Reverse Engineering WhatsApp Web (github.com)
A point to those that support migrating to alternatives such as Signal. Signal is good, but far from great for a single reason: you need a phone number. This is very bad in netsec and reliability terms, my case:
Reliability: like more and more people, I travel all the time between countries and live out of Airbnbs. Hence my pre-paid phone number changes very regularly. If I lose my phone, I lose the phone number, I also lose my WhatsApp/Signal key associated with my phone number.
Netsec: A phone number is associated with your physical identity, you might not care, but more and more people do care about this stuff. Yes there are ways around that, but nothing straightforward and actually practical.
I'm patiently, but eagerly, looking forward to status.im .
I could export all my Android (Nougat) messages and media, and restore it onto my iPhone (iOS 11).
It was a bit dodgy though - it asked me to install an old (custom?) APK first to export my messages, and the iPhone restore process looked like an actual iOS system restore..
As in it 'hijacked' the UI? I guess it's possible that it's using the backup-restore mechanism to get data onto the iPhone.
I wonder if it still works now in iOS 11.
iMessage works with email addresses too.
I suggest using Riot, preferably self-hosted.
It makes no sense to create a "secure" chat app, and then to force your users to use cellphones, which is the most unsafe technology I can imagine... Why this cellphone fetish?
How did you sign in without a phone number? It's not possible on https://web.telegram.org/#/login.
Unfortunately, unlike the old chat protocols, switching to any other platform means convincing your contacts to use a new platform. They like you and all, but that means they also have to use a special app just to talk with you now.
What the hell are we doing?
You can choose your version when you send the requests
What would it do differently?
Ends up with some friends throwing you a bone and downloading / registering for a new service. Some of them remember to keep it open. Some use it. The rest of their friends don't. But a few of them love you enough to use a special app just for you because you seem to care. <3
Besides, what's more open, as usable and secure?
It's self hostable or you can just login on their Matrix server.
Ah, and no phone number needed.
Obviously, WhatsApp/Facebook would want to avoid a bunch of third party apps connecting to their service. How long until they make changes to make this more difficult/impossible?
This is only useful for real users who want to write custom applications that connect to their phones.
> An UI that is not that technical, but rather starts to emulate the actual WhatsApp Web UI.
No, no, no. This trend of 'Phone UI' chat interfaces on desktop/laptop screens needs to stop. If you are going to all this effort to reverse engineer the protocol, at least make your front end customisable or at the very least IRCish in style.
Do you need a phone running to use this project?
To add to that I can use Signal just fine with Google Voice. So if both Telegram and Signal require a Google Voice number, might as well go with Signal.
- you are tracked everywhere
- you don't control the software for real
- you have almost no control on connectivity
- it's super difficult to kill a process
etc.
Also there are not good free software mobile operating systems, sure there is LineageOS and other ROMs that still require some proprietary parts, mainly the firmware of the device and binary blobs in the kernel, for one person concerned about privacy that is a problem, because proprietary software means backdoors, and it's useless to use a fantastic free software secure communication app if we can't trust the OS where we run it.
Apple's reality distortion field in full effect...
Neither Android nor iPhone can be considered secure.
People like tptacek have talked here at length about why Telegram is not trustworthy, you can see a history of his comments with a simple search: https://hn.algolia.com/?query=tptacek%20telegram&sort=byPopu.... Moxie Marlinspike has also pointed out a bunch of problems with Telegram, and even if you don't consider him a trustworthy source because he runs a competing service, the technical reasoning behind his opinions is sound.
If you want a personal POV, here are three reasons why Telegram is a bad idea:
1) The large number of unsound technical decisions. See Thomas and Moxie's many comments for details, or the "Security" section on its Wikipedia page.
2) Within days of launching, they had a critical security vulnerability: https://news.ycombinator.com/item?id=6948742. Frankly, this alone should have discredited them forever, especially considering how much boasting they were doing beforehand, but people are stupid.
3) They have a consistent pattern of responding to criticism not with technical defenses, but with ad hominem attacks and conspiracy theories ("You're paid by the US Government!")
As a Russian, I do appreciate the fear that the "russki" brand instills in your soul, but I think you are rightly being downvoted for jumping to conclusions simply based on nationality.
Telegram in my opinion is far better, it's completely cloud based, you can use it from whatever device you want, it has real desktop apps, you can send files, you have bots, channels, large groups, usernames, you name it.
I don't get why one would use Signal; yes, it's free software, and so is Telegram (OK, the server is proprietary, but even if you have the source how can you be sure that what they release is what is running on the servers? If you don't run your own server the source is useless), but I don't see other advantages, so why bother with a third messaging app? I use WhatsApp for the large user base, and I use Telegram for the advanced features if I need them.
Also, it has a much more praised security and cryptography than Telegram, is always encrypted (Telegram is only encrypted in secret chats) and has a much more secure codebase, with more open development (Telegram sometimes takes weeks to release source code), reproducible builds and a more transparent history.
I do use Telegram (mainly for group chats), but I treat everything posted in it as I would treat a public forum like HN.
Just go XMPP with OMEMO, so no hard smartphone dependency, no electron app monsters. Thankfully XMPP doesn't have a problem with 3rd party and federation.
I just don't want any more applications open.
I'm CA's will be bypassed soon. There's a lot of brain attention on this.
But to be clear: I have a lot of distrust against governments regarding mass surveillance. But I distrust some governments more than others. And Russia is relatively high on that list for me. I think a healthy dose of distrust would be fitting for Russian citizens too.
Also I find it puzzling that so many people here keep on recommending WhatsApp over Telegram after all the lies from WhatsApp's owner.
Edit: While I have no way to verify this, AFAIK both Telegram and Gmail store data and keys in ways that make them hard to access by everyone except for the user.
Telegram in particular say they do this by storing data and keys in different datacenters in different jurisdictions.
Add to this that WhatsApp has had their fair share of issues as well before they started working with Moxie.
I'm sure if a third-party client would contribute to support the maintenance (both financially and in terms of the time and effort investment) he might be open to that, but obviously that's not going to happen.
It can take years, much like a car has to be crash tested, a new crypto algorithm must go through a certain process to be considered good enough.
That said: I believe them when they say that WhatsApp's crypto is stronger.
On the other hand I would expect them to leave a little note somewhere about WhatsApp being a data collection tool for Facebook that also still happens to work as an instant messaging platform.