WhatsApp claims to be E2E/not readable by Facebook and to my knowledge, all we have to the contrary is speculation provided you verify the keys on both ends (same as Signal). Facebook might know who you’re messaging but that’s also true for Signal. I’d still 100% trust Signal over WhatsApp given Facebook’s massive conflict of interest, but SMS has been known-bad and collected by the NSA for a decade now. US telecommunications companies also have a terrible reputation for privacy. The only advantage it has over any other platform is portability between providers but even that falls to the side since you can have multiple messaging apps at once.
Facebook might know who you’re messaging but that’s also true for Signal.
Signal’s sealed sender does a good job at knowing you’re sending a message, but not who to. All it’ll know on the receiving end is that a message was sent to it.
Of course people have found other methods of identifying this but sealed sender does cover most of the low hanging fruit.
Signal does also purposefully attempt to find ways to not collect any metadata, whilst also making it more difficult for anyone attacking to the servers to find anything. (e.g. ORAM for Secure Enclave operations)
My understanding is that meta used E2EE on your messages themselves, but everything else is up for grabs.
Don’t buy into this, this is just marketing. I’m not saying that Signal is acting in bad faith, only that they chose to design a communication silo with themselves at the helm instead of a federation of servers/providers united by the same protocol. Because of that, they own all accounts, and have the monopoly of messages being routing on the network. Of course there is no difficulty for them knowing who’s addressing whom, how often, with what kind of payload, by topology. “Sealed senders” and “secure enclave contacts discovery” is just techno babble meaning “trust us, bro. Especially because you have no choice, anyway”.
Is your source for “what privacy experts say” a sad jpeg meme, really?
Also, no matter what some distracted expert might say, the only fact that matters is that none of Signal’s marketing claims are verifiable: the feature you are referring to happens server-side. Nobody but Signal knows what runs server-side. The guarantee of “not knowing who’s talking to whom” isn’t built into the protocol itself. This is where trust enters the picture.
The dominant paradigm in cybersecurity is that trust is not proof of anything. Math is. And “sealed senders” isn’t that.
Fair. But I would say they have a disincentive to lie about E2E because it’s a selling point of WhatsApp and if they didn’t care they could just roll WhatsApp into Facebook Messenger where there is no promise of E2E.
If E2EE was broken in any app (not just WhatsApp but also Telegram, Signal, iMessage, etc) then someone would have figured that out by now by sniffing the traffic and analyzing the apps in a debugger.
WhatsApp claims to be E2E/not readable by Facebook and to my knowledge, all we have to the contrary is speculation provided you verify the keys on both ends (same as Signal). Facebook might know who you’re messaging but that’s also true for Signal. I’d still 100% trust Signal over WhatsApp given Facebook’s massive conflict of interest, but SMS has been known-bad and collected by the NSA for a decade now. US telecommunications companies also have a terrible reputation for privacy. The only advantage it has over any other platform is portability between providers but even that falls to the side since you can have multiple messaging apps at once.
Signal’s sealed sender does a good job at knowing you’re sending a message, but not who to. All it’ll know on the receiving end is that a message was sent to it.
Of course people have found other methods of identifying this but sealed sender does cover most of the low hanging fruit.
Signal does also purposefully attempt to find ways to not collect any metadata, whilst also making it more difficult for anyone attacking to the servers to find anything. (e.g. ORAM for Secure Enclave operations)
My understanding is that meta used E2EE on your messages themselves, but everything else is up for grabs.
Don’t buy into this, this is just marketing. I’m not saying that Signal is acting in bad faith, only that they chose to design a communication silo with themselves at the helm instead of a federation of servers/providers united by the same protocol. Because of that, they own all accounts, and have the monopoly of messages being routing on the network. Of course there is no difficulty for them knowing who’s addressing whom, how often, with what kind of payload, by topology. “Sealed senders” and “secure enclave contacts discovery” is just techno babble meaning “trust us, bro. Especially because you have no choice, anyway”.
No, I don’t think I will
I’ll trust what the cyber security and privacy experts say.
Is your source for “what privacy experts say” a sad jpeg meme, really?
Also, no matter what some distracted expert might say, the only fact that matters is that none of Signal’s marketing claims are verifiable: the feature you are referring to happens server-side. Nobody but Signal knows what runs server-side. The guarantee of “not knowing who’s talking to whom” isn’t built into the protocol itself. This is where trust enters the picture.
The dominant paradigm in cybersecurity is that trust is not proof of anything. Math is. And “sealed senders” isn’t that.
Facebook lies all the time. Why would anyone believe anything they say?
Fair. But I would say they have a disincentive to lie about E2E because it’s a selling point of WhatsApp and if they didn’t care they could just roll WhatsApp into Facebook Messenger where there is no promise of E2E.
If E2EE was broken in any app (not just WhatsApp but also Telegram, Signal, iMessage, etc) then someone would have figured that out by now by sniffing the traffic and analyzing the apps in a debugger.