undefined | Better HN

0 pointssqueaky-clean9y ago0 comments

> All I can see there is that you asked for the source code of the QR generator and he delivered.

Eh, I kind of agree with geocar's point in the original thread. Moxie shared source code to "a" QR generator. Is there any way to verify that this code is what's running inside of WhatsApp?

0 comments

geocar9y ago

Yes. The most obvious one is to make it possible for me to build WhatsApp and install it on my phone, however there are a lot of challenges with this.

A less obvious one is to make it possible to detect WhatsApp cheating. This isn't perfect, but someone only needs to detect it cheating once and then your name is mud.

One such way I proposed: If I can create my own key, then I can pass my public key out of band to someone who can mitm[1] themselves and verify that the message on the wire was encrypted and only encrypted with my key, and I can mitm myself to verify that my device only ever sends things encrypted with my own key. Tooling for the protocol is non-existent, and despite someone claiming they could do it in 10 seconds, they never followed up with instructions on how I could do it in 10 seconds.

This also allows other non-WhatsApp versions of the client, which may make things much more difficult for FaceBook (since now they can't upgrade legitimate clients if they discover a protocol-level problem) but the Internet has some experience with protocols.

[1]: https://mitmproxy.org/

j / k navigate · click thread line to collapse