
In the web page of WhatsApp there is the following:

WhatsApp's end-to-end encryption ensures only you and the person you're communicating with can read what is sent, and nobody in between, not even WhatsApp. This is because your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them.

However, the users don't decrypt the messages themselves; the WhatsApp application does it itself. Therefore, the application knows all required encryption keys. Therefore, WhatsApp may read all the messages.

Or I don't know something about this stuff?

Glorfindel
Sonya Seyrios
  • If you don't trust the WhatsApp application itself, then all bets are off no matter how the encryption is implemented. Due to the closed source nature of the app, this concern is valid. You can use Signal (which is the name of the protocol used by WhatsApp as well as the name of an app by Open Whisper Systems) and it is open source. https://github.com/whispersystems/ – void_in Aug 17 '16 at 14:25
  • I mean, end-to-end encryption is safe if people generate and store the keys themselves. As the application generates it itself, people who have access to the database and source code may decrypt everything, as it's done by the application – Sonya Seyrios Aug 17 '16 at 14:32
  • If you use Signal, make sure to compile it yourself after checking the code and on every update check all the code changes. Else the people creating Signal could read your messages! – Josef Aug 17 '16 at 14:37
  • @SonyaSeyrios people never create keys used for modern encryption! Can you create a 1024-bit prime number in your head? I bet not? You can't even create a 128-bit random key in your head! Keys are always created by an application! I am not sure what you are trying to say... – Josef Aug 17 '16 at 14:39
  • Yes! The developers may read the messages! However, WhatsApp claims that even they can't do that! How does that work then? – Sonya Seyrios Aug 17 '16 at 14:39
  • The problem is not that the application creates the keys! The problem is that the application stores the keys! As it decrypts itself. As the application may decrypt, therefore the developers also may decrypt! – Sonya Seyrios Aug 17 '16 at 14:40
  • In addition to that, the application generates the same key every time, as you can read old messages. So, Whatsapp basir that no one, even Whatsapp, may read the messages – Sonya Seyrios Aug 17 '16 at 15:00

1 Answer

WhatsApp wasn't a secure application to begin with. But with so many accounts being compromised the company had to do something, so they introduced the over-advertised "END TO END ENCRYPTION", which is a standard maintained by mostly all others. But yes, the keys are generated on the client side and even stored in the same place. As the database is stored on the client side rather than on the server, it is a bad idea to store the keys with them too.

Yes, there is a possibility that the algorithm they used to encrypt the messages may have a back door or a master key that can decrypt any message. Check the WhatsApp Legal page, read 7. Limitation of Liability: even if they want to read your messages and you somehow get to know about it, they can easily blame it on a 3rd party. And just for a moment let's cross that line where they ensure that they can't and won't read your messages, because if they can encrypt these messages and have access to the keys they sure as hell can read them too. If your conversation is controversial or illegal and they can earn profit by exposing that to the right party, there are chances that you are being monitored.

The only security which is added, according to me, is that now anyone who tries to tamper with/capture my message from the network is gonna get an encrypted cipher rather than plain text.

  • So, to conclude. WhatsApp may read all messages. And anyone who hacks their server and DB may read them. Right? – Sonya Seyrios Aug 17 '16 at 15:17
  • The only scenario which I can come up with is that they delete all messages from their DB after loading them to the device of the receiver. As the messages are deleted, they can't read them – Sonya Seyrios Aug 17 '16 at 15:20
  • Yes, that's right. But remember it's easy for WhatsApp to read your messages but it's a whole other story for a 3rd party. Hacking into their servers is not gonna be easy, and if it happens the reputation of the company is jeopardized, so they use extra security to make sure that doesn't happen. But yes, with enough access anyone can read our messages. – HeroicJokester Aug 17 '16 at 15:24
  • I don't think that's gonna work. By my experience, when we delete a message it is deleted from our chat, not from the database. It always exists in the database and I don't think it's possible to delete a single message from the database. But I can be completely wrong, maybe someone with more experience can help us. PS: the messages are not stored on the server, they're stored on the client side. So they can't delete any messages from our device and they don't store any messages on their server. – HeroicJokester Aug 17 '16 at 15:27
  • If they willingly accept that they may read your private messages under some specific condition, will you use such a messaging app? They would lose a lot of clients if they did that. I'm more surprised there's no star (*) after that line lol – HeroicJokester Aug 17 '16 at 15:31
  • So, as they don't store the messages in the database on the server, they can't read them. Probably, that's what they wanted to say. But, definitely, they may decrypt any message! :) The same story with Viber/Telegram etc – Sonya Seyrios Aug 17 '16 at 15:32
  • Yes, pretty much the same, but Telegram uses 256-bit AES encryption which is highly secure and they even have a small reward for someone who can break Telegram, a bit around $200,000. Check it out [Here](https://telegram.org/crypto_contest) – HeroicJokester Aug 17 '16 at 15:36
  • The required symmetric keys are stored in the devices of those who are present in the conversation. WhatsApp doesn't store any private keys. I think you both have missed the point of the end-to-end part. – Luke Park Aug 17 '16 at 22:13
  • They ADDED a backdoor to their end-to-end encryption algorithm: https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages – A. Hersean Jan 13 '17 at 14:19
  • So can we conclude that The Signal is much more open hence more secure than WhatsApp? – Denis May 02 '18 at 13:03
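
The point in Luke Park's comment (keys exist only on the participants' devices), shown as an added example that is not part of the original thread and is not WhatsApp's or Signal's code: two phones create X25519 key pairs locally, and a relay that sees only public keys and ciphertext cannot open the message. The `e2e-demo` label, the SHA-512 key split and the SHAKE/HMAC sealing are simplifications assumed for this demo.

```python
import hashlib, hmac, os

P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k, u):  # RFC 7748 ladder; teaching version, not constant-time
    n = (int.from_bytes(k, "little") & ~7 & ((1 << 255) - 1)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    sk = os.urandom(32)  # private key: created on the device, never sent anywhere
    return sk, x25519(sk, BASE)

def session_keys(sk, peer_pk):  # simplified KDF; real protocols use HKDF
    okm = hashlib.sha512(b"e2e-demo" + x25519(sk, peer_pk)).digest()
    return okm[:32], okm[32:]  # (encryption key, MAC key)

def seal(keys, msg):  # encrypt-then-MAC stand-in for a real AEAD cipher
    nonce = os.urandom(16)
    pad = hashlib.shake_256(keys[0] + nonce).digest(len(msg))
    ct = bytes(m ^ p for m, p in zip(msg, pad))
    return nonce + ct + hmac.new(keys[1], nonce + ct, hashlib.sha256).digest()

def unseal(keys, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(keys[1], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or modified ciphertext
    pad = hashlib.shake_256(keys[0] + nonce).digest(len(ct))
    return bytes(c ^ p for c, p in zip(ct, pad))

def demo():
    (a_sk, a_pk), (b_sk, b_pk), (r_sk, r_pk) = keypair(), keypair(), keypair()
    blob = seal(session_keys(a_sk, b_pk), b"constructed sample message")
    # The relay sees a_pk, b_pk and blob; with only its own private key it fails.
    return unseal(session_keys(b_sk, a_pk), blob), unseal(session_keys(r_sk, a_pk), blob)
```

`demo()` returns the plaintext for Bob and `None` for the relay. The result holds only if the app on each phone behaves like this code, which is the trust question void_in's comment raises.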