-
I assume when you send a group message you're actually sending a decryption key (encrypted for each participant) and the encrypted message? Otherwise sending images would get pretty unwieldy in large groups. I think that's how PGP encrypts messages for multiple recipients anyway.
For simple bits of text I would think individual messages are sent encrypted per person (but flagged as being part of a group obviously).
But, yes, for images/movies I'd expect they encrypt it once with a unique symmetric key, the encrypted blob gets uploaded to WhatsApp servers (along with an encrypted preview/thumbnail), and then send each person is sent a copy of the symmetric key over the usual encrypted comms plus the details of what to download if they want it.
As for a backdoor, the trick is to reuse existing functionality, such as the resending of messages (with no notification on the client) like is used in the web client. Yes you have to trigger this with the QR code normally but there may be a way to silently do this remotely, and that's what they could use.
Or they just have something like the Apple's classic "goto fail;" bug that goes down as some kind of plausible deniability.
You are reading a single comment by @Greenbank and its replies.
Click here to read the full conversation.
Greenbank
That's really interesting - thanks for typing that up.
I assume when you send a group message you're actually sending a decryption key (encrypted for each participant) and the encrypted message? Otherwise sending images would get pretty unwieldy in large groups. I think that's how PGP encrypts messages for multiple recipients anyway.
I like to think WhatsApp would be reluctant to put a back door in the app because they know that every version of the app that they publish will be downloaded stored and dissected for eternity, and any back door will eventually be found.
I'm sure they are capable of deploying backdoored versions to specific clients though.