[Barrin92]

This is almost too good to actually go through. Protocol transparency, that is to say forcing companies to open up their APIs would be one of the simplest and effective ways to break platform effects and walled gardens.

It shouldn't just be limited to messaging. An internet where everyone can built a client against Facebook's API, or Youtube or what have you and users get actual choice and control about how they consume those services would be a big leap forward.

[jjav]

> It shouldn't just be limited to messaging. An internet where everyone can built a client against Facebook's API, or Youtube or what have you and users get actual choice and control about how they consume those services would be a big leap forward.

Or a wonderful leap backward, in the most positive sense.

In these days of proprietary wall gardens everywhere it might be difficult to remember, but earlier in the Internet that was how things worked. Every protocol was public, documented in RFCs and all implementations were interoperable (barrings bugs/etc, but mostly anyway).

[RenThraysk]

Er, WhatsApp is based on Noise for client server protocol, and Signal protocol for peer to peer encryption. Both were open standards before WhatsApp implemented them.

[Nextgrid]

The problem is less about how known the protocol is and more about whether the platform owner uses its influence to prevent others from implementing said protocol.

Even a completely obscure protocol can be reverse-engineered given enough time - in fact if you search on GitHub you can already find a lot of client libraries for proprietary services.

The problem is that at the moment the platform owners intentionally detect usage of these alternative clients and ban their users or abuse laws such as copyright to block their development & usage.

[zahllos]

I dunno how to say this but Noise is really a set of possible handshakes with various security guarantees (or, more like, aims, which we are reasonably sure are met), which kinda followed on from X3DH/Signal Protocol. I'm unsure how you got that Noise is a client-server protocol and Signal is peer to peer. When you send a whatsapp message you still send it to WhatsApp servers and the client-server protocol here is probably just TLS. Likewise, when you receive it, probably TLS also. However that message is encrypted "end-to-end" in the sense that the server cannot decrypt the actual message payload on the way. Noise _also_ enables this. Critically this is not peer-to-peer: the clients are still relaying messages via a central server.

Peer-to-peer communication in WhatsApp in the network topology sense happens where possible when making Voice and Video calls, as this is probably WebRTC-derived (it is WebRTC in everything else these days), which concretely involves some kind of call signalling, then p2p setup to talk RTP if possible. This is not Signal Protocol or Noise: it is most likely the S in SRTP with key agreement done over the Signal Protocol. In other words, no key ratcheting between voice or video packets. I'm actually not sure if the session key is ever changed for a given call. To make this clear: call setup happens via a central server but the media streams will go from your IP to theirs directly, if possible (or proxied via WhatsApp if not). The reason for doing calls p2p like this is where possible is to reduce latency.

This is also, last time I looked, true of Signal. We are good at end-to-end text. We are less good at voice/video, particularly voice/video group calls that might not be p2p-able and rather require the server to do something with the RTP streams.

Now, what you're actually missing is that WhatsApp was in its early days based on a fork of ejabberd, the Erlang XMPP Server, with if I understand correctly custom extensions. Thus WhatsApp actually was at some stage somewhat compatible with open standards.

We've also kinda been here before. Google Talk used to interoperate with XMPP just fine and at one stage my own XMPP server could talk to my friends on Google Talk and they'd pretty much not notice.

I agree however that it would be better to have a new protocol that starts based on end to end key agreement like Signal/Noise, rather than use XMPP. Or perhaps use XMPP _inside_ this protocol. This is because "opt-in" crypto is a disaster that probably has happened. Signal and Noise are also missing what the body of those messages should look like and standards for agreeing for example calls, media transfer and so on, basically all the non-crypto parts.

[RenThraysk]

Being a developer and implemented both, I know. Maybe I just mispoke.

[zahllos]

Looks like I fired off a bit too hard as I saw peer to peer and... That means something specific. Sorry about that. There's far too much 'zero knowledge encryption' on the internet, eurgh.

Seems WhatsApp does use noise pipes for some some long running connections. Just checked their doc to be sure.

[RenThraysk]

I misspoke, should have said end to end.

