by Calvin02 833 days ago
You seem to be confusing interoperability with WA’s desires to make sure that e2e encryption isn’t broken.

What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?

My friends and I use WhatsApp because we know the messages are secure. Imagine if every other group message had the “green bubble” equivalent experience if someone was using a custom client.

3 comments

If that's your assumption, I've got bad news: People can already use third-party clients! WhatsApp "mods" for Android, third-party clients hooking into the web client etc. have all long been possible.

Without the DMA, Meta can make it very hard for any business model based on them, but it's never been a technical obstacle.

In a very similar way, you also need to trust your friends to not activate WhatsApp chat backups to Google Drive or iCloud without a password if you don't want end-to-end encryption to be compromised (there's no indication if they have it on or not), and that's the default suggestion by the official client.

You can do E2E encryption without all of these requirements. It's basically just TOFU some key when someone messages you. You can do third-party implementations for other E2E messengers: Telegram, Signal (even though they don't like it), and of course XMPP (with extension).

I need to read a bit more carefully through the (limited) technical documentation they have; but all of this seems highly excessive. I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.

I don't know what "the green bubble experience" means(?)

To be fair, there is one aspect where the platform is trusted with services like Signal and WhatsApp: Identity to phone number binding.

Many people don't actually ever verify their contacts' keys, but rather just rely on the platform provider to have done phone number verification correctly. In that sense, the security model is a bit better than TOFU in practice.

> I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.

There I fully agree. If anyone could find a way, it's the company running the largest messaging infrastructure in the world.
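The two comments above describe the trust-on-first-use model ("just TOFU some key when someone messages you") and its practical weakness (most users never verify keys, so a key that silently changes is accepted unless the client flags it). The following is an added illustration, not code from any of the commenters or from WhatsApp or Signal: a minimal TOFU pin store that records the first key seen for an identity, reports a mismatch when a different key later shows up, and only accepts the new key after an explicit out-of-band verification step. Key material is stand-in random bytes and the fingerprint is a plain SHA-256 digest; both are assumptions for the example, since real messengers derive fingerprints from their own identity-key encoding.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional


def fingerprint(public_key: bytes) -> str:
    """Stable identifier for a key. Real clients hash a canonical
    encoding of the identity key; here we just hash the raw bytes
    (assumption for the example)."""
    return hashlib.sha256(public_key).hexdigest()


def safety_number(fp_a: str, fp_b: str) -> str:
    """Short decimal code both parties can compare in person.
    Sorting the two fingerprints makes the code symmetric, so either
    side computes the same value. This is a toy derivation, not the
    Signal/WhatsApp safety-number algorithm."""
    combined = "".join(sorted([fp_a, fp_b])).encode()
    digest = hashlib.sha256(combined).digest()
    # 60 decimal digits in groups of 5, like the UI presentation.
    number = str(int.from_bytes(digest, "big"))[:60].zfill(60)
    return " ".join(number[i:i + 5] for i in range(0, 60, 5))


@dataclass
class TofuStore:
    """identity (e.g. phone number) -> pinned key fingerprint."""
    pinned: Dict[str, str] = field(default_factory=dict)
    # Identities whose key was confirmed out of band (QR scan, in person).
    verified: Dict[str, bool] = field(default_factory=dict)

    def observe(self, identity: str, public_key: bytes) -> str:
        """Called whenever a message arrives carrying a key for identity.
        Returns one of: "pinned" (first use, key recorded),
        "match" (same key as before), "mismatch" (key changed: do not
        trust until re-verified)."""
        fp = fingerprint(public_key)
        known = self.pinned.get(identity)
        if known is None:
            # Trust on first use: nothing to compare against, so we pin.
            self.pinned[identity] = fp
            self.verified[identity] = False
            return "pinned"
        if known == fp:
            return "match"
        # A changed key is exactly what a MITM or a compromised server
        # would present. The safe default is to refuse, not to repin.
        return "mismatch"

    def accept_after_verification(self, identity: str,
                                  public_key: bytes,
                                  confirmed_code: str) -> bool:
        """Repin only if the user confirmed the safety number for the
        *new* key out of band. Returns True when the pin was updated."""
        fp = fingerprint(public_key)
        known: Optional[str] = self.pinned.get(identity)
        expected = safety_number(fp, known if known else fp)
        if confirmed_code != expected:
            return False
        self.pinned[identity] = fp
        self.verified[identity] = True
        return True


# Constructed sample keys: 32 bytes each, standing in for real
# identity public keys (assumption for the example).
ALICE_KEY_V1 = bytes(range(32))
ALICE_KEY_V2 = bytes(range(32, 64))


def demo() -> list:
    """Walk through first use, a normal message, a key change and a
    verified re-pin; returns the sequence of outcomes."""
    store = TofuStore()
    out = [store.observe("+15550001", ALICE_KEY_V1),   # pinned
           store.observe("+15550001", ALICE_KEY_V1),   # match
           store.observe("+15550001", ALICE_KEY_V2)]   # mismatch
    # Without verification the old pin stays and the new key is refused.
    out.append(store.accept_after_verification("+15550001", ALICE_KEY_V2,
                                               "00000 00000"))
    # With the correct code (as if compared in person) the pin moves.
    code = safety_number(fingerprint(ALICE_KEY_V2), fingerprint(ALICE_KEY_V1))
    out.append(store.accept_after_verification("+15550001", ALICE_KEY_V2, code))
    out.append(store.observe("+15550001", ALICE_KEY_V2))  # match
    return out


if __name__ == "__main__":
    print(demo())
```

The point the thread is making shows up in `observe`: nothing in the protocol stops a third-party client from implementing this; what the platform adds is the phone-number-to-key binding that lets users skip the out-of-band step. A client that silently re-pins on "mismatch" instead of refusing is the failure mode to watch for.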

> What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?

But even if you're using the official super secure endpoint, there's nothing preventing the user from taking a picture of the screen, which bypasses all protections.