Is using a VPN with messenger services like Whatsapp completely useless?

Am I right in assuming as Whatsapp is linked to your phone number that using a VPN does virtually nothing to protect/hide conversations on it?

Does it stop someone peering into my conversations? Is there any element of security that it provides? Or are my conversations just as vulnerable as the average Joe?

Does it stop someone peering into my conversations?

In itself, no. WhatsApp does its own end-to-end encryption, so using a VPN doesn’t really make a difference here.

If WhatsApp used NO encryption, or if you were using something else to send messages to someone in the clear, then a VPN would partially encrypt the path of the conversation: between your device, and the VPN server. The VPN server must then connect you with whatever messaging platform you use, and every connection past that point is unprotected by the VPN’s encryption.

Is there any element of security that it provides?

A VPN would hide your use of WhatsApp altogether from your ISP, if that’s important to you. All the ISP sees is that you’re connected to a VPN, not that you’re using WhatsApp or anything else.

If your ISP or government were blocking WhatsApp, but not blocking the VPN, then the VPN might enable you to get around the block.

Or are my conversations just as vulnerable as the average Joe?

The security of your conversations is only as strong as the weakest link in the chain. So, the security of your messages requires that you trust:

  • The VPN provider, if you use one
  • Your ISP, if you don’t use a VPN
  • WhatsApp’s encryption algorithm. Even with a VPN, you still have to use WhatsApp’s servers to route your message. If there’s a flaw in the encryption they use, then someone eavesdropping on WhatsApp traffic might be able to read your messages. Same for any undelivered messages that are stored on their servers, if the servers are hacked.
  • Your device, and the device of the person you’re talking with.

In a lot of cases, the weakest link is that last point, the devices at each end of the conversation. You have to be able to trust that your phone is always in your possession, always locked when it’s not in your possession, and that the security features on your phone are working. If someone hacks or gains unlocked access to your phone, then all the encryption in the world won’t help you. The same is true of the phone at the other end of the conversation: you have to trust that their phone isn’t in any way vulnerable, either. The apps themselves can also be a problem.

One last important note: Sometimes, chat apps store messages on your device in an unencrypted form, or using unencrypted storage space. And WhatsApp also allows you to store backups of your conversations on cloud storage services like Google Drive… but when it does so, those backed-up chats lose encryption. So, if you’re backing up your chat history, there’s very likely an unencrypted copy of your conversations sitting on cloud storage somewhere… rendering any other security precautions useless. And even if you don’t do these backups, if someone you’re chatting with keeps backups, then there’s still going to be an unencrypted copy of your chat sitting around.

Note to iPhone users: the same is true if you back up WhatsApp chats to iCloud. However, iMessages in the cloud are encrypted, as long as you use two-factor authentication.

Should you use a VPN? Yes, if you find/make one you can trust, because it’s useful in a lot of situations. But, practically speaking, it won’t make WhatsApp conversations any more or less secure than they already are.

tl;dr VPNs provide privacy, not anonymity.

I mean it doesn’t stop WhatsApp from collecting the information it siphons off, such as location and other things the app collects directly off the device, but it does stop your local ISP from seeing what you’re doing.

Am I right in assuming as Whatsapp is linked to your phone number that using a VPN does virtually nothing to protect/hide conversations on it?

I can’t speak for Whatsapp, but it is probably the same as Signal as Whatsapp uses the Signal protocol.

With Signal, they used to expose metadata for e2e (Signal to Signal encrypted) texts and calls, so your ISP could see who you called/texted and when. Signal has since upgraded so metadata is encrypted too. So with the Signal app (and perhaps Whatsapp) using a VPN provides no advantage as either way your ISP can only see you are sending encrypted traffic. They can’t see who you are texting or calling and at what time.

As an OT caveat, I will say I only use Signal. Whatsapp is owned by Facebook, which data mines everything and I don’t trust them. However, and again, if Whatsapp is using the latest Signal protocol set-up like Signal, your ISP can’t see anything e2e even without a VPN.

Not if you’re in China. Whatsapp is blocked by the government and doesn’t work without a VPN. As for privacy, your messages are encrypted end to end anyway, and Facebook (owner of WhatsApp) will collect the same metadata associated with your phone number whether or not you use a VPN.

