Hacker News new | past | comments | ask | show | jobs | submit login

>WhatsApp already has a key extraction protocol built right in for its Web interface.

I don't believe this is correct. WhatsApp (and Signal AFAIK) web works by decrypting the original message on your phone, re-encrypting it with a different key that is shared with your web interface (this is what is being shared via the QR code when connecting to WhatsApp Web), sending it to the web client, and having your web client use the second key to decrypt. This is why your phone must continue to be powered on/connected to the network for the web service to work. The original key is never "extracted", and AFAIK can't be extracted by normal means.

There are a few apps that attempt to exploit a few security vulnerabilities to recreate your key for you if you lose it and need to access backups, but that isn't the same as what you're describing.

WhatsApp always requires your phone to be around, whereas Signal needs it only when you link it. After linking, the desktop client is independent of the phone (being online or in your vicinity or the number being in your possession).

Yep, you're right. I just looked more into it and WhatsApp and Signal operate differently. WhatsApp works as I described, but Signal actually does share the original key between all devices through some sort of key sharing mechanism.

Fair enough, I suppose it's more of a plaintext extraction protocol.

Still, it would take just one decision by Facebook to completely disable e2e or add an actual key extraction method to WhatsApp and there's nothing you can do about it. While WhatsApp is the most secure of all conventional chat apps, it's certainly not a replacement for PGP in most use cases.

Signal-Desktop works even when your phone is turned off.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact