOB verification.

          • cmeerw@programming.dev
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Maybe so, but in this case the point was that the protocol used by WhatsApp hasn’t changed in that time and it’s still what they describe in their security whitepaper. If you want to use that software as is or maybe reimplement it based on that is up to you.