top | item 45174529


alaq | 5 months ago

Messages are e2e and WA doesn't have access to them. We're talking about the metadata here.

From the article: > including contact information, IP addresses and profile photos

I can confirm this, I used to work at WhatsApp.


const_cast | 5 months ago

> Messages are e2e and WA doesn't have access to them. We're talking about the metadata here.

You're still just blindly trusting this is the case. You can't verify the encryption or any of the code.

It would be trivial to actually encrypt the message and send it out and then store an unencrypted version locally and quietly exfiltrate it later.

They have to already be storing an unencrypted version locally, because you can see the messages. So unless you're analyzing packets on the scale of months or years, you cannot possibly know that it isn't being exfiltrated at some point.

Take it a step further: put the exfiltration behind a flag, and then when the NSA asks, turn on the flag for that person. Security researchers will never find it.

roelschroeven | 5 months ago

We don't really know that messages really are end-to-end encrypted though, do we? Is there a way to actually check that the messages in transit are encrypted in a way that only the other end can decrypt them? If not, we have to take Meta's word for it, which frankly doesn't carry much weight.

varenc | 5 months ago

Not trivially. But with painstaking reverse engineering you could prove this. And people have, so you're not exclusively just taking Meta's word. The fact that Pegasus malware relied on a remote code execution vuln to run malware on your phone to extract WhatsApp messages really suggests that the E2EE works. If it wasn't E2EE, then the makers of Pegasus could have just intercepted traffic to get your messages.

Academics have also reverse-engineered it, and though there are some weaknesses it's not a lie that WhatsApp is E2EE. Here's some I just found:

- https://eprint.iacr.org/2025/794.pdf

- https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-Reverse...

lioeters | 5 months ago

How can we call it "E2E encryption" in any meaningful sense of the term when the ends run proprietary code, and at least one of the ends has proven itself unworthy of trust time and again?

wordofx | 5 months ago

Meta/WA. Same thing. Might have worked at WhatsApp but FB still advertises based on conversation content.

jonoc | 5 months ago

Not sure this is correct - alaq said the messages are e2e, so not visible at all by anyone other than the participants of the conversation. The meta->data<- however IS visible to them and can and is likely to be used for advertising.
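Two things the thread argues about can be made concrete in a few lines: what a relay that forwards end-to-end encrypted messages still learns (the metadata point in alaq's and jonoc's comments), and the kind of wire check roelschroeven asks about and varenc says researchers run (does my own message ever appear in the clear on the wire?). The following is an added illustration, not code from the thread or from WhatsApp. The cipher is a stand-in (HMAC-SHA256 keystream with encrypt-then-MAC), not the Signal protocol WhatsApp actually uses; the envelope field names and phone numbers are constructed sample data, and the shared key is simply generated rather than negotiated.

```python
# Added illustration (not from the thread): a minimal model of what an
# end-to-end-encrypted relay can and cannot see, plus the kind of wire check
# a researcher can run on captured traffic. The cipher is a stand-in
# (HMAC-SHA256 keystream + encrypt-then-MAC); it is NOT the Signal protocol
# WhatsApp uses, and the envelope fields below are constructed examples.
import hashlib
import hmac
import math
import os
from collections import Counter
from typing import Optional


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(k_enc, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. Nonce is random unless supplied (for tests)."""
    nonce = os.urandom(16) if nonce is None else nonce
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; anything modified in transit is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def relay_view(envelope: dict) -> dict:
    """Everything an honest relay learns from one message: the metadata, never the text."""
    meta = {k: v for k, v in envelope.items() if k != "payload"}
    meta["payload_len"] = len(envelope["payload"])  # even the size is metadata
    return meta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4, ciphertext approaches log2(len)."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def wire_check(captured_payload: bytes, known_plaintext: bytes) -> dict:
    """The researcher's test: does a message I sent appear on the wire in the clear?"""
    return {
        "plaintext_on_wire": known_plaintext in captured_payload,
        "payload_entropy": shannon_entropy(captured_payload),
        "plaintext_entropy": shannon_entropy(known_plaintext),
    }


if __name__ == "__main__":
    shared = os.urandom(32)  # constructed: a real client gets this from the handshake
    msg = b"meet at the usual place at 9, bring the documents"
    envelope = {  # constructed sample envelope; field names are assumptions
        "from": "+15550100001",
        "to": "+15550100002",
        "src_ip": "198.51.100.7",
        "sent_at": "2025-01-01T09:00:00Z",
        "payload": encrypt(shared, msg),
    }
    print("relay sees:", relay_view(envelope))
    print("wire check:", wire_check(envelope["payload"], msg))
    assert decrypt(shared, envelope["payload"]) == msg
```

Running it prints the sender, recipient, source IP, timestamp and payload length that the relay records, while the wire check reports that the plaintext is absent from the captured bytes and that the payload's entropy is far above that of the English message. That is the whole distinction the thread circles: a passing wire check on your own traffic is evidence that content is protected in transit, and it says nothing at all about what the relay does with the envelope.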