Does it stop someone peering into my conversations?

Somewhat. It makes it just a little more difficult.

Is there any element of security that it provides?

Somewhat.

Or are my conversations just as vulnerable as the average Joe?

There is some encryption. If that encryption is easy to crack, the NSA won’t tell us (NSA = Never Say Anything).

Even using a VPN, it doesn’t protect you from META looking in the content. I know that they said it’s end-to-end encryption, but from experience, never trust these people. They’re the middleman, and the middleman can do whatever he wants with the content: store it, decrypt it, mine it, sell it, give access to it to some government agencies, …
By the way, yes, Whatsapp used the Signal protocol, but they don’t use it as is; they added some features including eventually the capability to store and decrypt the data.

However, iMessages in the cloud are encrypted

This is quite interesting. Thanks for the link. However the more I read, the more concerned I become:

Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn’t stored by Apple.

Sounds like with the copy of the key, Apple can access those messages then?

Thank you for this. This was a lot of help.

Signal has a major flaw with phone #s as the identifier still. They’re dragging their feet to move away from it too which is unfortunate.

Not sure, but cloud backups in general are kind of a security nightmare. If it’s a concern, iOS allows people to make local, encrypted backups with a desktop computer and iTunes.

Regardless of platform, there’s a tradeoff: you can either have a super convenient backup with security compromises accessible anywhere you have a good internet connection, or you can make a local backup with hardened encryption (but if you lose access to that backup or your password, you’re screwed if you need it to restore your lost data). If your concern is NOT state actors, then the cloud backup is probably good enough for you. If state actors, very highly sophisticated hackers, or disgustingly filthy rich people with an axe to grind and lots of influence are your concern, then use the local encrypted option.

Can you elaborate? I don’t understand if you mean that in the future they want to remove the phone number as a mandatory identification or what?

The phone # is the identifier, but you can set it up with a burner phone or a burner SIM in another phone of yours to not ID your number. Still, if you use your number it is not accessible in an e2e Signal to Signal text/call to your ISP or a snooper. It used to be, but Signal encrypted metadata.

Cloud backups can still be safe if you use zero knowledge encryption. The issue is balancing security with convenience. There has to be some way for average users who lose their devices/forget passwords. Even LastPass has a bunch of fallback methods (allow reverting to previous Master Password, store local OTP for backup purposes, SMS recovery).

I really would like to see more companies push for zero knowledge encryption. Stop babying people, and give the appropriate warnings for these opt-in features for those who do want privacy. Forget your iMessage encryption password? Too bad. You don’t get your old messages. It’s not the end of the world either as you can still start fresh messages.

I believe they are looking into using alternative identifiers. Something like a username based system or even email address (think Reddit or any other forum service). I’m being selfish when I say this, but I feel this is the #1 priority for the app because any app that uses a phone # as an identifier is a huge risk. I feel like the developer team should be pushing this as the #1 priority to get done ASAP. I know it takes a huge back end re-write, but nothing impossible to do. Your carrier knows you use Signal based on the verification SMS that gets sent. Signal also has to store your phone # as an identifier, so even if messages are end to end encrypted, they have information about which phone #s communicate with which phone #s. That’s a huge risk when subpoenas start flying. Allowing people to use disposable usernames, burner accounts like Reddit would be huge for privacy.

True but someone can then get that burner number in the future and try to register a new number. That’s why there’s that “2FA” feature which some people might not turn on and then someone takes over your Signal account.

I’m a bit selfish when I say this, but Signal needs to get off phone number identifiers like yesterday. I’m not even sure how anyone pushing privacy would’ve thought that was a good idea. If the goal was to compete with WhatsApp for adoption in 2012, yeah auto add contacts and using phone # identifiers make total sense, but if your goal is privacy? Allow usernames or random IDs.

I see. Did Signal support something like MySudo (iPhone app) or similar that are essentially “fake” numbers you can use online or to give to people you don’t trust? MySudo doesn’t require a login so it’s almost anonymous…

I agree, but the reason Whatsapp has over 1 billion users is convenience and encryption is a nice add-on. That’s the market Signal was and is going after, but I also agree it would be nice to download one of two apps - a privacy app or a convenience app like the present one. Perhaps that is the marketing route Signal should go in.