  • Depends who "them" is?

    It's generally thought to be secure (but hard to verify this).

    One thing for sure, if you use the Web interface then it's pretty safe to assume that the UK Government has access to the private key of their HTTPS Cert, and so all traffic to/from that site would be readable.

    I'd trust [EDIT] Telegram Signal a lot more than WhatsApp.

    [EDIT] Just for starters, WhatsApp is end-to-end encrypted, but:

    • It doesn't tell you how many endpoints you are sending each message to, so it could be sending every message to a collection endpoint that is gathering info
    • It doesn't tell you when a new endpoint is added for any existing messages (such as when you use WhatsApp on the web)
    • Even if it did it may lie and not tell you about the "other" endpoints
    • It doesn't easily allow you to confirm each endpoint is who they say they are; there's a "verify" feature if you see that contact in person, but the UX on it is terrible
    • You can't see the source for the phone app; even if you could, there would be no way to verify that that is the source that your phone app was built from
  • So the WhatsApp mobile app will decrypt messages and send them to WhatsApp Web in plaintext (albeit over TLS)?

    Didn't know that :/

  • Not quite.

    When you use WhatsApp Web it treats the WhatsApp Web client as a new contact of yours, and so it (the browser) creates a new public/private key pair for that contact and then requests all messages be resent from your mobile to this new contact E2E encrypted so it has access to the messages.

    Theoretically only E2E encrypted message data should be sent between client and browser (plus over TLS for extra safety), with the private key having never left the browser, but clever people have analysed it and worked out that things are somehow retrievable from just the HTTPS data sent back and forth.
