> In a phone call with WIRED, a WhatsApp spokesperson confirmed the researchers' findings, but emphasized that no one can secretly add a new member to a group—a notification does go through that a new, unknown member has joined the group.
Yeah, that solves it. -_-;
@feld in no universe doe sthat solve anything.
1. as others pointed out there is nothing stopping WhatsApp to change that in the future;
2. I am part of about 20 Signal groups, am pretty savvy user, and got surprised by some new people on some of them multiple times.
It's not about key management, it's about WhatsApp being able to *modify group membership*. Let's not mix things.
@feld if you're in a sensitive E2E chat that gets a fair amount of traffic you are not going to notice the notification that somebody joined.
Notifying about this is not nearly enough.
When choosing tools to secure one's communication one has to take into account potential opsec failures. And a small notification about a potentially huge security problem (some random person just joined the group) simply does not cut it.
@feld plus, the bigger problem is that the *protocol* allows for this. This means that WhatsApp could remove the notification at any point in time and just add people as they see fit (or as the nice man in a trenchcoat asks them to) without notifying the members of the group.
You are basically asking me to trust WhatsApp not to do this. The whole *point* of E2E is to not have to trust the service provider.
"So Breaking News, People Still Miss The Point Of E2E Entirely", I guess? ;)
@feld Three Letter Agency compromised all our brains, we're in the Matrix already, WAT NAO?
There is trust involved in all those things. I trust people I work with way more than WhatsApp. And for good reasons.
There are always ways in. I'd just rather minimize the number of them that affect me and my peers.
@feld I beg to differ:
"End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages."
The whole point of E2E is not that "it's encrypted, somehow", but that it's encrypted *effectively*, so that only the intended users can read it in transit.
Your take on E2E would mean that rot13 + double-XOR would be enough of an "encryption" on the wire. It is very definitely not.
Others are on iOS and Android. And again, if I have to choose between trusting Google/Apple *and* WhatsApp, vs. trusting just Google/Apple, I choose the latter.
Not sure where you're going with this discussion though. You clearly thing it's fine if server admins can add people to an encrypted groupchat with just a notification, I clearly don't. You look at E2E on a protocol level, I look at it at whether or not it's actually effective in it's goal.
@feld You choose to trust that WhatsApp does not have this design flaw. I choose not to.
Have you ever tried sharing a link on WhatsApp? Well... https://mobile.twitter.com/mulander/status/874370124932943874