Ah yes, WhatsApp, that bastion of privacy, and not at all a messaging service that exists primarily for Meta to mine.
If everyone was on Signal, sure, but if everyone's on WhatsApp, maybe not the kind of thing to go "why don't you just do this too, why are North Americans so backward?" for something owned by what is basically still just Facebook.
WhatsApp and Signal use the same encryption and the same messaging protocol.
Piece of advice: As far as tech is concerned, HN isn’t a place where you can get away with talking about things you don’t understand. You’ll far too often run up against people who have more expertise in what you write about than you have expertise brushing your teeth.
I know what I'm talking about, and I'm detecting some arrogance.
Also, it doesn't matter here, but where are you getting that WhatsApp and Signal use the same messaging protocol? Might be missing something, but I don't see that they both use XMPP, if that's what you mean.
I know what the words mean, but I don't know what the ends are doing. Facebook practically controls either end, unless users are reverse-engineering.
I also don't know what the middle is doing. Client still trusts the server to give the correct identity aka pubkey for the other clients. Server could give its own and mitm, like a corrupt root CA for TLS. Yes this requires more deliberate action on FB's part, so it's at least better than non-e2ee, but not trustless like people often claim. This issue isn't at all unique to WhatsApp.
No, the middle is not trusted, that’s the whole point of end-to-end encryption. Users can check security keys. Also, yes, some people are reverse engineering clients. If you’re claiming that the WhatsApp clients are backdoored and faking the end-to-end encryption claim, that would be pretty big news.
The middle is trusted for the identity exchange and not afterwards. This is fundamental and has nothing to do with what protocol is used. If you explain to me an e2ee messaging protocol with a centralized server that you think is trustless, I can always show you a leap of faith in there.
The first time your client messages another on WhatsApp, it knows nothing other than the phone number and has to somehow go through WhatsApp to exchange keys with the other client. WhatsApp can simply fake that entire exchange. Now, WhatsApp also lets you physically visit another user and scan a QR code to verify the identity out-of-band, which escapes that "centralized server" limitation I mentioned, but few use that feature. Compare this to how HTTPS works; you trust the certificate authority unless you gather the certs yourself.
I doubt the clients are backdoored to defeat the encryption, but idk what advertising metrics they're sending or what might change in the future.
Yeah, that’s end-to-end encryption. Like any security protocol, it is based on assumptions, and trust comes from somewhere. In this case trust comes from verifying each other's security keys, or more meta: knowing that the incentives for the server to cheat are low, as they might get caught by anyone checking and it could kill the entire product.
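The identity-exchange point debated in the thread above, as an added example that is not part of any commenter's post: a model of a central key directory, trust-on-first-use pinning, and the out-of-band code comparison that detects a substituted key. `Directory`, `Client` and `fingerprint` are hypothetical names, random bytes stand in for public keys, and the fingerprint is a simplified stand-in for a security code, not WhatsApp's or Signal's actual algorithm.

```python
import hashlib
import os

def fingerprint(key_a: bytes, key_b: bytes) -> str:
    # Order-independent digest of both identity keys; each user reads it aloud or scans it.
    lo, hi = sorted([key_a, key_b])
    return hashlib.sha256(lo + hi).hexdigest()[:24]

class Directory:
    # Central server mapping phone numbers to identity keys (assumed model).
    def __init__(self, substitute=None):
        self.keys = {}
        self.substitute = substitute  # key handed out in place of the real one, if set

    def register(self, number, pubkey):
        self.keys[number] = pubkey

    def lookup(self, number):
        return self.substitute if self.substitute is not None else self.keys[number]

class Client:
    def __init__(self, number, directory):
        self.number = number
        self.identity = os.urandom(32)  # constructed stand-in for a public identity key
        self.directory = directory
        self.pinned = {}
        directory.register(number, self.identity)

    def peer_key(self, number):
        key = self.directory.lookup(number)
        pinned = self.pinned.setdefault(number, key)  # trust on first use
        if pinned != key:
            raise ValueError("identity key changed for " + number)
        return key

    def code_for(self, number):
        return fingerprint(self.identity, self.peer_key(number))

def codes_match(directory):
    # Both users compute their code and compare it over a channel the server does not control.
    alice = Client("+10000000001", directory)  # constructed phone numbers
    bob = Client("+10000000002", directory)
    return alice.code_for(bob.number) == bob.code_for(alice.number)

if __name__ == "__main__":
    print("honest directory, codes match:", codes_match(Directory()))
    print("substituting directory, codes match:", codes_match(Directory(os.urandom(32))))
```

Pinning alone accepts whatever key arrives on first contact; it only flags a later change, which is why the comparison has to happen outside the server's reach.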