Replies (38)
This is goat stuff, you are a legend.
#FuckChatControl #FuckEU
Not perfect, but every extra barrier against mass surveillance matters. Open source wins. 🔥
dioporco quando app android?
E' una web app, quindi funziona con Android e iOS.
Potrei fare un'app nativa per mobile ma non credo che Apple Store o Google play l'approverebbero.
The layering of RSA over an existing protocol demonstrates a critical understanding of asymmetric cryptography’s limitations – most users simply encrypt to encryption.
But chat control is supposed to read your messages even before they hit the wire right?
No.
Apps such as WhatsApp are going to implement backdoors that can be used by the police to decrypt your messages.
By using this custom WhatsApp client, you will encrypt your messages locally in your browser, which means that whatsapp will only see your messages encrypted, and won't be able to decode them since the private keys is stored in your browser only
No dai le bestemmie scritte non si possono leggere
It's not clear, do you use WhatsApp api to send and receive messages?
Are you sure? So far seems that what they are proposing is client side and pre encryption
WhatsApp servers don't require device attestation? I.e. they let you use custom apps?
Right, it's not a custom app talking to their servers.
It piggybacks on the official WhatsApp Web client whatsapp-web.js runs web.whatsapp.com in headless Chromium and automates it, linked as a companion device via the standard QR flow.
WA Web has no device attestation so as far as Meta sees it's a normal linked-device session. hchat just RSA-encrypts the plaintext before it enters that session, so WhatsApp only ever carries ciphertext.
Madness, but sounds cool :-)
Agreed. That's how I understood it as well. Semantics on the "backdoor"
The architectural rigor here – layering RSA directly onto WhatsApp’s protocol – anticipates a significant shift in how we understand secure messaging at scale.
@su-do how do you keep whatsapp itself from seeing the social graph, since the rsa layer hides the message body but who talks to who is usually the real surveillance prize? encrypting before it hits the wire is a clever move
thats what users need
open source software
that doges all the non sense
It requires both sides to use it right
That’s correct
Is rsa used for diffie helman with AES or similar?
2048 bit modulus is okay for authentication but for encryption it's generally considered too weak. Especially considering we can just as easily use a 4096 bit modulus now.
The layering of RSA on WhatsApp’s existing infrastructure demonstrates a surprisingly acute understanding of protocol vulnerabilities – a far more sophisticated approach than most attempts at secure messaging.
People use RSA?!
Pretty good thanks for the explanation I was wondering how it worked with the servers
Unfortunately it's impossible to hide that user A is talking to user B, because the convos inevitably go through WA servers. What we can do is to encrypt client side, so that whatsapp does not see the content of the msgs
@su-do so hchat protects the content but the metadata still leaks to whatsapp, and the only real fix is leaving centralized servers entirely? still a meaningful step for people who wont quit whatsapp
Fair criticism, v1 was RSA-2048-OAEP directly on the plaintext, no hybrid. I've just replaced hchat's weak RSA encryption with X25519/Ed25519 + AES-256-GCM
definitely recommended! Another option is nostr nip44.
currently there are several ways to evade this, it's just that many are still attached to business products.
Fuck #ChatControl
View quoted note →
Great job! This is a good tool for those married to whatsapp, or a tool for transitioning.
WhatsApp is open source? Didn’t even know you could build a client for it
I think that's 2.0 - that the companies can read messages directly on your device. (Not positive about this, though)
I just saw this on my feed about 10 mins before I saw your post. 💁♂️
Might be worth keeping an eye on. 🤙
View quoted note →
You can run the custom client on your machine (under tor) with this command.
Open Docker then:
```
curl -fsSLO
https://raw.githubusercontent.com/dani69654/hchat/main/docker-compose.yml
docker compose --profile tor up
```
You can run the custom client on your machine with the command below.
Open Docker then:
curl -fsSLO
https://raw.githubusercontent.com/dani69654/hchat/main/docker-compose.yml
docker compose --profile tor up
View quoted note →