[nashadelic]

Doesn't WhatsApp do a bunch of customizations applied to the base protocol? Its not the vanilla standard

[A4ET8a8uTh0]

Yes, but if I remember correctly, one of the things FB internal document dump showed was that API for smaller and bigger players behaved differently. API access won't mean anything, if companies are allowed to pick and choose how it behaves against some IDs.

[Retric]

Beyond privacy concerns, it’s also going to open these and many other services up to an unending wave of SPAM.

So, I wouldn’t assume it’s great for end users without digging into the details. Don’t forget the last time they did privacy regulations they created an unending wave of click yes to accept cookies.

PS: Looking at rapid downvotes I see people disagree, but mandatory interoperability would presumably force them to accept SpamNetwork101, SpamNetwork102 … etc.

[hetspookjee]

Luckily we’re kept totally safe by our benevolent overlords. Except for our good friend Jeff Bezos that got hacked through a WhatsApp image. Or the overt spam that any publicly posted business WhatsApp number receives.

WhatsApp replaced SMS as a free alternative with media. Sms is just a protocol. It is not necessary that a replacement is walled garden, especially not under the sole guise of spam protection - something that is being done very poorly anyway.

[Retric]

iMessage and WhatsApp are just a tiny selection of social networks.

Depending in the specifics everything from Yahoo! Messenger to MMO chat either needs to get shut down or made interoperable.

[hetspookjee]

I can only expect the matter to be applied to large applications in some sense. Hopefully they learned a lesson or two from GDPR, and tangentially I don’t expect this roll out to happen anytime soon.

[Retric]

That’s possible, but they don’t have a great track record.

[elliekelly]

And this removes agency for those of us who try to keep as much of our data out of Google’s hands as possible. If they’re going to force interoperability it needs to come with restrictions about what they can collect about people who haven’t consented.

[zaarn]

DMA has that (Google can't use Data obtained from Interop in anything but the market they sourced it from, ie E-Mail Data stays in the E-Mail sector) and the GDPR covers the rest (without consent, they are restricted to only processing necessary data to begin with).

[rewq4321]

Why? If your messaging app doesn't have the ability to block stranger requests, why are you still using it?

And even if you for some reason don't want to restrict your requests, you'll probably still be fine - Gmail handles protects me from spam pretty well.

[naoqj]

That's like saying that you don't need a spam filter for email because you can press the "mark as spam" button a hundred times a day.

[tinus_hn]

Good luck blocking a person that pretends to be 10000 different strangers.

[thinkmassive]

“block stranger requests” could mean using your contacts as an allowlist

[A4ET8a8uTh0]

This. I am somewhat surprised allowlist isn't a thing. I get that there are times, you want to be open to the world ( say you are actually waiting for an interview call ), but this would easily solve a good portion of the issues. Am I missing something?

[Retric]

My concern is how broad the definition of social network. Tinder for example requires people to be open to new massages and simply doesn’t work as a whitelist.

Is say MMO chat a social network?

[tinus_hn]

As long as you hardly ever meet new people, of course. Obviously this is not a trivial problem to solve, otherwise spam wouldn’t exist.

[thinkmassive]

If you meet a new person and want to exchange messages, there's not a huge difference between adding them in your messaging app and adding them to your contact list.

Using this model it would better to have multiple lists though, or at least tagging within the general contacts list, so tag-based lists could be allowed by certain apps (to keep business and personal messaging separate for example).

[aaomidi]

Facebook messengers chat requests has basically solved this problem.

New person goes to chat requests, they communicate through another channel they've sent you a message, you go open the graveyard of chat requests and accept theirs.

[Jcowell]

Exactly this. Exactly if the common protocol is SMS/MMS. So what if I can block people on one platform they can just now hop to another.

[em-bee]

or they can create a new account on the same platform. but that's why i don't like platforms that force me to use my phonenumber as a public ID. because already today, if i block you on whatsapp you can find me on signal because my number is the same. so really the interoperability doesn't make it worse than it already is.

[KoftaBob]

Isn't this generally taken care of by only allowing messages from numbers that are in your contact list?

[Retric]

That approach doesn’t work for something like Tinder. It’s also kind of a pain rather than just letting everyone message you on a platform without SPAM.