
How WhatsApp Needs to Improve Its Encryption - msh
http://blog.nadim.computer/post/115940264683/how-whatsapp-needs-to-improve-its-encryption
======
AndrewKemendo
>Anyone who replaces your public key in transit obtains immediate decryption.

Actually, you would have to _spoof_ the public key, not just replace it,
otherwise it's not actually an end-to-end system. Seems like doing the key
verification step on the server is how the author describes it, which would
very much not be secure in any world. Is that what the author is claiming?

If there are devices using the network that aren't capable of PKI, which seems
dubious given how ubiquitous PGP is, then they have a major vulnerability.

Given that they own the native app development, and aren't using a browser for
example, I see no reason why WhatsApp wouldn't be able to implement true end-
to-end on any device that had capable hardware - unless it was engineered
specifically to be able to break the encryption chain.

What am I missing here?
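The point under discussion, that an intermediary who hands each party a substituted public key can read the traffic unless the keys are verified over a channel the intermediary cannot edit, as an added illustration that is not part of this thread: a toy Diffie-Hellman exchange relayed through a server, with the group parameters, function names and the fingerprint comparison all being assumptions of this example rather than anything WhatsApp does.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (assumption: NOT secure
# parameters; real protocols use large standardised groups or X25519).
P = 2**127 - 1
G = 5


def keypair():
    """Generate a private exponent and its public value."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash of a public key: the value users compare out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def exchange(server_substitutes):
    """Relay Alice's and Bob's public keys through a server.

    Returns whether both parties derived the same secret, whether the server
    can derive each party's secret, and whether an out-of-band fingerprint
    comparison would reveal the substitution.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if server_substitutes:
        # The server delivers its own public value instead of the peer's.
        s_priv, s_pub = keypair()
        a_receives, b_receives = s_pub, s_pub
    else:
        a_receives, b_receives = b_pub, a_pub
    a_secret = shared_secret(a_priv, a_receives)
    b_secret = shared_secret(b_priv, b_receives)
    server_can_decrypt = False
    if server_substitutes:
        # The server derives a secret with each party from the keys it saw.
        server_can_decrypt = (shared_secret(s_priv, a_pub) == a_secret
                              and shared_secret(s_priv, b_pub) == b_secret)
    # Out-of-band check: Alice compares the fingerprint of the key she
    # received with the fingerprint Bob reads to her directly.
    detected = fingerprint(a_receives) != fingerprint(b_pub)
    return {"parties_agree": a_secret == b_secret,
            "server_can_decrypt": server_can_decrypt,
            "detected": detected}
```

The honest relay yields one shared secret and a matching fingerprint; the substituting relay yields two secrets the server knows and a fingerprint mismatch, which is exactly what the manual verification step exists to catch.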

