- cross-posted to:
- privacy@programming.dev
- cross-posted to:
- privacy@programming.dev
A 10-month Commerce Department probe concluded Meta could view all WhatsApp messages in unencrypted form
A 10-month Commerce Department probe concluded Meta could view all WhatsApp messages in unencrypted form
I never assumed that this presumed “end to end encryption” was secure in any way. The key exchange either runs over Meta servers, and they just log them, or the client software simply surrenders the key (maybe always, maybe on demand) together with the data stream that still runs over Meta servers.
I also never assumed it was fully secure either. Like sure it could be secure to hackers since they would still need the keys, but if anyone ever thought Meta was somehow not going to allow themselves access is just crazy and I am shocked anyone thought differently. On top of this they absolutely share all data with the government, im just not sure if it’s by request or full access anytime.
Sadly, everyone i know still uses it so im kind of forced to but at the same time the chats are all dumb anyway so whatever and enjoy reading them Meta employees.
They can log anything they want and have nothing useful, if the encryption protocol is sound.
Have a look at how TLS is designed, if you want to know more.
I know my way around cryptography, therefor I am skeptical. If push comes to shove, they can simply command the Whatsapp App to silently surrender the keys. Nobody would know, it is a closed source app and protocol, and they can hide what they are doing inside the (probably) TLS encrypted stream.
You can have the soundest encryption in the world but if they have access to the keys it doesn’t matter, they can see everything.
But the key exchange is not the issue then.
Access to private keys is.
If the host system, on which the key exchange runs, is compromised, you’re toast.
Where’s the private key? I can get a new phone, log with WhatsApp and download all the historical messages without intruducing any additional password or key.
I assume they have all the required data too.
Sounds like a compromised phone in the sense that it doesn’t protect (and instead transmit) the private key.
That’s not the phones fault, but how WhatsApp works
How is a phone not compromised if it hosts apps that play into the hands of evil actors?
it is not, unless the app can exfiltrate data from other apps
I undersrstand my threat model and how to limit exposure.