
It is a bold claim, indeed. What about WhatsApp Web though? I wonder how that works. I guess it connects to the device via a 3rd party (Facebook's) to send the data over HTTPS? Does it use public-key authentication where the key is only known to the WhatsApp Web client? Either way, it is a compromise on E2EE.


>I wonder how that works. I guess [...] Either way, it is a compromise on E2EE.

How about instead of guessing and concluding it must be compromised (argument from ignorance), you do a cursory search and get an actual response?

https://security.stackexchange.com/questions/148321/how-does...


I suggest you read the guidelines for this website [1].

> Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.

As for your link, I'm aware how they claim it works, and even if that is all true (we can't audit the source code), then it is still a compromise of E2EE. E2EE is between two devices, a receiver and a sender. A third device that is also able to receive, without the sender knowing about or agreeing to it, is dangerous. Why? Because you can't know for sure the receiver has access to both machines. If you consider that laptops and PCs are much less safe than mobile devices, then the danger is obvious.

[1] https://news.ycombinator.com/newsguidelines.html


>then it is still a compromise of E2EE. E2EE is between two devices, a receiver and a sender.

I don't get it. Does that mean if I have PGP installed on my desktop, and I also have a VNC server installed on it, it's no longer E2E? That seems like an arbitrary distinction to me. If you extend this further, you could also argue that being able to print out the message, or even have a second person look at the screen breaks E2E. I think the main point of E2E is that unauthorized third parties (including service providers) can't read the message, not that only two devices can read the message.


You get it, but you don't see the relevance.

Alice uses a smartphone and a laptop with WhatsApp. Bob only uses a smartphone with WhatsApp. Alice and Bob discuss something secret. Alice assumes only Bob's (secure) smartphone can read the data. Bob assumes only Alice's (secure) smartphone can read the data. They both have physical access to their smartphones, which lowers the attack surface at that moment. Alice's laptop is in her house. As is Mallory.

My problem with the above isn't that this works; it is how it works. My problem is that Alice never temporarily authorizes WhatsApp Web. My problem is that Bob doesn't know about Alice's 2nd device. These two issues can be addressed, and doing so would raise the privacy of the data considerably. The gut reaction "oh, it's E2EE, so it's secure." is dangerous, and untrue.

Yes, I'm aware you can take screenshots and print chats. You can also send temporary messages with Signal though. That's on top of E2EE, because E2EE isn't a panacea.
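The two mitigations argued for in the comment above (a linked device that is only authorized for a bounded window, and a sender who can see the recipient's device set and notice when it changes) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not WhatsApp's or Signal's code and does not describe their protocols. It assumes a toy multi-device scheme in which every device holds its own key and a message is encrypted separately to each currently authorized device; the HMAC-based stream cipher, the `Account`/`Sender` classes, the device names and the timestamps are all constructed for illustration.

```python
"""Toy multi-device E2EE model (constructed example, not a real messenger's protocol).

Each device has its own key. The sender fans a message out to every device
that is authorized on the recipient's account *right now*, records which
device set it encrypted to, and warns when that set changes between sends.
Secondary ("linked") devices are authorized only until a deadline, so an
expired laptop session simply stops receiving ciphertext.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    key: bytes                     # per-device symmetric key (toy stand-in for a key pair)
    primary: bool
    linked_until: Optional[float]  # None for the primary device, deadline for linked ones


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF; fine for a model, not a production cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_for_device(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_for_device(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Account:
    """A user with one primary device and zero or more time-limited linked devices."""

    def __init__(self, name: str):
        self.name = name
        self.devices: Dict[str, Device] = {}

    def add_primary(self, device_id: str) -> None:
        self.devices[device_id] = Device(device_id, secrets.token_bytes(32), True, None)

    def link_device(self, device_id: str, now: float, ttl: float) -> None:
        # "Temporary authorization": the link is valid only until now + ttl.
        self.devices[device_id] = Device(device_id, secrets.token_bytes(32), False, now + ttl)

    def authorized_devices(self, now: float) -> List[Device]:
        return [d for d in self.devices.values()
                if d.primary or (d.linked_until is not None and now < d.linked_until)]


class Sender:
    """Encrypts to the recipient's current device set and flags any change in it."""

    def __init__(self):
        self.known_device_sets: Dict[str, frozenset] = {}

    def send(self, recipient: Account, plaintext: bytes,
             now: float) -> Tuple[Dict[str, bytes], Optional[str]]:
        devices = recipient.authorized_devices(now)
        current = frozenset(d.device_id for d in devices)
        previous = self.known_device_sets.get(recipient.name)
        warning = None
        if previous is not None and current != previous:
            # This is the "Bob knows about Alice's 2nd device" property.
            warning = (f"device set for {recipient.name} changed: "
                       f"{sorted(previous)} -> {sorted(current)}")
        self.known_device_sets[recipient.name] = current
        envelope = {d.device_id: encrypt_for_device(d.key, plaintext) for d in devices}
        return envelope, warning


def read_on_device(account: Account, device_id: str, envelope: Dict[str, bytes]) -> Optional[bytes]:
    """Returns the plaintext if this device was among the recipients, else None."""
    if device_id not in envelope:
        return None
    return decrypt_for_device(account.devices[device_id].key, envelope[device_id])


if __name__ == "__main__":
    alice, bob = Account("alice"), Sender()
    alice.add_primary("alice-phone")
    _, w = bob.send(alice, b"hello", now=0)
    alice.link_device("alice-laptop", now=10, ttl=3600)
    env, w = bob.send(alice, b"secret", now=20)
    print(w)                                   # warning: laptop appeared
    print(read_on_device(alice, "alice-laptop", env))
    env, w = bob.send(alice, b"later", now=10 + 3600 + 1)
    print(w, "alice-laptop" in env)            # warning: laptop gone; False
```

The sender-side warning is deliberately stateful per recipient: the first send just records the device set (trust on first use), and every later send compares against it, so a laptop linked after the conversation began is surfaced to Bob rather than silently added. Expiry is enforced on the recipient's account before fan-out, so an expired device never receives ciphertext it could later decrypt.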



