
I am not sure if this is the right place to ask but I am pretty sure I am asking a very stupid question. I am a developer but don't know anything about the latest encryption technologies. I've read on many websites that it took WhatsApp many years to come up with this 'technology' and that our messages and everything is now safe.

I have a question that really puzzles me all the time.

  1. If I send a video to one of my friends via WhatsApp Web, it takes some time to upload, and it shows a progress bar while uploading. If I forward the same video to a few other friends of mine, it gets sent within a second, immediately. How? Was it not encrypted? How come it got sent if it didn't encrypt again?

  2. Secondly, how does WhatsApp Web still work? If WhatsApp's website can show me all of my messages (regardless of how I log in), why can the server guys not see it? How is it that they cannot emulate my login and be able to see everything I am doing? I just sent an image to a friend of mine using WhatsApp Web, it got sent, he saw it, everything was fine. I turned off my WiFi before opening WhatsApp and the image hasn't even downloaded!! It's not even in my phone. How did WhatsApp Web use my 'phone' to send that image when it doesn't even exist in my phone? (Note: My settings don't allow automatic downloading of images). Clearly WhatsApp wasn't talking to my phone, it just sent it because it's on the server.

Can someone please help me understand this?

Edit: a link to a page that helps me understand would also suffice. You don't have to write everything here if it's too long. Although I have been googling for quite some time on this. No one asked this question on this website as well.

Muhammad bin Yusrat
  • This is more something for [security.se]. – Artjom B. Oct 20 '16 at 06:06
  • 2. They might be saving the encrypted video on their servers for the first time and then next time they just share the link. – Muhammad Babar Oct 20 '16 at 06:26
  • @Muhammad Babar Of course that would just kill the entire idea of end-to-end encryption.. and that exactly is my question.. it simply implies that the videos were 'not' encrypted. The video could be my personal video and I 'could' be sharing it with my immediate family only and it goes ahead un-encrypted, what's the point of end-to-end encryption then? – Muhammad bin Yusrat Oct 20 '16 at 06:32
  • sure they have the keys or how would they be able to send the keys for ends to decrypt the messages or videos or... and yes they want us to trust them – Mohammad Haidar Oct 20 '16 at 07:17
  • @MohammadHaidar No, they don't have the keys. They are just the transport medium. If they had the keys, then it wouldn't be end to end encrypted. – Luke Joshua Park Oct 20 '16 at 07:54
  • @LukePark and what makes you so sure that when they transport the key they don't save it? You have any evidence? – Mohammad Haidar Oct 20 '16 at 07:57
  • @MuhammadHaider if they want us to trust them, we could do that even when there was no end-to-end encryption? When they write in the app's description that "now even whatsapp cannot read these messages" then this clearly isn't about trust. If it was trust, then those of us who wanted to trust would never need an end-to-end encryption in the first place. – Muhammad bin Yusrat Oct 20 '16 at 08:00
  • @MuhammadbinYusrat then what means your answer? Are you with or against the idea that they could keep the keys on their side and use them to decrypt any chat any time. – Mohammad Haidar Oct 20 '16 at 08:10
  • @MohammadHaidar I think you misunderstand how E2EE works. They never have the key in plaintext, it is transmitted as ciphertext through their servers. You should read the spec, I think you might be confused. – Luke Joshua Park Oct 20 '16 at 08:21
  • @LukePark okay I misunderstood how it works, can you please tell me then how would the key get decrypted in order to decrypt the message – Mohammad Haidar Oct 20 '16 at 08:24
  • @MohammadHaidar Read the spec. It is all in there. Just smart use of asymmetric crypto. – Luke Joshua Park Oct 20 '16 at 08:25
  • @LukePark some link? – Mohammad Haidar Oct 20 '16 at 08:26
  • @LukePark Whatever that can be decrypted on the phone, why can it not be decrypted on the server? The server takes the keys and gives it to the other receiving party.. now the receiving party obviously needs some "key" to decrypt the message.. If the receiving party can decrypt it, why can't the server do it? It's a very easy to understand question. – Muhammad bin Yusrat Oct 20 '16 at 11:01
  • @MuhammadbinYusrat Very simply put, the symmetric keys are distributed to the clients by encrypting the key with each participant's public key. The server only ever sees ciphertext but the clients can decrypt the ciphertext with their respective private keys. Thus, everyone ends up with the same symmetric keys except the server, who still doesn't know anything. – Luke Joshua Park Oct 20 '16 at 11:04
  • This question was closed as too broad, because you asked three separate questions. Since this has very little to do with programming, I would suggest that you ask those questions separately on [security.se]. Please check for duplicates before you post. – Artjom B. Oct 20 '16 at 18:08
  • Question has been edited to focus on WhatsApp web only. – Muhammad bin Yusrat Jan 31 '20 at 07:31
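
Added example, not part of the thread and not WhatsApp's code: a Node.js illustration of the scheme the comments above describe, where the server stores one encrypted blob and each recipient receives only the symmetric key encrypted with their own public key. It shows why forwarding is fast (only a small wrapped key is sent per recipient) and why the server cannot decrypt what it stores. RSA-OAEP, AES-256-GCM, the `server` object and every function name are assumptions chosen for illustration.

```javascript
// Added illustration, not WhatsApp's code; uses only Node.js built-in crypto.
const crypto = require("crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Constructed stand-in for the relay server: it only ever stores opaque bytes.
const server = { blobs: new Map() };

// Each device generates its own key pair; the private key never leaves it.
function newDevice() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// AES-256-GCM; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function open(key, box) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, box.subarray(0, 12));
  decipher.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([decipher.update(box.subarray(28)), decipher.final()]);
}

// Slow step, done once: encrypt the video under a random key and upload the blob.
function uploadMedia(video) {
  const mediaKey = crypto.randomBytes(32);
  const blob = seal(mediaKey, video);
  const blobId = crypto.createHash("sha256").update(blob).digest("hex");
  server.blobs.set(blobId, blob);
  return { blobId, mediaKey };
}

// Fast step, per recipient: wrap the 32-byte key with that recipient's public key.
function forwardTo(recipientPublicKey, media) {
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, media.mediaKey);
  return { blobId: media.blobId, wrappedKey }; // this is all the server relays
}

// Recipient side: unwrap the key with the private key, then decrypt the blob.
function receive(privateKey, message) {
  const mediaKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, message.wrappedKey);
  return open(mediaKey, server.blobs.get(message.blobId));
}
```

The upload cost scales with the video size and is paid once; each forward costs a 256-byte wrapped key, and a party holding neither recipient's private key cannot recover the media key from it.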
