And if so, why exactly? It says it’s end-to-end encrypted. The metadata isn’t. But what is metadata and is it bad that it’s not? Are there any other problematic things?
I think I have a few answers for these questions, but I was wondering if anyone else has good answers/explanations/links to share where I can inform myself more.
E2E is not equal to Symmetric Encryption, which is the most private “one way” encryption meaning the user controls the data at the origin, and the messages can’t be decrypted by anyone else.
WhatsApp is not the latter, so it is not private. Signal is symmetric, for example.
Care to elaborate? You can’t just imply asymmetric encryption can be decrypted by 3rd parties and not explain how.
Also I don’t know how exactly signal works but I know that you don’t need to share secrets externally to message someone, so how are they exchanging the symmetric keys without using asymmetric encryption to boot?
This is more of a “how encryption” works question, so I’ll just defer to some article response I got from Google which explains it simpler than I would:
“When someone sends a message to a contact over an app using the Signal protocol, the app combines the temporary and permanent pairs of public and private keys for both users to create a shared secret key that’s used to encrypt and decrypt that message. Since generating this secret key requires access to the users’ private keys, it exists only on their two devices. And the Signal protocol’s system of temporary keys—which it constantly replenishes for each user—allows it to generate a new shared key after every message.”
That doesn’t explain why asymmetric encryption is insecure? In fact signal seems to be using two pairs of asymmetric keys to generate its symmetric secret, so it would also be prone to attack if asymmetric encryption was a flawed system.