this post was submitted on 29 Nov 2023

Privacy


Two questions.

My family insist on using Whatsapp for the family chats. I have to keep a copy on a device just so I can communicate with them. I do so under protest, as I was always told it isn't secure. My brother has just said

"oh Whatsapp is encrypted, it's perfectly secure".

First, is it actually as encrypted and safe as my brother claims? That would solve everything.

Second, if it isn't, where can I get some proof that we should switch to Telegram or whatever? Proof which doesn't make me look like a raving loony?

[–] GiM@feddit.de 0 points 9 months ago

The contents of the chat messages are e2e encrypted, so Meta can't see what you are sending.

But they can see all of the metadata, i.e. how often you chat with someone, how often you send pictures/videos/voice messages, etc.

That is more than enough to know everything about you and your friends.
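
Added example, not part of the original thread: a short Python sketch of what can be derived from message envelopes alone when the payload is end-to-end encrypted. The account names, the envelope fields and every record in `ENVELOPES` are constructed for illustration and do not describe WhatsApp's actual logging.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: what a relay could see for E2EE traffic. The payload is
# opaque ciphertext, so only envelope fields appear here (an assumption):
# (timestamp, sender, recipient, kind, ciphertext_bytes)
ENVELOPES = [
    ("2023-11-27T07:58:00", "alice", "bob",   "text",  212),
    ("2023-11-27T08:01:00", "bob",   "alice", "text",  180),
    ("2023-11-27T22:40:00", "alice", "carol", "image", 348_112),
    ("2023-11-27T22:41:00", "carol", "alice", "voice", 95_400),
    ("2023-11-28T22:15:00", "alice", "carol", "text",  240),
    ("2023-11-28T22:17:00", "carol", "alice", "image", 402_980),
    ("2023-11-28T22:30:00", "alice", "carol", "text",  198),
    ("2023-11-29T08:03:00", "alice", "bob",   "text",  175),
]

def contact_graph(envelopes):
    """Count messages per unordered pair: who talks to whom, and how often."""
    pairs = Counter()
    for _ts, sender, recipient, _kind, _size in envelopes:
        pairs[frozenset((sender, recipient))] += 1
    return pairs

def profile(envelopes, user):
    """Summarise one account from envelope fields alone (no plaintext used)."""
    contacts, kinds, hours = Counter(), Counter(), Counter()
    for ts, sender, recipient, kind, _size in envelopes:
        if user not in (sender, recipient):
            continue
        contacts[recipient if sender == user else sender] += 1
        if sender == user:  # sending habits: media types and time of day
            kinds[kind] += 1
            hours[datetime.fromisoformat(ts).hour] += 1
    top_contact, top_hour = contacts.most_common(1), hours.most_common(1)
    return {
        "closest_contact": top_contact[0][0] if top_contact else None,
        "messages_per_contact": dict(contacts),
        "sent_by_kind": dict(kinds),
        "busiest_hour": top_hour[0][0] if top_hour else None,
    }

if __name__ == "__main__":
    for pair, n in contact_graph(ENVELOPES).most_common():
        print(sorted(pair), n)
    print(profile(ENVELOPES, "alice"))
```

No decryption key appears anywhere in the sketch; the contact ranking, media habits and active hours all come from fields that stay visible even when the content is encrypted.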

[–] otter@lemmy.ca 0 points 9 months ago* (last edited 9 months ago) (1 children)

My understanding is that it IS encrypted, and it's supposed to use the Signal protocol (Signal developed it and released it for others to use).

The problems are with

  • metadata (like the other comment explained)
  • closed source, so we take their word on it for how it works. It's possible they're being misleading or doing something shady

See this image from a few years ago:

Note that Signal does require this, which isn't in the chart:

  • phone number (for now)
  • last active date
  • sign up date (I think)
[–] pylapp@programming.dev 0 points 9 months ago (1 children)

Interesting! Do you remember where you got this chart?

[–] elvith@feddit.de 0 points 9 months ago

These are just screenshots of the data privacy section from the Apple AppStore of each of the apps. Afaik those are mandatory & self reported by the devs of the app.

[–] vikinghoarder@infosec.pub 0 points 9 months ago (1 children)

I assume WhatsApp encryption is equivalent to HTTPS: your connection to the server is encrypted and "impossible" to be intercepted and decrypted, but on the server end everything arrives as clear text, so the only people that can watch your conversation are the recipient of the messages and WhatsApp.

[–] h3ndrik@feddit.de 0 points 9 months ago* (last edited 9 months ago) (1 children)

That's not correct. WA claims to use end-to-end encryption. I have no reason to doubt that. It probably arrives encrypted at the servers, not as clear-text.

That'd also align with the business-model of big tech. They do lots of things with meta-data. And algorithms can infer lots of important things just by looking at that. I wouldn't be surprised if they really don't care about the exact content of WA messages.

[–] vikinghoarder@infosec.pub 0 points 9 months ago (1 children)

Reading WhatsApp's definition of E2EE, that seems to be the case. I stand corrected.

[–] h3ndrik@feddit.de 0 points 9 months ago* (last edited 9 months ago)

Yeah. I think they partnered with the makers of Signal and took the encryption from Signal back in 2014 or 2015. I still remember the first of my friends adopting WA and it had zero encryption or protection against impersonating people. I used XMPP (Jabber) back then and just shook my head.

But it's different now.

[–] h3ndrik@feddit.de 0 points 9 months ago* (last edited 9 months ago)

In case they're set on WhatsApp:

You could use something like:

https://github.com/mautrix/whatsapp

and bridge WA to a secure Matrix server of your choice. That way you can have a secure environment and they can use whatever they like.

Here is an overview table about messengers, in case you want to compare them and have more arguments in the discussion:

https://www.messenger-matrix.de/messenger-matrix-en.html

I wouldn't consider WA secure. They do tracking, they have your phone numbers and those of all of your friends and know exactly who you talk to, when, and how often. Even if they don't know the content of the message because it's encrypted, that's a lot of information for the algorithm to feed on. Apart from that, I'm not sure if they have access to the encryption keys. They might be able to decrypt everything if they want.

I'm sure someone wrote a lengthy blog article about WA. But unless someone does a proper security audit including where the encryption keys are stored and the implications of that and how extra features like breaking encryption in case someone flags an inappropriate post turn out... The 'it's safe' is just a claim by your brother or Meta. You're free to believe in anything you want. But it's not necessarily true.

[–] ris@feddit.de 0 points 6 months ago

WhatsApp gives you the option to back up all messages to Google or Apple Cloud unencrypted.

[–] Pantherina@feddit.de 0 points 9 months ago

No Telegram lol. That's way worse. WhatsApp says they are E2EE but it's all "trust me bro" because you cannot look at the code.

With Telegram it's a little pain to open encrypted chats and groups are always unencrypted. So it's useless.

Let them try Signal, it's nearly identical but you can trust it.