sigalor / whatsapp-web-reveng

Reverse engineering WhatsApp Web.
MIT License

[question] end-to-end encryption in whatsapp web? push notifications? #61

Open thetommes opened 6 years ago

thetommes commented 6 years ago

Hi, short question regarding encryption: Is WhatsApp-Web properly end-to-end encrypted? If I understood right, the phone needs to be online at all times in order to encrypt messages. So the chain of communication works like this(?): 1. Sending message via WhatsApp Web --> 2. message sent to WhatsApp server (websocket) --> 3. server forwards message to phone --> phone encrypts message and sends it out to the server again? Did I understand that right? Is the communication from step 1 - 3 readable by WhatsApp?

Also: In WhatsApp-Web, you can enable push notifications. In order for them to work, the messages need to be routed through a Chrome/Mozilla push service. Does that mean that Google/Mozilla can read all the messages? Thanks in advance!

sigalor commented 6 years ago

First, yes, the phone needs to be online for WhatsApp Web to receive or send any messages (also see #10 for this). Currently, I have not, and do not know anyone who has, thoroughly investigated the WhatsApp APK regarding communication with WhatsApp Web yet, but I am quite certain that the chain of communication you stated is correct.

As one should be able to tell from the readme, the message sent from WA Web to the WA servers is encrypted with the encKey and, because the encKey is based on the secret sent to the WA Web client from the phone, the phone is in turn able to decrypt this message, reencrypt it and send it to the server for delivery. Still, I am not an actual cryptography expert. Could someone with profound knowledge in this field evaluate it?

Because of this chain of encryption, I am rather certain that WhatsApp is never able to read your messages, because they are end-to-end encrypted at any point during the communication. Assuming that the used encryption algorithms, and especially their interconnections, are flawless (and probably AES 256 CBC, Curve25519 and SHA256 are), messages you sent are safe. Still, WhatsApp and WhatsApp Web send a lot of clear meta and debug data to the servers, which is probably the main problem with WhatsApp in general.

Regarding your final question, I do not know how the Chrome or Mozilla push services work under the hood. To answer this question, one would need to know how the chain of communication works here. For example, upon receiving a message, is the web browser able to interact with it at all, i.e. decrypt it using the encKey from the local storage of web.whatsapp.com? Do you know some specific documentation from Chrome and Mozilla dealing with this?
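The relay chain discussed in this comment, as an added example that is not part of the thread or of the whatsapp-web-reveng project: the web client encrypts with an encKey, the server only forwards the frame, and the phone decrypts it with the same key. The key derivation (Curve25519 ECDH followed by HKDF-SHA256), the HKDF label and the frame layout (IV followed by ciphertext) are simplifying assumptions, not WhatsApp's actual wire format.

```javascript
const crypto = require("crypto");

// Pairing (simplified assumption): both sides run Curve25519 ECDH and derive
// a 32-byte encKey from the shared secret with HKDF-SHA256.
function deriveEncKey(ownPrivateKey, peerPublicKey) {
  const shared = crypto.diffieHellman({ privateKey: ownPrivateKey, publicKey: peerPublicKey });
  // The salt and the info label are constructed for this example.
  return Buffer.from(crypto.hkdfSync("sha256", shared, Buffer.alloc(32), "encKey example", 32));
}

// AES-256-CBC with a fresh random IV prepended to the ciphertext.
function seal(encKey, plaintext) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv("aes-256-cbc", encKey, iv);
  return Buffer.concat([iv, cipher.update(plaintext, "utf8"), cipher.final()]);
}

function unseal(encKey, frame) {
  const decipher = crypto.createDecipheriv("aes-256-cbc", encKey, frame.subarray(0, 16));
  return Buffer.concat([decipher.update(frame.subarray(16)), decipher.final()]).toString("utf8");
}

// The server only relays the frame; serverLog records everything it gets to see.
function relayThroughServer(frame, serverLog) {
  serverLog.push(Buffer.from(frame));
  return frame;
}

function simulateChain(message) {
  const phone = crypto.generateKeyPairSync("x25519");
  const web = crypto.generateKeyPairSync("x25519");
  // Each side combines its own private key with the other's public key.
  const webEncKey = deriveEncKey(web.privateKey, phone.publicKey);
  const phoneEncKey = deriveEncKey(phone.privateKey, web.publicKey);
  const serverLog = [];
  // Steps 1-3 from the question: web client -> server -> phone.
  const frame = relayThroughServer(seal(webEncKey, message), serverLog);
  const onPhone = unseal(phoneEncKey, frame);
  return {
    keysMatch: webEncKey.equals(phoneEncKey),
    onPhone,
    serverSawPlaintext: serverLog.some((f) => f.includes(Buffer.from(message, "utf8"))),
    frameLength: frame.length,
  };
}
```

CBC by itself does not authenticate the frame, so a design like this also needs a MAC over the IV and ciphertext; the sketch leaves that out.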

wiomoc commented 6 years ago

Well, these "push" notifications are only working if WA Web is open in any tab. These notifications are sent over a simple JS API, and not over Mozilla or Firebase. https://jsfiddle.net/vfu52jta/