[bsaul]

I've read the post and i don't understand exactly which scenario they're trying to solve.

i think it's aimed at solving the problem of someone impersonating whatsapp server and responding with corrupted public keys ( but then this person could also impersonate the key repository server ?)

it doesn't however protect users against whatsapp cooperating with states to introduce spying devices / intermediate in your conversation. Does it ?

[snowboarder63]

So it does indeed even guarantee that the server is acting in a trustworthy manner due to the public auditing scenario. We will shortly be making our audit logs publicly available to show that the verified crypto proof the client performs does indeed match the publicly available records. The academic works SEEMless (https://eprint.iacr.org/2018/607) and Parakeet (https://www.ndss-symposium.org/ndss-paper/parakeet-practical...) jointly outline how this all works from a technical perspective.

While we do maintain the directory, we are held to an honest standard by our audit logs. Should any auditor find invalid records, they can publicly hold us accountable.

[bubbleRefuge]

I think in certain countries there are easier ways to clone numbers and also to generate links to switch a whatsapp account to another phone. Attackers will then hijack the account and send out SOS status updates and messages to contacts asking for money. Public Key verify can help 2 parties to authenticate manually so to speak.

[abdullahkhalids]

When I left Canada after my PhD, I stopped paying for my pre-paid phone plan for my Canadian number. A couple of months later, someone tried to scam my cousin in Pakistan, using Whatsapp. The scammer

1. Acquired my Canadian number.

2. Identified it as "my" account, and downloaded a picture of my social media to use as a Whatsapp display picture.

3. Somehow, identified my cousin as a potential target. Not sure how they did it.

4. Located where roughly my cousin lived. Perhaps via social media check-ins or some other way.

5. Asked my cousin to meet in a park not too far from his house, because I was in trouble and needed money.

Thankfully, my cousin did not fall for the scam and contacted me via other means to verify.

[bsaul]

In the scenario you're describing, what would let whatsapp know it actually shouldn't register that new device in the public key repository ?

Either whatsapp knows the phone is hacking the account to a new number / device, in which case it should simply disable it, or it doesn't and then it will treat it exactly like a normal one.

[bubbleRefuge]

Well the pubic key would refresh and the other side could see that. I think whatsapp already sends public key refreshes anyway.