Shocked, I tell you
Comment on Lawsuit Alleges That WhatsApp Has No End-to-End Encryption
just_another_person@lemmy.world 14 hours ago
DUH
Sunspear@piefed.social 14 hours ago
Shocked, I tell you
sexy_peach@feddit.org 13 hours ago
No, if this is proven it would be a real scandal and would bring a lot of users to better alternatives.
If it’s false that’s good too, since then WA has e2e encryption
MrSoup@lemmy.zip 12 hours ago
Most users of WhatsApp don’t care about e2e. They hardly even know what it is.
sexy_peach@feddit.org 16 minutes ago
True. But some would care about broken promises
dependencyinjection@discuss.tchncs.de 11 hours ago
Right. This place sometimes forgets that we are a tiny community of techies that hate the system. Makes me see this place as a bit of a circlejerk at times.
Chronographs@lemmy.zip 9 hours ago
Yeah, the Venn diagram overlap of “people who understand and care about e2ee enough to drop a messaging app for not supporting it” and “people who use WhatsApp” has to be a sliver
Cethin@lemmy.zip 2 hours ago
They don’t know what e2e encryption is, but they sure as hell know what “employees have access to all your messages” means. Sure, it makes it harder for them to find a good alternative, but it will scare some away from Meta (unknown how many will actually care).
timestatic@feddit.org 8 hours ago
No, but average people understand the concept of Meta reading and accessing your private message. That would be a scandal, and rightly so
Rooster326@programming.dev 10 hours ago
They don’t, but they do know what “Any Meta employee, and every US government employee, can read all of your messages” means
Especially if they saw it now
pressanykeynow@lemmy.world 1 hour ago
How would we know?
just_another_person@lemmy.world 12 hours ago
It’s already a known risk, because WA uses centralized key management and servers, and always has, regardless of what Meta says. If you believe their bullshit, then I feel sad for you.
Also…you don’t think that LAWYERS willing to go up against Meta would have rock solid proof from these whistleblowers FIRST before filing a lawsuit?
C’mon now, buddy.
sexy_peach@feddit.org 16 minutes ago
What do you want from me here?
bookmeat@lemmynsfw.com 12 hours ago
I’m surprised anyone is surprised. It’s been known since WhatsApp came out that it’s not true e2ee because Meta holds your keys.
just_another_person@lemmy.world 12 hours ago
Well, they did this whole stupid “rebranding” of it becoming e2e after Facebook bought them a few years back, but literally every security researcher was like “Nahhhh, pass”.
yesman@lemmy.world 11 hours ago
This is not how civil court works. It’s not trial by combat. There is no standard for the quality of lawsuits filed. And despite what the ambulance chasers say on TV, lawyers get paid even when they lose.
“alleged in a lawsuit…” is the same level of credibility as “they out here saying…”.
just_another_person@lemmy.world 11 hours ago
It doesn’t matter if it’s criminal or civil. The costs to bring such a case are massive, and you’re leaving yourself open to a behemoth like Meta just dragging out the case for lengthy periods of time which drastically increase those costs.
No law firm files suit against a giant company like this unless they have rock solid proof they will, at the very least, land a settlement plus recuperation of costs. Just not a thing.
RIotingPacifist@lemmy.world 12 hours ago
What are the better alternatives? Because it seems like the comment section is flooded with people (yourself included) that don’t understand that most (probably all) e2e messaging apps are vulnerable to this attack as long as they trust a centralized server.
The issue isn’t an encryption one, it’s a trust one that requires you to trust the makers of the messaging app and the servers the apps connect to (and the method by which the app is distributed to you).
sexy_peach@feddit.org 15 minutes ago
What is your alternative? Everybody codes their own app??
Also you’re unhinged in these comments
TheNamlessGuy@lemmy.world 1 hour ago
Briar. Designed for, for example, journalists in countries that may persecute them for saying the wrong thing. Can technically be run completely on a mesh network, meaning it’s actually truly decentralized.
Zak@lemmy.world 12 hours ago
Signal uses reproducible builds for its Android client, and I think for desktop as well. That means it’s possible to verify that a particular Signal package is built from the open source Signal codebase. I don’t have to trust Signal because I can check.
If I don’t have extreme security needs, I don’t even have to check. Signal has a high enough profile that I can be confident other people have checked, likely many other people who are more skilled at auditing cryptographic code than I am.
Trusting the server isn’t necessary because the encryption is applied by the sender’s client and removed by the recipient’s client.
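The reproducible-build check described in the comment above, sketched as an added example (not Signal's own tooling and not part of the thread): compare a distributed package with a local build entry by entry, ignoring only the signing files. The file names, sample packages and the exact ignore pattern are constructed assumptions.

```python
import hashlib
import io
import re
import zipfile

# Assumption: JAR-style (v1) signing files are the only entries expected to
# differ, because only the publisher holds the signing key.
SIGNATURE_FILES = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def entry_digests(package: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(package)) as apk:
        for info in apk.infolist():
            if SIGNATURE_FILES.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests

def compare_builds(distributed: bytes, local: bytes) -> list:
    """Return the sorted names of entries that are missing or differ between the packages."""
    a, b = entry_digests(distributed), entry_digests(local)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))

def make_package(entries: dict) -> bytes:
    """Build a constructed in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample packages (hypothetical contents).
APP = {"classes.dex": b"app code v1", "res/layout.xml": b"<layout/>"}
SIGNING = {"META-INF/MANIFEST.MF": b"manifest", "META-INF/CERT.SF": b"sf",
           "META-INF/CERT.RSA": b"publisher signature"}
LOCAL_BUILD = make_package(APP)
STORE_MATCHING = make_package({**APP, **SIGNING})
STORE_ALTERED = make_package({**APP, **SIGNING, "classes.dex": b"app code v1 + extra"})

if __name__ == "__main__":
    print("matching:", compare_builds(STORE_MATCHING, LOCAL_BUILD))
    print("altered: ", compare_builds(STORE_ALTERED, LOCAL_BUILD))
```

An empty list means every code and resource entry in the distributed package is byte-identical to the local build; any name in the list is an entry that needs explaining.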
pressanykeynow@lemmy.world 1 hour ago
Maybe but that doesn’t mean you have the same app they do, Google may have different apks for people who could check it and for those who won’t.
just_another_person@lemmy.world 12 hours ago
Signal
RIotingPacifist@lemmy.world 12 hours ago
You’re just replacing trust in Meta with trust in Signal without understanding why Meta is vulnerable to this.
Is Signal more trustworthy? Probably. Is Signal safe from the attack described? Absolutely not.
Pika@sh.itjust.works 12 hours ago
Just because it’s centralized doesn’t mean that it falls under this risk sector. Theoretically if the app was open sourced and was confirmed to not share your private key remotely on generation (or cross sign the key to allow a master key…), then the most the centralized server could know is your public key, the server wouldn’t have the ability to obtain the private key (which is what is needed to read the e2e encrypted messages)
This process would be repeated for the other party. The cool part of that system is you can still share your public keys via the centralized server, so you wouldn’t need to share the key externally. You just need to be able to confirm that the app itself doesn’t contain code to send your private key to the centralized server. Then checking integrity is as easy as messaging your friend to post what their public key is, and that public key would need to match the public key that the server is supplying as your contact.
The server can’t MiTM attack it because the server has no way of deciphering the message in the first place, so the most it could do is pass the message on to the proper party who has the private key to be able to decrypt it.
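The integrity check described in the comment above (compare the public key a friend posts with the one the server supplies for that contact), as an added example that is not part of the thread. The `KeyDirectory` class, the fingerprint format and the random 32-byte keys are constructed stand-ins, not any real messenger's API.

```python
import hashlib
import hmac
import secrets

def fingerprint(public_key: bytes) -> str:
    """Human-comparable fingerprint: SHA-256 of the key shown as six 5-digit groups."""
    digest = hashlib.sha256(public_key).digest()
    groups = [int.from_bytes(digest[i:i + 3], "big") % 100000 for i in range(0, 18, 3)]
    return " ".join(f"{g:05d}" for g in groups)

class KeyDirectory:
    """Stand-in for the centralized server: it stores and serves public keys only."""
    def __init__(self):
        self._keys = {}

    def publish(self, user: str, public_key: bytes) -> None:
        self._keys[user] = public_key

    def lookup(self, user: str) -> bytes:
        return self._keys[user]

def verify_contact(directory: KeyDirectory, user: str, posted_fingerprint: str) -> bool:
    """True only if the key the server serves matches what the friend posted out of band."""
    served = fingerprint(directory.lookup(user))
    return hmac.compare_digest(served, posted_fingerprint)

def demo() -> tuple:
    # Constructed sample keys: random bytes standing in for real public keys.
    bob_public = secrets.token_bytes(32)
    other_public = secrets.token_bytes(32)
    bob_posted = fingerprint(bob_public)  # what Bob posts through another channel

    consistent = KeyDirectory()
    consistent.publish("bob", bob_public)
    mismatched = KeyDirectory()           # directory serving a different key for "bob"
    mismatched.publish("bob", other_public)

    return (verify_contact(consistent, "bob", bob_posted),
            verify_contact(mismatched, "bob", bob_posted))

if __name__ == "__main__":
    print(demo())
```

A `False` result means the key served for the contact is not the key they hold, so messages encrypted to it should not be sent until the mismatch is explained.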
RIotingPacifist@lemmy.world 12 hours ago
The attack as described almost certainly involves the server sending a message to your client and then having the messages replicated via a side channel to WhatsApp without breaking E2E encryption (it could be adding them as a desktop client or adding them as a hidden participant in all chats, that isn’t clear in the article)
If you could run WhatsApp without connecting to Meta, you would be safe from this attack, but as you’ve pointed out a secure client is a better solution.
Maestro@fedia.io 12 hours ago
With e2e you don't need to trust the servers. You only need to trust the client that does the encryption.
pressanykeynow@lemmy.world 1 hour ago
Should you not also trust your device hardware, its OS and the market you got the app from?
RIotingPacifist@lemmy.world 12 hours ago
The attack as described almost certainly involves the server sending a message to your client and then having the messages replicated via a side channel to WhatsApp without breaking E2E encryption.
But yes the point is you can’t trust the clients.
If you could run WhatsApp without connecting to Meta, you would be safe from this attack, but as you’ve pointed out a secure client is a better solution.
axx@slrpnk.net 12 hours ago
Element / Matrix.
zeca@lemmy.ml 8 hours ago
People wouldn’t move. They know it’s not secure and they don’t care enough.
Nioxic@lemmy.dbzer0.com 9 hours ago
Mark Zuckerberg eats scandals for breakfast
sexy_peach@feddit.org 17 minutes ago
Yes, but WhatsApp has been pretty reliable and trustworthy for many people. No ads etc
devfuuu@lemmy.world [bot] 6 hours ago
It would not. People don’t care. People don’t care that Meta is an evil corp. Encryption is not even close to the top 10 reasons people use that app. It’s just a random word normal users throw around because marketing told them it’s good.
sexy_peach@feddit.org 18 minutes ago
Normal users don’t talk about encryption at all but they somewhat trust WhatsApp
sauerkrautsaul@lemmus.org 12 hours ago
We can’t lose!