For open source messengers, you can check whether they actually encrypt your messages and whether the server has access to your encryption keys but what about WhatsApp? Since it’s not open source, you can’t be sure that the encryption keys aren’t sent to the server, right? Has there been a case where a government was able to access WhatsApp chats without reading them from the phone itself?
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 57 users / day
- 383 users / week
- 1.5K users / month
- 5.7K users / 6 months
- 1 subscriber
- 2.43K Posts
- 57.3K Comments
- Modlog
The code is not open source, so it’s hard to verify how good the encryption is or if it has backdoors.
I’m not an expert in cryptography, but from my limited knowledge, the cryptographic keys used are very important. If Meta or the government can somehow know the decryption key to your messages or predict it, then they can see your messages.
But they most likely don’t need to decrypt it in transit. One of the vulnerabilities in this system is Google firebase, which delivers notifications to your phone when WhatsApp messages arrive. Ever noticed how those notifications include the message content and the sender? Google has access to this information, despite the encryption.
That’s just an example. Google has access to a lot on your phone.
Another thing to consider is message metadata. The content of your message is encrypted, but what about information like the destination of your message, its recipients, time sent and received, and frequency? I’d even argue this is more important than content in many situations. Sometimes, linking person A to person B tells me a lot about person A.
Not necessarily. I work on a messaging app, and we only use firebase to “wake up” the app. Initially the notification doesn’t display anything meaningful, but the app very quickly connects to the server (tells the app who it should connect with) and then the peer (to finally get the actual content). The notification is updated once we have the content. But it typically goes so fast that you only ever see the final version of the notification.
It does not matter how good the encryption is. The app on your device has to be able to decrypt the content to be able to show it to you. If it has access to the decrypted data, it could just send it somewhere. If it has access to your private key, it can leak it. Even if the app is open source, you do not know if the binary on your phone matches that source, unless it uses reproducible builds and you actually verify the binary on your particular device, after each update.
The better question is, do you trust meta at all? I’m sure they have a way to read everyone’s chats and would gladly hand over yours to the government if they want it.
deleted by creator
Problem is that they can still compromise it. Simplest method would be to just take what you’ve typed into the UI and send it two times. One time to your communication partners and one time unencrypted / decryptable for themselves.
But even if they’re exclusively sending via Signal’s library and not tampering with it or anything, they can still instruct Signal’s library to add another member to a group chat. And that ‘member’ can be their server. It will be sent, fully end-to-end-encrypted, but to an end you don’t know about.
They only recently made it quantum resistant, so I don’t think that whatsapp is using that version
Ask Meta. Its not Open source, its all “trust me bro its encrypted with some encryption”
I personally wouldn’t touch WhatsApp with a 10foot pole. As it is owned by Facebook, the company who earlier this year paid a company to compromise TAILS OS to find a pedo. Which its not the fact that they threw a pedo in jail. But the fact they compromised anonymity and in no way are a government body!!! So glowies be glowing hard at Facebook.
They also have done other spooky shit. Which is why the only reason I use Facebook is to sell my shit.
We could also talk about the OS and hardware your using to message people for security. If you want to know more read permanent record by Edward snowden. Its a great book and talks alot about PRISM and other spooky stuff
It is impossible to say. If you are that concerned you should use something else
No. They cant decrypt your chats. They can however backdoor your device and see the pre or post delivery message. Its not hard for them to do. Technically or legally.
If they arent currently logging activity on your device then turning on self destruct messaging could mitigate their ability to spy on you. Unfortunately all your chat partners have to do it too.
Governments, if they want, can decrypt any chat, not just Whatscrap. But it makes a difference if a chat, especially this Zuckerbot shit, directly opens a Backdoor to governments, to give them access, or if they have to bother hacking the chats themselves, which due to its cost and time, is only done with a court order.
This is not true. Encryption that is not breakable by anyone - including governments - and the tools to use it have been available to everyone for decades now.
It might be broken later (which is why the US stores encrypted messages) but not right now, and is unlikely to be in the foreseeable future.
