by fdik 4189 days ago
You cannot verify that WhatsApp isn't cheating without a source code analysis. And it's even worse, WhatsApp is a daughter company of Facebook, so WhatsApp is falling under Section 215 US Patriot Act.

In short: it's not Facebook's or WhatsApp's fault, but they're forced to cheat if there is the requirement from US officials.

While there may be E2E encryption in WhatsApp, there is no way to get it trustworthy.

2 comments

Legally, if they indeed enabled E2E, the government shouldn't be able to force them to disclose the data. CALEA says you should decrypt the data for the government only if you have the keys. But with Axolotl E2E encryption, they're not supposed to have them.

Of course the government will try to threaten them with NSLs or tax audits or whatever, and Whatsapp could cave, but the law should be on their side.

But before we get there they actually have to put it in their privacy policy that they are doing that, so then they can show the judge later that they've legally committed to a certain level of privacy for their users.

it's not a case of threatening anyone.

they just pay them to include the additional primes in the public key system. users are still more or less secure. not just whatsapp. pretty much all the public key systems use it. it's still effectively 1024 bit plus keys for everyone but the nsa and gchq.

latest snowden leaks include everything you need for confirmation now you know what to look for.

the way it works is quite straightforward. the rsa key is the product of 4 primes rather than two. two of which are known to the nsa. this shortens the rsa key length to 128 bits which is factored using a sieve on their hpc platform in a fraction of a second.

this gives them the key used for the encryption and allows them to decrypt the messages. but still makes it hard for everyone else to decrypt (since they don't know the nsa primes).

no I'm not going to share the keys they use.
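The arithmetic behind the comment above, and the check a defender would run against it, as an added Python example that is not part of this thread. It builds a toy RSA modulus from four small, well-known primes (constructed here for illustration only; they are not anyone's real key), shows that whoever holds the full factorization can recompute the private exponent, measures how many bits are left to factor once some primes are known, and validates that a modulus is exactly two balanced primes. The function names, the primes and the exponent 65537 are assumptions of this example.

```python
# Added example (not from the thread): toy multi-prime RSA arithmetic plus a
# defender-side key check. Primes below are tiny and chosen for illustration.
from functools import reduce
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (enough here)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def product(values):
    return reduce(lambda a, b: a * b, values, 1)


def build_key(primes, e: int = 65537):
    """Modulus n = product of all primes; d is the RSA private exponent."""
    n = product(primes)
    phi = product(p - 1 for p in primes)   # Euler's totient of a squarefree n
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)                    # Python 3.8+ modular inverse
    return n, e, d


def private_exponent_from_factors(primes, e: int = 65537) -> int:
    """Any party holding the complete factorization can recompute d."""
    return pow(e, -1, product(p - 1 for p in primes))


def unknown_bits(n: int, known_primes) -> int:
    """Bits of modulus still unfactored after dividing out the known primes.

    This is the real cost of hidden factors: the attacker's problem shrinks
    from factoring n to factoring the cofactor.
    """
    cofactor = n
    for p in known_primes:
        assert cofactor % p == 0, "claimed factor does not divide n"
        cofactor //= p
    return cofactor.bit_length()


def check_two_prime_modulus(n: int, p: int, q: int, modulus_bits: int) -> bool:
    """Defender check: n is exactly p*q, both prime, both half the modulus size."""
    if p * q != n or n.bit_length() != modulus_bits:
        return False
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    half = modulus_bits // 2
    return p.bit_length() == half and q.bit_length() == half


# Constructed toy primes (well-known small primes, ~30-31 bits each).
P1, P2, P3, P4 = 1000000007, 1000000009, 998244353, 2147483647


def demo():
    n, e, d = build_key([P1, P2, P3, P4])
    m = 123456789
    roundtrip = pow(pow(m, e, n), d, n) == m
    d_again = private_exponent_from_factors([P1, P2, P3, P4])
    return {
        "roundtrip_ok": roundtrip,
        "d_recomputed": d_again == d,
        "bits_total": n.bit_length(),
        "bits_left_knowing_two": unknown_bits(n, [P1, P2]),
        "two_prime_check_ok": check_two_prime_modulus(P1 * P2, P1, P2, 60),
        "four_prime_rejected": not check_two_prime_modulus(n, P1 * P2, P3 * P4, n.bit_length()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `unknown_bits` is that the modulus length printed by a tool says nothing about how much of it is secret from a party that already knows some factors; `check_two_prime_modulus` is the kind of validation a key-generation audit performs on a freshly generated key before trusting it.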