It is actually verified e2ee. However, they do keep a ‘spare key’ for every single user and chat, you know, in case they need to help you, the good guys at Meta.
Also, their e2ee is built on the signal protocol. Now, their server code and client code are not open source, so they could have left all types of doors open for their benefit. Also, the Metadata is not encrypted at all, something they actually brag about for some reason.
And just to be clear, I am a genuine 'everything-meta-hater" (and Google, MicroShit, Crapple, Crapsung, etc.), but spreading misinformation doesn’t help preaching about privacy and security.
That verified if their backups were end to end encrypted though right?
It’s also interesting what was out of scope:
Limitations
The following components were not in scope; NCC Group was therefore unable to evaluate and identify issues with them:
• Third-party and proprietary HSM vendor implementation.
• Backup encryption implementation.
• Side-channels in the access, creation, modification and deletion of backup data on third-party cloud storage.
Dude, you seem to be under the impression that I’m somehow defending meta, and you’re evidently in battle mode. I said my piece, provided the evidence as requested. I guess this is where I drop off of this convoy for ith you, buddy. Make of it what you will. Have a good day.
No, I am not in battle mode. I just read the link and found it interesting and responded with things I saw in it.
What I didn’t do, was realize you sent TWO links, and I failed to read the second one. But believe me I am not trying to argue in any way. I am just responding.
The second link was also just for backups.
Again, I am just saying that they are not able to demonstrate that they are actually implementing this, AND that both of those links are for backups only. Thats all.
And I totally get what you were driving at: it doesn’t matter, they have a “spare key”.
I don’t think it will. It’s just another outside audit (no idea if país by meta or not though). It is E2ee, that’s the bottom line. Now, the implementation is what dictates what that’s worth. It’s no different than client-side scanning or Microsoft co-pilot. What’s the point of having e2ee if someone else can get access either before encryption or by a third party, like meta, having a master key to decrypt anyway?
The first thing was if there was any indo of e2ee being implemented, there’s plenty, even Cloudflare audited them at one point if I recall correctly. But, nobody knows how it’s implemented, except for meta, and that’s where the lack of trust resides, because we all trust meta as far as we can throw our cars.
As far as I’m aware Moxie Marlinspike made the encryption before it was acquired by Facebook. One of the founders of WhatsApp now finances Marlinspike’d Signal messenger.
In theory Meta only sees who you communicate with, but not what you communicate.
(I wouldn’t be surprised if the bastards are trying to undo the encryption if they already haven’t.)
It is actually verified e2ee. However, they do keep a ‘spare key’ for every single user and chat, you know, in case they need to help you, the good guys at Meta.
Can you show me where it’s verified? Did someone get to see the code?
https://www.nccgroup.com/media/fzwdxklh/_ncc_group_whatsapp_e001000m_report_2021-10-27_v12.pdf
https://eprint.iacr.org/2023/843.pdf
Also, their e2ee is built on the signal protocol. Now, their server code and client code are not open source, so they could have left all types of doors open for their benefit. Also, the Metadata is not encrypted at all, something they actually brag about for some reason.
And just to be clear, I am a genuine 'everything-meta-hater" (and Google, MicroShit, Crapple, Crapsung, etc.), but spreading misinformation doesn’t help preaching about privacy and security.
That verified if their backups were end to end encrypted though right?
It’s also interesting what was out of scope:
Dude, you seem to be under the impression that I’m somehow defending meta, and you’re evidently in battle mode. I said my piece, provided the evidence as requested. I guess this is where I drop off of this convoy for ith you, buddy. Make of it what you will. Have a good day.
No, I am not in battle mode. I just read the link and found it interesting and responded with things I saw in it.
What I didn’t do, was realize you sent TWO links, and I failed to read the second one. But believe me I am not trying to argue in any way. I am just responding.
The second link was also just for backups.
Again, I am just saying that they are not able to demonstrate that they are actually implementing this, AND that both of those links are for backups only. Thats all.
And I totally get what you were driving at: it doesn’t matter, they have a “spare key”.
I don’t think it will. It’s just another outside audit (no idea if país by meta or not though). It is E2ee, that’s the bottom line. Now, the implementation is what dictates what that’s worth. It’s no different than client-side scanning or Microsoft co-pilot. What’s the point of having e2ee if someone else can get access either before encryption or by a third party, like meta, having a master key to decrypt anyway?
The first thing was if there was any indo of e2ee being implemented, there’s plenty, even Cloudflare audited them at one point if I recall correctly. But, nobody knows how it’s implemented, except for meta, and that’s where the lack of trust resides, because we all trust meta as far as we can throw our cars.
As far as I’m aware Moxie Marlinspike made the encryption before it was acquired by Facebook. One of the founders of WhatsApp now finances Marlinspike’d Signal messenger.
In theory Meta only sees who you communicate with, but not what you communicate.
(I wouldn’t be surprised if the bastards are trying to undo the encryption if they already haven’t.)
not that it really matters, but it was a few years after the acquisition.