undefined | Better HN

0 pointsmulmen3y ago0 comments

Is it really? I always assumed it was like Zoom end to end encryption where one of the “ends” is a Facebook data center. How can a user prove the claim of end to end encryption?

0 comments

jeroenhd3y ago

Almost all of WhatsApp has been E2EE for years, based on the same protocol Signal uses. This goes for text messages (personal and groups) and calls. Cloud backups are not encrypted by default, but encryption can be enabled.

WhatsApp doesn't have an open source client so verification is difficult. However, if someone were able to break the encryption, I'm sure it'd be in the headlines of most newspapers.

One exception is WhatsApp business: I don't know the details, but Facebook offers a service where they will do some chat automation for your business which means they must receive the keys.

In terms of security: key changes are automatically accepted. They are hidden by default, but by toggling a setting every time a user updates their keys, a message will be introduced into the chat. QR code key validation has been in the app for years now, though I doubt many users are using the feature.

mulmenOP3y ago

How do you tell the difference between true E2EE and Zoom E2EE where FB decrypts the message in the middle? Or otherwise backdoors the exchange, perhaps outside the Signal protocol? Ultimately you are trusting Facebook to tell the truth here.

salawat3y ago

You read the bloody code, and you run the infrastructure. Not your hardware, not your system. There is no alternative.

caf3y ago

There was a bit of a song and dance when Whatsapp adopted the Signal protocol. Certainly if you choose not to back up your Whatsapp messages, your old messages aren't available when you switch phones.

If they're not end-to-end encrypted, they're engaging in a lot of deception to indicate that they are.

mulmenOP3y ago

Thanks, I don’t have much experience with WhatsApp. I don’t have a lot of faith in Facebook. Especially post-Snowden.

If you think you need E2EE you can really only achieve that on an open system you control and have intimate knowledge of. You can’t trust precompiled binaries.

Something something trusting trust.

This isn’t a problem technology can solve. Women shouldn’t need to be information security experts just to ask questions about their own bodies.

unmole3y ago

> Especially post-Snowden.

What does Snowden have to do with Facebook? I'm asking in good faith.

1 more reply

jeroenhd3y ago

They are if you enable encryption (with your own key, of course). The default backups are insecure, though.

mulmenOP3y ago

Except you provide the key to the app and the app is controlled by FB. There’s really no way to prove the key stays on your device. Or that your messages aren’t just forwarded without encryption to a FB datacenter.

ccouzens3y ago

> how can a user (without deep technical knowledge and skills) prove the claim of end to end encryption?

Checking to see if investigations include evidence from messages on these platforms excepting:

Messages sent by the user to someone who distributes them further

Or investigators getting control of the phone.

---

WhatsApp stands up to that test.

salawat3y ago

Except, parallel construction is a thing; jealously guarded by law enforcement as well.

j / k navigate · click thread line to collapse

0 comments

jeroenhd3y ago

WhatsApp doesn't have an open source client so verification is difficult. However, if someone were able to break the encryption, I'm sure it'd be in the headlines of most newspapers.

One exception is WhatsApp business: I don't know the details, but Facebook offers a service where they will do some chat automation for your business which means they must receive the keys.

mulmenOP3y ago

salawat3y ago

You read the bloody code, and you run the infrastructure. Not your hardware, not your system. There is no alternative.

caf3y ago

If they're not end-to-end encrypted, they're engaging in a lot of deception to indicate that they are.

mulmenOP3y ago

Thanks, I don’t have much experience with WhatsApp. I don’t have a lot of faith in Facebook. Especially post-Snowden.

If you think you need E2EE you can really only achieve that on an open system you control and have intimate knowledge of. You can’t trust precompiled binaries.

Something something trusting trust.

This isn’t a problem technology can solve. Women shouldn’t need to be information security experts just to ask questions about their own bodies.

unmole3y ago

> Especially post-Snowden.

What does Snowden have to do with Facebook? I'm asking in good faith.

1 more reply

jeroenhd3y ago

They are if you enable encryption (with your own key, of course). The default backups are insecure, though.

mulmenOP3y ago

ccouzens3y ago

> how can a user (without deep technical knowledge and skills) prove the claim of end to end encryption?

Checking to see if investigations include evidence from messages on these platforms excepting:

Messages sent by the user to someone who distributes them further

Or investigators getting control of the phone.

---

WhatsApp stands up to that test.

salawat3y ago

Except, parallel construction is a thing; jealously guarded by law enforcement as well.

j / k navigate · click thread line to collapse