undefined | Better HN

0 pointsfemto1y ago0 comments

Does the WhatsApp program generate and store/mange the private keys? If so, it would be possible for the program to send private keys on request, effectively backdooring the endpoint. Such an arrangement would allow Meta to put its hand on it heart and truthfully say it is end-to-end encrypted (on the network), whilst still providing a way around it.

0 comments

3 comments · 1 top-level

lxgr1y ago· 2 in thread

Yes, but users can compare fingerprints (sure, most probably don't, but it's definitely a deterrence against MITMing all conversations by default), receive warnings whenever fingerprints change etc.

There's also supposedly a key transparency service deployed (similar to Certificate Transparency), but I haven't looked into that in detail.

BenjiWiebe1y ago

Sharing private keys gets around all that.

lxgr1y ago

That would require explicit code to do so, which would probably be extremely hard to explain away.

2 more replies

j / k navigate · click thread line to collapse