My friend: I think WA. is very secured that's why I use it.
Me:

WhatsApp might be end to end encrypted, but there's no way to guarantee or prove that. There's also no guarantee facebook doesn't have decryption keys, or that the data isn't sent to facebook prior to encryption for analysis.

So, like everything else Facebook does, it's either misleading or an outright lie. And it's practically guaranteed not to be in your best interest.

The message may be encrypted during transit, but is stored encrypted too and in device backups as well?

There is a lot of attack vectors when dealing with encrypted data, and it only takes 1 source to be plaintext to void the entire solution.

Just want to remind about this quote of the former NSA director:

"We kill people based on metadata."

It is more important who communicates with whom than what is communicated.
I would even go as far to say the E2E encryption of Facebook in WhatsApp is a secure one - but it does not protect metadata, which is more than enough for the advanced attacker.

Easy way to get this through to devs: if you dont control the private keys, the encryption is not 100% secure.

Facebook: "We dont store passwords in plain text"
Also Facebook: stored passwords in plaintext till 2019

@Root As I understand, criminals have already been caught becauzs of WhatsApp's lack of security and purposeful holes used to monitor traffic.

And you can bet Facebook wants all that sweet data to feed into their marketing algo.

E2E is cool if you can guarantee endpoint integrity. That's about it.

E2E encryption is only useful to mitigate MitM attacks... At the ends the data needs to be decrypted at least once to be useful... Facebook cant "not see" your messages and then use them further without knowing them, that's not the point of encryption anyway. However what it does protect you from is your neugbour being in the same network watching all broadcasted packets. If he missed the keys and handshakes he's out completely.

At best if the data is kept stored encrypted and only decrypts on demand it makes database leaks safer, but the decryption key has to be somewhere and facebook has to have it, otherwise there's no point. As long as theres a search function you know the backend sees the data in plain text.

@Hazarth No, for a search function on my device, Facebook does not need any keys: It will simply search the copies on my phone, for which I obviously have the keys.

Additionally, E2E encryption (if correctly implemented) will even protect me against an evil provider, as he will not have the key; otherwise it is a point to point encryption.

In both cases (E2E or P2P), my neighbour can even sniff handshakes and still not have any ideas about my messages.

@sbiewald I find the facebook search function has a suspiciously long history and fast search for something that doesn't seem to take all that much space on the phone. Im just saying, I don't think e2e encryption is what they are really doing

PS: I just checked, they are not doing it, It's a normal graphql driven search. On top of that there are news where they talk about how incredibly difficult it would be to implement e2e encryption over their platform

So that's one service we know didn't deliver year later

@Hazarth For WhatsApp, they do have proper E2E.

For Facebook messenger: Unfortunately the technology for fully encrypting a searchable database, without reavaling information about the plaintext has AFAIK not yet been invented yet. While there are new ideas every now and then, an equal amount of systems turns out to be broken in one way or the other.

@Root Next to that, the metadata isn't protected at all so Facebook can build a massive social graph.

For the record, same goes for Telegram. Metadata isn't protected, secure chats have to be manually activated and they build their own crypto which has been widely criticized by actual cryptographers.

Maybe wickr or signal can do better, but still:
If you write from mobile and have an iOS, what you type is sort of recorded by Apple (to make word prediction better, yeah), if you have an android you might be spied by the product or company or Google itself, unless you installed a custom ROM which might have more different issues

If you want 100% security, just talk one another away from anything having a chip