WhatsApp's New Browser Extension is Aimed at Making Web Chats More Secure (theverge.com) 24
Code Verify is a new browser extension from WhatsApp parent company Meta that aims to improve the security of WhatsApp's web version, the company has announced. From a report: The extension works by verifying that the contents of WhatsApp's web version haven't been tampered with. The aim is to make it a lot more difficult for a would-be attacker to compromise data or the privacy of WhatsApp's end-to-end encrypted messages when using the browser-based version of the service. The extension follows the launch of WhatsApp's multi-device beta last year. This aims to make using the messaging service from devices other than your primary phone easier and more seamless. Since the feature's launch, WhatsApp says it's seen an increase in people accessing its service through web browsers, which present new security challenges compared to an app. There's nothing particularly new about the security methods underpinning Code Verify. Ultimately it's just comparing a hash of the code running in your browser, with a hash held by trusted third-party Cloudflare.
Secure from who? (Score:2)
lol, they sell all your information to the highest bidder.
Re: (Score:2)
The content of WhatsApp chats is end-to-end encrypted. We know it works because the police keep moaning about it. The bit that Facebook/Meta monetizes is your contacts (if you grant it permission, and it "encourages" you to do so by simply having no other way to assign names to phone numbers in the app). I'm sure they gather metadata about usage patterns too.
This is a good idea, but it would be even better if it was made part of a standard so that all websites could use it. Some kind of public key system th
Re: (Score:2)
Still not secure (Score:2)
Re: (Score:2)
Not made/owned by Facebook is.
Along those lines, I'm curious...how many criminals have been convicted based on WhatsApp transcriptions that were happily handed over by Facebook?
People want to be secure from harm, not privacy. If they wanted to be private, they wouldn't be such social media narcissists.
Re: (Score:2)
The thing is, this is completely new social territory.
Being a social (media) narcissist is just group behaviour: louder is better heard.
Everything you "say" can be "heard" by anyone, and is recorded to be dug up at a later date. And this is at a global scale.
The only people who have real experience with this are those who, as you correctly say, want to be secure from harm. i.e. dissidents, journalists, activists, criminals to name just a few.
Average "joe sixpack" (not said with any disdain) doesn't care, an
Re: (Score:2)
The thing is, this is completely new social territory. Being a social (media) narcissist is just group behaviour: louder is better heard.
Social media isn't all that new. We just called it AOL back in the day, and they were probably collecting all your usage data then too, since data mining for profit is older than the internet itself. And dismissing this as "group behavior"? Does any psychologist in Las Vegas recognize gambling addiction, or is that just group behavior? Everyone is a digital narcissist, so all good? I doubt a child psychologist would agree.
Everything you "say" can be "heard" by anyone, and is recorded to be dug up at a later date. And this is at a global scale.
Well, that depends on how you communicate with people.
Never in history could anyone (with or without power) listen in on most your conversations with friends or enemies, with the possibility to tap in after the fact, without having to target you specifically.
Never before in history hav
Re: (Score:2)
There are people using WhatsApp from before Zuck started absorbing it. They may or may not have anything else to do with Facebook.
Re: (Score:2)
Not made/owned by Facebook is.
Yeah just use plain old completely unencrypted messaging as long as its made by anyone other than Facebook, a company that has shown to not even respond to law enforcement requests to unencrypt messages, that's *far* more secure. /s
You are dumb.
Secure? (Score:2)
Re: (Score:2)
If you want to use TOR or a VPN for location privacy you need to enable it before you connect to any website or network service.
The headline here is "more secure" and it looks like they added an integrity check to the code being executed, so if they've done it right maybe it is more secure.
On the other hand, if they're downloading the code via TLS from their own server there's already an integrity check built in, so not clear what value they added with the extension, whereas by running the extension users m
Not e2e (Score:2)
Re: (Score:2)
It's not e2e in any meaningful sense unless only you can access the private key. How much do you trust Facebook/Meta with your private key?
An extension of what you've said, it's not e2e unless you've personally audited the complete source code of the encryption and compiled the program yourself. How much do you trust any code someone else has written?
As for how much do you trust Facebook, let's see, when they are enemy number 1 (well number 2, Apple is number 1) of courts and police for not even complying with warrant requests to access encrypted messaging I'm going to go with "a lot". Trust is not something you give people blindly, you base i
Re: Not e2e (Score:2)
And audit software ourselves? What kind of argument is that? Perhaps you could also suggest we audit the compiler too? And the OS running it just in case? At the end of the day, security & privacy are about trust, i.e. Who do we trust not to inva
Re: (Score:2)
Bullshit. If the police or FBI have a warrant, Facebook, Apple, Google, Microsoft, et al. hand over the data. Every company does.
Let me stop you right there since you're clearly not even reading Slashdot let alone have been paying attention to stories regarding encrypted communication services. Let me bring you up to date:
Those companies (no et al about it, the only three who have been involved to date have been Facebook and Apple) have very much told courts, no, we don't have access to the data, no we won't decrypt it for you, no we can't hand it over.
Now are you implying they are lying to the courts all the while hoovering up your
Re: Not e2e (Score:2)
Use Signal instead (Score:2)
If you want private conversations use Signal, not WhatsApp. Back when WhatsApp was privately owned you probably had a reasonable expectation of securely encrypted chats. But now that it's owned by Facebook all bets are off. Personally I wouldn't trust anything owned by Facebook.
Re: (Score:2)
Personally I wouldn't trust anything owned by Facebook.
Based on? You're talking about a company that isn't even compromising encryption when served a warrant. You think they are just lying to the courts and FBI that they don't have direct access to your messages?
And yet you use Signal. But just "use" it right? You didn't audit the source code? You didn't compile it post audit yourself? What high profile past experiences do you point to to trust signal more than a company which verifiably is refusing to hand over info?
Re: Use Signal instead (Score:2)
Re: (Score:2)
Because responding to warrants is a legal obligation and if they are lying about their capability of doing so they would get proper bend over grab your ankles arse fucked by the courts for ignoring a court order.
I suspect they aren't a fan of said arse fucking and thus aren't actually lying to the courts, and as such don't actually have direct access to your communication.
What kind of reasoning is that? Solid reasoning! Something you can hang your hat on rather than "derp derp Facebook bad mmmkaaay".
Won't someone think of the security? (Score:2)
If I was the suspicious sort, I'd say they're rolling this out on WhatsApp because they can plausibly claim it's for security... but the real destination is Facebook where it will be used to neuter FB Purity, ad blockers, and other browser extensions that let users bypass the ads and much of FB's data collection.
If I was the suspicious sort...