this post was submitted on 08 May 2025
153 points (98.7% liked)

Technology

69845 readers
5206 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
153
WhatsApp provides no cryptographic management for group messages (arstechnica.com)
submitted 16 hours ago by themachinestops@lemmy.dbzer0.com to c/technology@lemmy.world
15 comments fedilink hide all child comments
top 15 comments
sorted by: hot top controversial new old
[–] Sandbar_Trekker@lemmy.today 20 points 12 hours ago

Highlighting the main issue here (from the article):

“This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.”

[–] ouch@lemmy.world 38 points 14 hours ago (5 children)

If you want your group memberships to be known only by the group members, use Signal.

[–] sykaster@feddit.nl 30 points 14 hours ago (1 children)

Just be sure to add only the people you want to be there. I've heard someone people add others and it's a bit messy

[–] tias@discuss.tchncs.de 20 points 13 hours ago (1 children)

How bad can it be, it's not like we're sharing state secrets

[–] AbidanYre@lemmy.world 6 points 11 hours ago

We're clean on OpSec

[–] ParetoOptimalDev@lemmy.today 8 points 11 hours ago

Or https://simplex.chat/ where there are no identifiers like phone numbers or any other identifier.

Security review was done by trail of bits.

[–] unexposedhazard@discuss.tchncs.de 4 points 11 hours ago

Or P2P stuff like Briar :)

[–] coconut@programming.dev -3 points 11 hours ago

Just use signal is not a valid statement in a world where vast majority of people aren't using (and won't use) it. I have been trying to get people to install it and have a total of 6 over several years. They only use it to communicate with me.

[–] Bahnd@lemmy.world -1 points 14 hours ago (2 children)

Or Matrix (warning some assembly required)

[–] new_guy@lemmy.world 14 points 14 hours ago (2 children)

WhatsApp isn’t the only messenger lacking cryptographic assurances for new group members. In 2022, a team that included some of the same researchers that analyzed WhatsApp found that Matrix—an open source and proprietary platform for chat and collaboration clients and servers—also provided no cryptographic means for ensuring only authorized members join a group. The Telegram messenger, meanwhile, offers no end-to-end encryption for group messages, making the app among the weakest for ensuring the confidentiality of group messages.

[–] Bahnd@lemmy.world 8 points 13 hours ago

That study was 3 years ago, features to create private (invite only) group chats are supported now.

[–] coconut@programming.dev 1 points 11 hours ago

an open source and proprietary platform

Are parts of matrix closed source?

[–] Vanilla_PuddinFudge@infosec.pub 5 points 12 hours ago

I actually found xmpp to be a breeze compared to most Matrix solutions.

Synapse is bloated, dendrite sucks and conduit is in perpetual beta and the uwu forks die too fast.

XMPP:

  1. Install Snikket
  2. Reverse proxy
  3. Done
[–] lIlIlIlIlIlIl@lemmy.world 14 points 15 hours ago (1 children)

Duh, how else is Zuckerberg going to spy on you and sell your data back to you?

[–] wischi@programming.dev 2 points 10 hours ago

It's not called Meta data by accident 🤣