this post was submitted on 29 Sep 2023
Privacy
This has always been my biggest pet peeve with WhatsApp. Yes, they might encrypt it all and the encryption might be practically unbreakable, but what worries me is what Meta might do with the private encryption keys. Let me elaborate further.
I'll start by trying to explain how key-based encryption, the type of encryption WhatsApp uses, works at its core, for those who don't know (THIS IS GOING TO BE AN OVERSIMPLIFICATION). Imagine you want a friend to send you a message with super sensitive contents. Here's what you do to guarantee that no one else can read it but you:
This means that, if someone else manages to get the encrypted message, they will need the private key to read what it says, but they don't have it, only you have it. The only thing they can do is keep guessing what that key is until they find what it was and read the message, but that can take up to millions of years, even using supercomputers.
As you can see, this works really well for sending messages without anyone but the sender and the receiver knowing what is being said, and that's why it's so used in encrypted message apps...
...but what if Meta has access to the private keys? I mean, what if, after WhatsApp creates the public and private keys for messaging, the private key is retrieved and stored in Meta's servers, making them able to read all the messages you receive?
Can someone with more experience in the subject say if my concerns are valid?
I share that concern and would not rely on my messaging being secure. Anyways, as far as they state it themselves, your private key for decrypting should stay on your device (in fact it uses the Signal protocol and does a few more steps, e.g. to implement shared sessions over multiple devices. You can have a look at their FAQ, they've linked a white paper within it describing the technical details). But the main question is in my opinion: do you trust the guarantees they give you? It's the same struggle as with any proprietary software. You can trust them or you don't, but you will never know without access to the source code.
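An added illustration of the question discussed in this thread (not written by either commenter and not WhatsApp's or Signal's code): a relay that only ever sees public keys and ciphertext cannot read a message, while a party holding a copy of a recipient's private key can. It assumes a toy Diffie-Hellman group and hypothetical names (`Device`, `seal`, `unseal`, `relay_can_read`); real Signal-protocol clients use X25519 and a more involved key schedule.

```python
import hashlib, hmac, secrets

# Toy parameters for illustration only (assumption): classic Diffie-Hellman
# modulo the prime 2**255 - 19. Not suitable for protecting real data.
P, G = 2**255 - 19, 2

class Device:
    """A phone. The private key is generated locally and never sent."""
    def __init__(self, private=None):
        self.private = private or secrets.randbelow(P - 3) + 2
        self.public = pow(G, self.private, P)   # the only part uploaded

    def session_key(self, peer_public):
        shared = pow(peer_public, self.private, P)
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def _subkeys(key):
    # Separate keys for encryption and for the authentication tag.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())

def _xor_stream(enc_key, nonce, data):
    # HMAC-SHA256 in counter mode as a simple keystream generator.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce, ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, nonce, ct, tag):
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return _xor_stream(enc_key, nonce, ct)

def relay_can_read(relay_key, packet):
    """True if a party holding relay_key can decrypt the relayed packet."""
    try:
        unseal(relay_key, *packet)
        return True
    except ValueError:
        return False
```

The math gives the same guarantee with open or closed software; what source access and audits add is the ability to check that the client never copies the private key off the device.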