undefined | Better HN

0 pointsfoepys8y ago0 comments

WhatsApp, the most popular messenger, does not allow chat sync. It's single device even. I don't think that's part of the features the average user values.

0 comments

11 comments · 3 top-level

dijit8y ago· 7 in thread

Not true in all cases. They have a wonderful backdoor into your the phone app so you can use the webchat/desktop app. You scan a code and it will allow the website to connect to your phone and download all your messages/photos/etc and talk real time to friends.. Funcionally identical to telegrams desktop app (except, obviously, using your phone as a gateway of some kind).

This functionality makes me nervous honestly, because if the app allowed connections like this silently and downloads your details then wouldn't it be possible to just bypass the QR code for WhatsApp's server team?

(Also, when I point this out I always get downvotes, so, maybe a response this time?)

Yizahi8y ago

More likely - app is relatively secure but it collects and stores all that private info, then they need to work in some dictatorship or paranoid country (essentially a majority of all countries) and then those governments require storing info on their own local servers with which they can either comply or be banned, and then either government misuses this info or it gets hacked and malicious 3rd party misuses this info.

pmontra8y ago

Btw, the web app knows when the phone battery is low and warns about it. IMHO it's too much information going from my phone to WhatsApp and I don't know what's the real reason they need it. It's not like the phone doesn't have its own battery warning. Anything else going from the app to their servers?

Spivak8y ago

You do know that the connection between the web app and the phone is E2E encrypted, right? You're doing a key exchange when you scan the QR code.

Unless you think FB is intentionally poisioning their web interface and serving malicious clients that break their own security you've got nothing to worry about with respect to these features.

Being able to know that the phone my chat is proxying through is about to die is pretty valuable.

def_true_false8y ago

How is this different from e.g Telegram web client? I don't see a reason why this couldn't be done safely. I wonder if it's possible to prevent Whatsapp from serving some people a modified web client though.

Anyway, as much as I dislike Telegram, their desktop client is UX-wise miles ahead of web clients or electron trash.

dijit8y ago

Secret chats never leave the device basically.

The problem I have with telegram is that /by default/ it's security is very poor. It's stored and relayed by their servers so you can have a unified chat history.

However, if you hit the secret chat button I don't see a reason to think that this is stored in any way by them (and auditing the client I use confirms this for Qt linux desktop/iOS)

Spivak8y ago

Your running into exactly the problem that Signal faced when people asked for a web client. It can't really be done securely unless you're willing to put ultimate trust in Signal's servers and the CA system.

lhopki018y ago

Out of curiosity why do you think this is a backdoor and not a valid cryptographic connection via your phone?

Spivak8y ago

Chat sync really isn't the best statement of the problem because the feature that people want is that all clients see the entire authoritative chat history. WhatsApp solves this problem in a way that is largely invisible to the user without relying on a central message store.

jrs958y ago· 1 in thread

Isn't a lot of it's popularity among users who only have one device? I've only met one person who I know used WhatsApp, and that was just to talk to his parents in India.

Spivak8y ago

WhatsApp isn't really single device in practice; sure all the messages are routed through (usually) your phone but there's very little friction to using n devices. I'm logged in from 4 different machines right now.

j / k navigate · click thread line to collapse

0 comments

11 comments · 3 top-level

dijit8y ago· 7 in thread

(Also, when I point this out I always get downvotes, so, maybe a response this time?)

Yizahi8y ago

pmontra8y ago

Spivak8y ago

You do know that the connection between the web app and the phone is E2E encrypted, right? You're doing a key exchange when you scan the QR code.

Unless you think FB is intentionally poisioning their web interface and serving malicious clients that break their own security you've got nothing to worry about with respect to these features.

Being able to know that the phone my chat is proxying through is about to die is pretty valuable.

def_true_false8y ago

Anyway, as much as I dislike Telegram, their desktop client is UX-wise miles ahead of web clients or electron trash.

dijit8y ago

Secret chats never leave the device basically.

The problem I have with telegram is that /by default/ it's security is very poor. It's stored and relayed by their servers so you can have a unified chat history.

However, if you hit the secret chat button I don't see a reason to think that this is stored in any way by them (and auditing the client I use confirms this for Qt linux desktop/iOS)

Spivak8y ago

lhopki018y ago

Out of curiosity why do you think this is a backdoor and not a valid cryptographic connection via your phone?

Spivak8y ago

jrs958y ago· 1 in thread

Isn't a lot of it's popularity among users who only have one device? I've only met one person who I know used WhatsApp, and that was just to talk to his parents in India.

Spivak8y ago

j / k navigate · click thread line to collapse