Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

WhatsApp actually uses signal protocol for e2ee


They say they do, but you have to trust them. You don't have to trust Signal, you can audit the sources (or trust some third party to do it for you).


How do you know the source code you’re looking at is for the same program you downloaded from the App Store? Does apple publish a checksum of software you’re installing?


> Does apple publish a checksum of software you’re installing?

Reproducible builds: https://github.com/signalapp/Signal-Android/tree/main/reprod...


This is a failure of Apple and their walled garden, not of Signal. If this is a concern to you, you either need to jailbreak or switch to a more free as in freedom platform.


Honestly, if it really mattered a lot to me (i.e. to my own security), I would compile Signal from source and install it on my device. Which I could not do with WhatsApp.


True


Signal doesn't press you to setup (by default) unencrypted cloud backups.


It doesn't matter, the app is closed source so they can still access your messages regadless of what protocol they use.

https://gizmodo.com/whatsapp-moderators-can-read-your-messag...


That article doesn't support what you're saying. It says that WhatsApp has access to metadata, which it hands over to law enforcement. This does not necessarily mean that they can read your messages.

It does say that 'WhatsApp can read some of your messages if the recipient reports them'. That 'if' is doing a lot of work in this sentence. It means that the recipient has to decrypt your message.

Although there are forms etc. within the app for doing this, it's essentially no different to taking screenshots.

There is no way to ensure 100% privacy if the other party you are communicating with does not keep data they have access to private.

I'm not a big Meta fan, but as far as I am aware, they can't normally read your messages. The fact that it's closed source just means that we can't verify that for ourselves.


> The fact that it's closed source just means that we can't verify that for ourselves.

That's really the whole point. As far as we know, it could be that it is not e2ee at all.

Also from the moderation article, it's not clear to me what that means: if I report you, does that mean that the moderators will get access to all your recent conversations? Could be, right? But then the FBI could report you for no reason, and then ask WhatsApp to provide your recent conversations. Which would effectively act as some kind of backdoor, right?


I agree, closed source means we can't do anything apart from decide whether we believe Meta or not.

But my understanding is that the 'report' is from a user's WhatsApp client—if someone sends you a message that you think is reportable, you can report them to Meta. As part of the report, your WhatsApp client will forward some information to Meta.

Assuming Meta are not actively lying, this would not mean that it's not E2EE.


Can I see the source to make sure?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: