For open source messengers, you can check whether they actually encrypt your messages and whether the server has access to your encryption keys but what about WhatsApp? Since it’s not open source, you can’t be sure that the encryption keys aren’t sent to the server, right? Has there been a case where a government was able to access WhatsApp chats without reading them from the phone itself?

  • FooBarrington@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    The E2E keys are exchanged over Meta servers, right? Couldn’t they just store the keys and decrypt on the server?

    • cmeerw@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Only public keys get exchanged via Meta’s servers, those keys don’t help you with trying to decrypt any messages (you need the corresponding private key to decrypt - and that private key stays on the device).

      Sure, they could just do a man in the middle, but that can be detected by verifying the keys (once, via another channel).

      • FooBarrington@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Makes sense. It does leave the MitM option open as you said, but if they did something nefarious here, it would have long been seen in at least a couple of cases due to OOB verification.