Encrypt all the things!

  • Is there a safe way to use WhatsApp that doesn't allow them to harvest all my data?

  • Depends who "them" is?

    It's generally thought to be secure (but hard to verify this).

    One thing for sure, if you use the Web interface then it's pretty safe to assume that the UK Government has access to the private key of their HTTPS Cert, and so all traffic to/from that site would be readable.

    I'd trust [EDIT] Telegram Signal a lot more than Whatsapp.

    [EDIT] Just for starters, Whatsapp is end-to-end encrypted, but:

    • It doesn't tell you how many endpoints you are sending each message to, so it could be sending every message to a collection endpoint that is gathering info
    • It doesn't tell you when a new endpoint is added for any existing messages (such as when you use Whatsapp on the web)
    • Even if it did it may lie and not tell you about the "other" endpoints
    • It doesn't easily allow you to confirm each endpoint is who they say they are, there's a "verify" feature if you see that contact in person, but the UX on it is terrible
    • You can't see the source for the phone app, even if you could there would be no way to verify that that is the source that your phone app was built from
  • I'd trust Telegram a lot more than Whatsapp.

    Why not Signal? Less Russian, less Meta, more open source. Or, are you using Telegram as a known-suboptimal system that is still better than WhatsApp?

  • I use signal although hardly anyone I know does and there's no SMS integration anymore.
    I might have to use WhatsApp soon for work. Don't want to use another phone but would prefer Facebook to not monitor my phone use and build a profile on me whilst I'm using it. I wondered if it was possible to block Facebook trackers somehow.

  • Sorry, had meant Signal, but Telegram is not Meta and so less likely to be automatically given over to UK/US agencies.

  • iPhone or Android?

  • Android. Thanks.

  • So the whatsapp mobile app will decrypt messages and send them to whatsapp web in plaintext (albeit over TLS)?

    Didn't know that :/

  • Not quite.

    When you use WhatsApp Web it treats the WhatsApp Web client as a new contact of yours, and so it (the browser) creates a new public/private key pair for that contact and then requests all messages be resent from your mobile to this new contact E2E encrypted so it has access to the messages.

    Theoretically only E2E encrypted message data should be sent between client and browser (plus over TLS for extra safety), with the private key having never left the browser, but clever people have analysed it and worked out that things are somehow retrievable from just the HTTPS data sent back and forth.

  • Interesting. Sounds like an implementation error rather than a theoretical flaw? Something they can just fix up pretty easily?

  • I'll try and find the reference, maybe it has been fixed.

    But, whatever you use, most useful information is gained via metadata analysis. It's more important knowing who is talking to who, and how frequently, than the actual message content. E2E encryption doesn't protect you from that kind of eavesdropping.

    You need to be doing a lot of really bad stuff in order to get to the point that they want to look at your actual messages.

    The Government simply doesn't have the resources to trawl through everything and act on everything, so there's a huge amount of criminal behaviour well documented on WhatsApp that will just be left alone.

  • It was more just WhatsApp building an advertising profile or whatever rather than the gov seeing my dodgy dealings.

  • I'd be questioning why your work is using a Facebook marketing tool for comms.

  • If work wants you to have a work app, then work needs you to have a separate work phone. Which is turned off as soon as you leave the office.

    Then you have no worries about any profiles being generated, other than for WorkYou™.

    Keep your work drug dealz and your personal drug dealz segregated.

  • Work: You need to install this on your phone.
    Me: Hahahahahah fuck off and set fire to your pants while you're wearing them.

  • Whatsapp shouldn't be seeing the contents of your messages.

    Doesn't mean they couldn't if they really wanted to, but it's very very unlikely they're collecting any information about you based on the *content* of the messages you send or receive.

    I'm probably more privacy conscious than the average person and I don't worry about WhatsApp at all.

  • If work wants you to have a work app, then work needs you to have a separate work phone. Which is turned off as soon as you leave the office.

    Or work for an employer where you aren't really concerned about this, or where they don't force over the top security requirements on you.

    I prefer to carry a single phone. The apps I need for my job are quite separate to my personal life, so there's hardly any consequence. They're primarily just stuff like authenticator apps. I have apps for my work email and calendar on my phone to make my life a bit easier - they are there for my convenience not my employer's.

  • You can set up a work profile on Android. It doesn't have access to any of your personal profile (contacts, files, installed apps, calls, etc). The two can be run simultaneously or you can freeze the work profile at will.

    You can also use something like NextDNS to block some of the Facebook trackers but obviously there is a limit as to how much you can block before you break the functionality.

  • Cheers @aggi

    If I set up another profile with WhatsApp in it will I have to switch to it to check notifications or will they show on both profiles? And will calls from profile 2 show on profile 1?

    It wasn't an official work request to add WhatsApp. Just an informal training group chat to arrange stuff. I didn't want to be the odd one out but I also hate Facebook.

  • The two profiles can run simultaneously. You can get notifications from both at the same time and you can even have shortcuts to apps for both profiles on your home screen. It's pretty seamless.

  • Perfect thanks

  • Since WhatsApp accounts are tied to phone numbers, you'll need a dual SIM phone, won't you?

  • I've set up a separate profile with work colleagues' phone nos and WhatsApp in it. Same phone no.

  • In the first example, what appear to be normal forward slashes are Unicode characters that a browser won't treat as forward slashes. So it's actually a login to the domain v1271.zip


    [Attachment: Screenshot_20230607_175007_Tusky.jpg]
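
The lookalike-slash trick described in the post above, checked from the defender's side; this is an added example, not part of the original thread. The sample links are constructed (example.com is a placeholder, only v1271.zip comes from the post), and the list of lookalike code points is an assumption, since the post does not name the characters used.

```javascript
// Code points that render like "/" but are not path separators to a URL
// parser (assumed list; the post does not say which characters were used).
const SLASH_LOOKALIKES = new Map([
  [0x2044, "FRACTION SLASH"],
  [0x2215, "DIVISION SLASH"],
  [0x29f8, "BIG SOLIDUS"],
  [0xff0f, "FULLWIDTH SOLIDUS"],
]);

// Constructed samples: the first uses U+2215 where "/" appears to be.
const S = "\u2215";
const SAMPLE_DECEPTIVE = `https://example.com${S}releases${S}download${S}@v1271.zip`;
const SAMPLE_PLAIN = "https://example.com/releases/download/v1271.zip";

// Returns the host a browser would actually contact, plus reasons for suspicion.
function inspectLink(raw) {
  const findings = [];
  const hits = [...raw]
    .map((ch) => ch.codePointAt(0))
    .filter((cp) => SLASH_LOOKALIKES.has(cp));
  if (hits.length > 0) {
    const names = [...new Set(hits.map((cp) => SLASH_LOOKALIKES.get(cp)))];
    findings.push(`${hits.length} slash lookalike(s): ${names.join(", ")}`);
  }

  let url;
  try {
    url = new URL(raw); // WHATWG URL parsing, the same rules a browser applies
  } catch (err) {
    findings.push("not a parseable URL");
    return { host: null, userinfo: null, findings };
  }

  // With no real "/" before it, everything ahead of "@" is login userinfo,
  // so the text that looks like the site name is not the destination.
  if (url.username !== "" || url.password !== "") {
    findings.push('text before "@" is userinfo, not the host');
  }
  return { host: url.hostname, userinfo: url.username, findings };
}

console.log(inspectLink(SAMPLE_DECEPTIVE));
console.log(inspectLink(SAMPLE_PLAIN));
```

The first sample resolves to the host v1271.zip with two findings; the plain link resolves to example.com with none.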
  • Somehow unsurprising


    [Attachment: IMG_2215.jpeg]
Posted by Velocio @Velocio
