You are reading a single comment by @Greenbank and its replies.
  • How does the WhatsApp web interface work then?

    The QR code you scan is effectively another public key.

    When you first go to the WhatsApp Web interface, the client-side website code creates a new public/private key pair. It presents the public key in the form of a QR code that you scan on your phone.

    Your phone can now send anything through WhatsApp's servers to that web client and encrypt the messages with the public key the web client created. The web client is able to decrypt the messages using the private key, which it stores in the browser's local storage.

    Now that a secure communications channel exists between the two, the web client is able to request the current state of your phone's WhatsApp, with messages routed via WhatsApp's servers. That's how it can get the recent messages, chats, etc. to be displayed on the web page. It doesn't get the messages from WhatsApp; it gets them from your phone, but just happens to use WhatsApp's servers to do so.

    This is why it only works if the phone has access to the Internet: the messages asking the phone for its current state are routed through WhatsApp's servers, but they can only be replied to if your phone is alive, connected and working. I once left my phone at home when commuting into the office (over a year ago!) and I was still able to have WhatsApp conversations whilst my phone was still on and had enough battery, as I'd had an existing WhatsApp Web session open on my work desktop.

    Again, the fact that this functionality exists means you have to trust WhatsApp that they haven't embedded something similar in the client that can be triggered silently. If the phone client (which has access to everything decrypted) can send the current state (all recent messages/etc.) through WhatsApp's servers to another client, then it could easily be triggered to do so remotely.
