by arp242 838 days ago
Gosh, all of this is so locked down.

I've been waiting for this, and hoping I could "just" cook up some of my own code to use with WhatsApp, and/or integrate it with Pidgin or bridge to email or whatever. But the entire process is about as hostile as possible.

For example "Partner shall have in place a dedicated security team" basically excludes most startups, or most smaller companies.

It's not clear to me if this is really complying with the DMA – it's certainly not in the spirit of it, but I'm less sure about the letter of it.


I think it's quite fair to demand basic security compliance for implementing an E2EE messenger.

That said, I'm sure we'll see open source libraries pop up everywhere to communicate with WhatsApp directly. There already are unofficial WhatsApp clients in various forms, but now they can use the protocol without risking breakage because they reverse engineered the contents of the protocol itself.

I think there will be plenty of space for the Beeper Minis out there right now.

> I'm sure we'll see open source libraries pop up everywhere to communicate with WhatsApp directly.

How so? Each of them would need approval by Meta + signing an NDA, and I can easily see that ruling out open source libraries.

Most of the protocol is already reverse engineered. Once less heavily obfuscated apps start using the external messengers API, implementing the rest of the protocol should be a lot easier.

> I think it's quite fair to demand basic security compliance for implementing an E2EE messenger.

That's really a decision you should make, and not WhatsApp – "do I trust this arp242 guy and his GitHub repo?"

And some auditing isn't necessarily too bad, I guess, but a lot of this goes far beyond "basic security"; it's the type of "corporate checkbox security" that we all know works so well.

You seem to be confusing interoperability with WA’s desires to make sure that e2e encryption isn’t broken.

What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?

My friends and I use WhatsApp because we know the messages are secure. Imagine if every other group message had the “green bubble” equivalent experience because someone was using a custom client.

If that's your assumption, I've got bad news: People can already use third-party clients! WhatsApp "mods" for Android, third-party clients hooking into the web client etc. have all long been possible.

Without the DMA, Meta can make it very hard for any business model based on them, but it's never been a technical obstacle.

In a very similar way, you also need to trust your friends to not activate WhatsApp chat backups to Google Drive or iCloud without a password if you don't want end-to-end encryption to be compromised (there's no indication if they have it on or not), and that's the default suggestion by the official client.

You can do E2E encryption without all of these requirements. It's basically just TOFU on some key when someone messages you. You can do third-party implementations for other E2E messengers: Telegram, Signal (even though they don't like it), and of course XMPP (with extensions).

I need to read a bit more carefully through the (limited) technical documentation they have; but all of this seems highly excessive. I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.

I don't know what "the green bubble experience" means(?)

To be fair, there is one aspect where the platform is trusted with services like Signal and WhatsApp: Identity to phone number binding.

Many people don't actually ever verify their contacts' keys, but rather just rely on the platform provider to have done phone number verification correctly. In that sense, the security model is a bit better than TOFU in practice.

> I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.

There I fully agree. If anyone could find a way, it's the company running the largest messaging infrastructure in the world.
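The two comments above describe the same trust decision from two sides: a client that simply trusts (and pins) whatever key arrives on first contact, and a user who instead relies on the provider's phone-number directory to hand out the right key. The following is an added illustration, not code from the thread or from WhatsApp, Signal or any real client; the keys, the phone number and the "directory" are constructed stand-ins. It shows what TOFU pinning catches (a key that changes after first contact) and what it does not (a substituted key on the very first message), and why an out-of-band fingerprint comparison is what closes that gap.

```python
import hashlib
from dataclasses import dataclass, field

# All keys below are constructed stand-ins (SHA-256 of a label), not real
# identity keys; `directory` is a toy model of a provider's phone-number -> key
# lookup, which the client has to trust unless fingerprints are compared out of band.


def fingerprint(pubkey: bytes) -> str:
    """Short hex fingerprint a user could compare out of band (e.g. read aloud)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class Pin:
    fingerprint: str
    verified: bool = False  # set once the user compared fingerprints out of band


@dataclass
class TofuClient:
    pins: dict = field(default_factory=dict)

    def on_message(self, phone: str, pubkey: bytes) -> str:
        """Decide how to treat the identity key presented for `phone`."""
        fp = fingerprint(pubkey)
        pin = self.pins.get(phone)
        if pin is None:
            self.pins[phone] = Pin(fp)        # first use: trust it, and remember it
            return "pinned"
        if pin.fingerprint == fp:
            return "match-verified" if pin.verified else "match"
        return "KEY_CHANGED"                  # reinstall, or a substituted key: warn, never auto-accept

    def verify_out_of_band(self, phone: str, fp_from_contact: str) -> bool:
        """Compare the pinned fingerprint with one obtained directly from the contact."""
        pin = self.pins[phone]
        pin.verified = pin.fingerprint == fp_from_contact
        return pin.verified


ALICE_KEY = hashlib.sha256(b"alice identity key (constructed)").digest()
MALLORY_KEY = hashlib.sha256(b"mallory identity key (constructed)").digest()
ALICE_PHONE = "+15555550100"  # constructed


def scenario_substitution_after_first_contact() -> list:
    """Directory is honest at first, later hands out Mallory's key: TOFU catches it."""
    directory = {ALICE_PHONE: ALICE_KEY}
    bob = TofuClient()
    results = [bob.on_message(ALICE_PHONE, directory[ALICE_PHONE])]
    directory[ALICE_PHONE] = MALLORY_KEY       # provider (or someone controlling it) swaps the key
    results.append(bob.on_message(ALICE_PHONE, directory[ALICE_PHONE]))
    return results  # ['pinned', 'KEY_CHANGED']


def scenario_substitution_from_the_start() -> dict:
    """Directory lies from the first message: TOFU alone pins Mallory's key silently;
    only comparing fingerprints with Alice herself reveals the mismatch."""
    directory = {ALICE_PHONE: MALLORY_KEY}
    bob = TofuClient()
    first = bob.on_message(ALICE_PHONE, directory[ALICE_PHONE])
    verified = bob.verify_out_of_band(ALICE_PHONE, fingerprint(ALICE_KEY))
    return {"first_contact": first, "oob_verified": verified}
    # {'first_contact': 'pinned', 'oob_verified': False}


def scenario_honest_and_verified() -> str:
    """Honest directory plus an out-of-band check: later messages are fully verified."""
    bob = TofuClient()
    bob.on_message(ALICE_PHONE, ALICE_KEY)
    bob.verify_out_of_band(ALICE_PHONE, fingerprint(ALICE_KEY))
    return bob.on_message(ALICE_PHONE, ALICE_KEY)  # 'match-verified'
```

The point the comment makes falls out of the second scenario: a client that never compares fingerprints is only as trustworthy as the directory on first contact, so "the platform verified the phone number" is doing real work in the threat model, and a third-party client would inherit exactly that dependency.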

>What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?

But even if you're using the official super secure endpoint, there's nothing preventing the user from taking a picture of the screen, which bypasses all protections.