Comment by I_am_tiberius
1 month ago
> "WhatsApp provides default end-to-end encryption for over 3 billion people".
Wasn't there news lately that they can still read your messages somehow?
1 month ago
> "WhatsApp provides default end-to-end encryption for over 3 billion people".
Wasn't there news lately that they can still read your messages somehow?
WhatsApp could exfiltrate messages at the ends. But I assume the trick lies in the word "default". Didn't Skype also default to end-to-end encryption, unless there was a server flag that disabled it for that specific user (I might be fuzzy on the details)
I don't trust un-auditable client applications...
If you want to assure me your e2e is secure, there must be at least two clients implemented by different people, with at least one of them opensource.
Whatsapp used to have this, but lately they have cracked down on third party clients.
> Whatsapp used to have this, but lately they have cracked down on third party clients.
Blame spammers on that. The amount of scammers and spammers on Whatsapp is unreal.
Even if they have, this doesn't prevent from turning on a feature flag, or push an experimental build to some users.
1 reply →
Every encryption is end to end if you're not picky about the ends, or metadata.
Do you trust facebook (excuse me, meta) to not snoop on your messages, and to not share them with the "intelligence" agencies ?
This is not true. The IETF draft is explicit that E2EE means that the message cannot be read by any party other than the sender and the intended receiver. When companies like Meta claim they support E2EE, this is what they claim. There are no tricky semantics or legalese at play here.
To be fair zoom did claim E2EE, with one of the ends being their servers.
1 reply →
It's not entirely accurate to say "any party other than the sender and the intended receiver," since the messaging app running on the user's device can read the messages. Something like "any third party (other than the app vendor)" would be more accurate. Without actually analyze app behavior, it comes down to trusting that the vendor doesn't do anything nefarious.
8 replies →
> When companies like Meta claim they support E2EE, this is what they claim.
Well, that statement can only resolve to true.
These requests of data collection are perfectly legal. FBI DITU gives an order: give me all chats from *@banana.com and they receive banana.com.
From there, two choices from the perspective of a tech provider:
a) You accept. You get paid.
b) You refuse. It's a crime.
To this day, Apple, Facebook, Google still deny participating in illegal requests. They claim these were lawful requests, that have been carefully looked one-by-one.
Yes, we looked carefully and decided we won't enjoy losing 100M USD and go to jail.
The trick is that the identifier / wildcard can be very vague and wide. Or there can be multiple of them, each of them are narrow, but put one of top of the other they are super wide.
Do companies that claim E2EE support face consequences if they don't abide by IETF's definition? Not like IETF governs them.
> Do you trust facebook (excuse me, meta) to not snoop on your messages
No, but I trust some nosy German guy at TU Whatever to spend hours poking at the assembly, find that hidden flag and proudly present it at 40C3.
With enough eyeballs, all source is open (and AI will give us far more eyeballs than we have any idea what to do with).
Sure, you can have different builds distributed to different people, but the NSA can also just do that with Signal, Signal being open source makes it that much easier. FDroid mitigates this somewhat, but it's not like the NSA can't get a fake TLS certificate for their domain and MITM your communications.