Comment by palata
1 day ago
> It's not like we are all spending all our time going over a random s3 bucket to say `Aha, I am sure Bob didn't add this new key because he logged in from his desktop. It has to be a man in the middle`
That's not how key transparency works. The whole point of key transparency is that you don't have to do that.
If you are into manually checking that you have the right key, you can do it by scanning a QR code (or exchanging the key manually through some trusted channel), both on Signal and WhatsApp.
> Can they just siphon keys of your device?
Whoever hacks your device can read the messages; end-to-end encryption protects the data in transit, not at rest.
> Can they just deploy a special version to just your device
If you get WhatsApp through the Play Store, they would need to collude with Google to do that. But it is technically possible. If you get WhatsApp on the web, it's a lot easier though: they can just serve you a different codebase this one time. BTW ProtonMail can do that too, or any webapp. Which I assume is why Signal doesn't have a web version.
> The gold standard would be personally managed keys, exchanged and signed by your contacts in person, open source software that is not auto-updating, distributed over a channel that does not know your identity.
You can get the sources of Signal, audit them yourself, compile them yourself, and verify the key with your contacts through a trusted channel (in person if you like). That is already possible.
> No one in Microsoft, Yahoo, Google, Facebook, AOL, Skype, or Apple said anything about PRISM
I think it is pretty different. Was PRISM available in the source code in the monorepo of all those companies? WhatsApp is.
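The key-transparency point above (that nobody has to eyeball a key store by hand) is easier to see in code. What follows is an added toy example written for this page, not WhatsApp's or Signal's implementation: a Merkle-tree log over (user, public key) entries whose root the provider publishes. A client that fetches a contact's key verifies an inclusion proof against that root, the key's owner audits its own entry, and independent auditors compare roots out of band. The three dishonest-provider scenarios show what each of those checks catches. The user names and 32-byte random "keys" are constructed sample data.

```python
"""Toy key-transparency log (illustration for this page, not any vendor's code)."""
import hashlib
import os


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(user: bytes, key: bytes) -> bytes:
    # Domain-separated leaf hash; the length prefix keeps user/key boundaries unambiguous.
    return _h(b"\x00" + len(user).to_bytes(2, "big") + user + key)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


class KeyTransparencyLog:
    """Append-only list of (user, key) bindings; the Merkle root commits to all of them."""

    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes]] = []

    def append(self, user: bytes, key: bytes) -> int:
        self.entries.append((user, key))
        return len(self.entries) - 1

    def _levels(self) -> list[list[bytes]]:
        level = [leaf_hash(u, k) for u, k in self.entries]
        levels = [level]
        while len(level) > 1:
            if len(level) % 2:                 # duplicate the last node on odd-sized levels
                level = level + [level[-1]]
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            levels.append(level)
        return levels

    def root(self) -> bytes:
        return self._levels()[-1][0]

    def inclusion_proof(self, index: int) -> list[tuple[bytes, bool]]:
        """Sibling hashes from leaf to root, each tagged with whether the sibling is on the left."""
        proof = []
        for level in self._levels()[:-1]:
            if len(level) % 2:
                level = level + [level[-1]]
            sibling = index ^ 1
            proof.append((level[sibling], sibling < index))
            index //= 2
        return proof

    def lookup(self, user: bytes) -> tuple[bytes, int, list[tuple[bytes, bool]]]:
        """Latest key logged for `user`, with its index and inclusion proof."""
        for i in range(len(self.entries) - 1, -1, -1):
            if self.entries[i][0] == user:
                return self.entries[i][1], i, self.inclusion_proof(i)
        raise KeyError(user)


def verify_inclusion(user: bytes, key: bytes, index: int, proof, root: bytes) -> bool:
    """Client-side check: does this (user, key) hash up to the published root?"""
    h = leaf_hash(user, key)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def _populated_log() -> tuple[KeyTransparencyLog, bytes]:
    log = KeyTransparencyLog()
    bob_key = os.urandom(32)                   # constructed stand-in for Bob's identity key
    log.append(b"alice", os.urandom(32))
    log.append(b"bob", bob_key)
    log.append(b"carol", os.urandom(32))
    return log, bob_key


def scenario_honest() -> bool:
    log, bob_key = _populated_log()
    key, idx, proof = log.lookup(b"bob")       # what Alice's client fetches
    return verify_inclusion(b"bob", key, idx, proof, log.root()) and key == bob_key


def scenario_unlogged_substitution() -> bool:
    """Provider hands Alice a MITM key for Bob without logging it; the only proof it
    can offer is for Bob's real entry, so Alice's check fails (returns False)."""
    log, _ = _populated_log()
    _, idx, proof = log.lookup(b"bob")
    return verify_inclusion(b"bob", os.urandom(32), idx, proof, log.root())


def scenario_logged_substitution() -> bool:
    """Provider logs the MITM key so Alice's proof verifies; Bob's client, auditing
    its own entry, sees a key it never generated. Returns True if Bob detects it."""
    log, bob_key = _populated_log()
    log.append(b"bob", os.urandom(32))         # attacker-controlled key appended for Bob
    key, idx, proof = log.lookup(b"bob")
    return verify_inclusion(b"bob", key, idx, proof, log.root()) and key != bob_key


def scenario_split_view() -> bool:
    """Provider shows Alice a forked log and auditors the honest one; comparing the
    two roots out of band exposes the fork. Returns True if the roots differ."""
    honest, _ = _populated_log()
    forked = KeyTransparencyLog()
    forked.entries = list(honest.entries)
    forked.append(b"bob", os.urandom(32))
    return honest.root() != forked.root()
```

Each scenario maps to one party's job: the fetching client verifies inclusion, the key owner audits its own entry, and auditors gossip roots so a provider cannot show different logs to different people. None of that requires any human to inspect a key store, which is the claim being made above; the manual QR-code comparison remains available as a belt-and-braces check on top.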