The Unclear Impact

@hund Not much of a surprise when you are controlling both ends with your closed-source app.

@meisam @hund It's not even that. The thing is, the moderators can see it if your conversation partner shares your message with them, so it's very much a false headline.

Not that it makes FB the good guys, but this is quite clearly misleading. If your conversation partner shares your message, all end-to-end encryption will behave the same. The moral is: trust your conversation partners.

Typically it is not possible to verifiably share an E2EE message without compromising the security of the whole session. But you are right, @sotolf.

@meisam If you don't trust the other end of the discussion not to share it, that doesn't really matter; if the other endpoint isn't trustworthy, the whole conversation is in jeopardy no matter what ;)

@sotolf I got your point, but for moderation, the other party should be able to prove the integrity/authenticity of the decrypted message. That was the part I was referring to.
I agree that there is nothing preventing them from sharing the whole conversation, and that is not a technical flaw.

@meisam Well, as I said, it doesn't make FB the "good guys", but the title of the whole article is very misleading. I don't really care whether it's verifiable or not; you could just claim someone else was using your phone anyway in case there was something, so it's not much better than sharing a screenshot anyway.

Re: cryptography, moderation, whatsapp

@meisam @sotolf Isn’t that kinda the point of the double ratchet protocol?

I presume you’d only share the message keys for the messages you want to expose to the moderators, who can then verify that the keys indeed decrypt the ciphertexts stored on the server. It shouldn’t be possible to calculate keys for earlier messages from the exposed keys, and later messages are protected by PFS. (Usually this is formulated for accidental key exposure, but it should hold for deliberate ones, too.)

So exposing the full session to someone who already has a record of the ciphertexts seems to be unnecessary, or I’m misunderstanding something.
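As an added illustration of the per-message-key sharing described in the post above (my own example, not code from this thread, from Signal or from WhatsApp): a simplified symmetric-key ratchet using only Python's standard library. It assumes an HMAC-based keystream and authentication tag in place of the AEAD a real implementation uses, leaves out the Diffie-Hellman ratchet, and uses a constructed root chain key and constructed messages. The moderator holds only the server's ciphertexts plus the reported message keys; a reported key is accepted only if it authenticates the stored ciphertext, and it does not unlock neighbouring messages.

```python
import hmac
import hashlib


def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric-ratchet step (simplified after Signal's KDF_CK): the chain
    key yields this message's key and the next chain key. Both are one-way
    outputs of the chain key, so a message key on its own leads nowhere."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


def _keystream(message_key: bytes, length: int) -> bytes:
    # HMAC in counter mode stands in for the AEAD a real implementation uses (assumption).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(message_key, b"ks" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(message_key: bytes, index: int, ciphertext: bytes) -> bytes:
    # Tag binds the message index and ciphertext to the message key.
    return hmac.new(message_key, b"tag" + index.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()


def encrypt(message_key: bytes, index: int, plaintext: bytes) -> tuple[bytes, bytes]:
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(message_key, len(plaintext))))
    return ciphertext, _tag(message_key, index, ciphertext)


def decrypt_and_verify(message_key: bytes, index: int, ciphertext: bytes, tag: bytes):
    """Returns the plaintext, or None if the key does not authenticate this ciphertext."""
    if not hmac.compare_digest(_tag(message_key, index, ciphertext), tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(message_key, len(ciphertext))))


def run_sending_chain(chain_key: bytes, plaintexts: list[bytes]):
    """Encrypts a sequence of messages; returns what the server stores
    (index, ciphertext, tag) and the per-message keys the recipient retains."""
    server_log, message_keys = [], {}
    for index, plaintext in enumerate(plaintexts):
        message_key, chain_key = kdf_ck(chain_key)
        ciphertext, tag = encrypt(message_key, index, plaintext)
        server_log.append((index, ciphertext, tag))
        message_keys[index] = message_key
    return server_log, message_keys


def moderator_review(server_log, exposed_keys: dict[int, bytes]) -> dict[int, bytes]:
    """The moderator holds the ciphertexts and receives only the reported message
    keys. A key counts only if it authenticates the stored ciphertext at that index,
    so a fabricated key or a key for a different message is rejected."""
    recovered = {}
    for index, ciphertext, tag in server_log:
        if index in exposed_keys:
            plaintext = decrypt_and_verify(exposed_keys[index], index, ciphertext, tag)
            if plaintext is not None:
                recovered[index] = plaintext
    return recovered


def neighbour_exposure_check(server_log, exposed_index: int, exposed_key: bytes) -> list[int]:
    """Tries the exposed message key, and keys ratcheted from it as if it were a
    chain key, against every other stored message. Returns the indices that would
    be decrypted; an empty list shows the exposure stays confined to one message."""
    candidate_keys = [exposed_key, kdf_ck(exposed_key)[0], kdf_ck(exposed_key)[1]]
    leaked = []
    for index, ciphertext, tag in server_log:
        if index == exposed_index:
            continue
        if any(decrypt_and_verify(k, index, ciphertext, tag) is not None for k in candidate_keys):
            leaked.append(index)
    return leaked


def constructed_scenario():
    # Constructed sample data: a fixed root chain key and three messages.
    root_chain_key = hashlib.sha256(b"constructed demo root chain key").digest()
    plaintexts = [b"hi, how are you?", b"message the recipient wants to report", b"see you later"]
    return run_sending_chain(root_chain_key, plaintexts)


SERVER_LOG, MESSAGE_KEYS = constructed_scenario()

if __name__ == "__main__":
    # Recipient reports only message 1; the moderator verifies and reads just that one.
    print(moderator_review(SERVER_LOG, {1: MESSAGE_KEYS[1]}))
    print("neighbours exposed:", neighbour_exposure_check(SERVER_LOG, 1, MESSAGE_KEYS[1]))
```

The tag check is what gives the moderator the "this key really belongs to this ciphertext" property discussed above; without it, the reporting party could hand over any key and claim an arbitrary plaintext. The negative check is a demonstration rather than a proof: the real argument is that message keys are outputs of a one-way KDF on the chain key, so neither the previous chain key nor any other message key can be computed from them.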

@kristof You are totally correct. I thought that during each ratchet step the same key was used for a short session consisting of multiple messages. Checking Signal's implementation, this is not the case. I don't know how it's been implemented in WhatsApp.