They can, all goverments nowadays have at thei disposal Quantum computer, provided by large companies (Google, IBM, Facebook, M$…) Not being able to decrypt messages was valid, in part, a few years ago, but not longer. Microsoft itself is now moving away from using passwords, using logins with physical keys for this reason and others will follow soon. Chat messages are no longer secure, while they do not also use quantum technology. But don’t worry, as long as you don’t attract attention for being a pedophile or for belonging to a terrorist group, no one is going to bother decoding your messages. Also the Germans in the II WW thought that nobody can read their with Enigma encrypted messages, fail.
You comment is wrong and misinformed. Quantum computing isn’t able to break RSA 2048 yet. Also passwords aren’t related to quantum computing.
What you wrote is science fiction, not fact. So are practical quantum computers, thus far.
It also ignores the fact that quantum computing would do shit all against symmetric encryption (though admittedly that’s less relevant for whatsapp, but it’s perfectly relevant if you want to exchange secure messages with someone you met physically prior); as well as the fact quantum-resistant encryption algorithms such as NTRU already exist and are already considered for implementation in free software tools (the only reason they aren’t is they’re far less tested and nobody trusts them yet against conventional attacks).
https://sites.math.washington.edu/~morrow/336_16/2016papers/tristan.pdf
Any source for that claim?
Relevant xkcd as always https://xkcd.com/538/
I mean, it’s possible given their resources… It just takes long enough to be unfeasible. Also, in special circumstances they can Pegasus your phone and obtain the info without decrypting… Not like you’re not screwed anyways when it comes to such drastic measures.
removed by mod
Group chats are also end-to-end encrypted in WhatsApp (so any monitoring would need to be done in cooperation with one of the participants’ devices before encryption or after decryption)
removed by mod
Source please.
How do they get the keys?
Who is “they”?
removed by mod
Yeah… I see no reference to this anywhere… some stuff in 2021 about WhatsApp protesting privacy law changes in India and some stuff about the liability of Group Admins for things posted in groups. Nothing about broken encryption measures.
I can only assume they are referring to WhatsApp Group Admins, who are inherently part of the group, as opposed to WhatsApp company admins.
They don’t have to attack the encryption, there are far easier ways. Compromising your phone then reading the notification contents for example. If a smallish company can do this (pegasus) imagine what the resources of the US intelligence complex can do.
The easiest way by far is to intimidate you to give up your phone password and hand over the messages.
XKCD for refference: https://xkcd.com/538/
Shouldn’t the phone disk be encrypted too?
Doesn’t matter if the phone is compromised while turned on.
Everything I’ve ever heard about government cryptography from people close to me is that the government (FBI, military) is wildly far ahead of what’s available publicly. I wouldn’t count on anything you do on the Internet to be truly private.
That was at times of DES. Cryptography that is used today is proven to be complicated enough that it’s unbreakable unless the government got quantum computing working at sufficient skale.
Like others wrote, attacks will happen when the messages are received and decrypted.
People got arrested for WhatsApp messages in my country so there is a backdoor built in no question
That’s mostly group chats and someone from the group showed the comments to the police.
Dunno
Another thing to consider is that the US (and probably most 5 eyes countries) have agencies with a “store now and decrypt later” policy. They theoretically could be capturing certain types of traffic and storing it in the massive NSA fusion centers. If you come under suspicion at some later date and the quantum technology has advanced, you could be hosed. Now what’s the legality of storing “precrime material” without a warrant? I wouldn’t think it is legal but that doesn’t seem to stop the 3 letter agencies these days.
If you did not enable end-to-end encryption for your WhatsApp backups on Google Drive, the US government could possibly compel Google to hand over your encrypted (but not end-to-end encrypted) backup, and compel Meta to hand over the decryption keys for the backup.
Details about how WhatsApp backup works: The Workings of WhatsApp’s Backups (and Why You Should Enable End-to-End Encrypted Backups).
I know that WhatsApp backups aren’t safe and I never turned them on