How Whatsapp Web stays “Safe” and Whatsapp itself stays “Safe”

Hey G33ks,

So, I’m member of a Facebook group that is about IT n stuff (tho mainly hobbyists).
I got a question that asked: “How does Whatsapp work with it’s encryptions? Is Whatsapp Web encypted? Isn’t Whatsapp listening to our messages?”
The short answer is: you will never know, BUT, I can tell you how I think their protocol works.

Before we dive in, please keep in might that is just what I think is happening, so no guarantee this is actually what is happening!

Ready to dive in to it?
Here we go!

Whatsapp Web to your Phone

So, this is the biggest question for some: “Is Whatsapp web safe and aren’t they tapping off our messages?”.
Well, here is what I think is happening when you use Whatsapp Web:

When you open up Whatsapp Web (so you have to scan that QR code), this is what I suspect that happens:
1. Your WebClient sends some details to the WhatsappWeb Servers (to let them know you want to connect to a phone).
2. Your WebClient generates a private key and a public key.
3. Your WebClient generates a QR code containing information you need to establish a secure connection (your Public Key, maybe IP, session details etc. etc.).
4. You scan the QR code with your phone.
5. Your phone generates his private and public key (might have been done already?)
6. Your phone sends his public key to the WhatsappWeb Servers (probably along with some extra information) over TLS1.2 (which is stronger than SSLv3 at the time of writing).
7. The WhatsappWeb Servers decrypt the TLS1.2 layer and sends the public key to your WebClient over TLS1.2.
8. Your WebClient Decrypts the TLS1.2 and finished the key-exchange (probably by sending some test message?)

When you send a message, I thus suspect this is happening:
1. Your WebClient encrypts the message using your private key and adds some extra information for the servers.
2. Your WebClient sends this encrypted message to the WhatsappWeb servers over TLS1.2
3. The WhatsappWeb servers decrypt the TLS1.2 layer and forward the encrypted message to your phone.
4. Your phone decrypts the encrypted message
5. Your phone re-encrypts the message with your friend his key (Which we should already have if we send our first message to him, else, it will make a key exchange BEFORE sending your message)
6. Your phone sends your re-encrypted message to the Whatsapp servers over TLS1.2
7. The Whatsapp servers decrypt the TLS1.2 layer and send the encrypted message to your friend his phone over TLS1.2.
8. Your friend his phone decrypts the message with his key and displays it.

What the Kappa just happened?

The procedure used in both parts (without the TLS1.2) is known as a Diffie–Hellman key exchange (Here is an awesome explanation which got me to understand it as well!).
If your keys are long enough, it will take ages in order to crack the private keys, thus requiring massive amounts of calculations to crack it in a decent time.
And it would be a shame to waste massive amounts of time and calculations, on that one epic “meme” you send to that girl on your school ( ͡° ͜ʖ ͡°)

So basically, in theory, Nobody can sniff your messages (without using malware on your phone itself, or finding a hole in the encryptions used).
Now please keep in mind: even though we didn’t find any code for it yet, WhatsApp might have some kind of code somewhere that sends your keys to them.
I don’t think they are doing it, but again, they have to make their money in some way, so I can’t rule this out.
Just don’t send your credit card details, Password etc. over Whatsapp.
My advice it to use it like you would treat any “unknown” messenger.

Fun fact:
when you scan the WhatsappWeb QR code with a regular QR scanner app, this is what you can expect (It will be slightly different when you do it as your key pair is different!)

[email protected]+vJZ9KfG0FBhr8hAiV,wpncK0jtMYgIZQzb4hnqbr1p30eMHVQ1pCzacy72+gw=,xQNIM+l6CtXU9/TziHoQ6w==


It seems that Whatsapp fetches URLs you are typing Char-by-char .-.
This means that they *might* also sniff out your messages like this.


My thoughts are being confirmed by this thread over at StackExchange!


So, that’s about it for this post.
I hope you guys learned something new, and will stop being so suspicious 🙂
Yes, we don’t know exactly what happens at Whatsapp’s side for them to make money, and we will never know until somebody that works there reaches out and tells us.
But for now, just stick to this 🙂
Please don’t forget to like and share this post to all your friends who believe in conspiracy theories, that would be awesome!
But for now,

G33k Out!

Leave a reply