Hacker News

Security vs. Usability. Multi-device E2E requires ONE device be the source of truth for the private key. That's why for WhatsApp Desktop to work, you need your phone to be connected. This defeats the purpose for most people.


Does it, though? I feel like most people just use their phone, and that's it, and people who use the web version don't mind so much that they need their phone on the internet, because it pretty much always is anyway.

Sure, there are edge cases, like being on a plane and only having bought internet access for your phone, phone battery dead and no charging cable, phone lost/stolen, but those things seem rare enough that most people just live with it.

I would prefer that I didn't need my phone to use WhatsApp Web, but in practice it hasn't kept me from using WhatsApp (mobile or web).


For me, it's one of the reasons why I prefer Telegram over WhatsApp. There have been numerous cases when my phone was dead or offline (being abroad/roaming, battery dead, etc.) and I wanted to use my laptop to finish that important conversation. The other one is the lack of a native Linux desktop client for WhatsApp.


Right, I get that, and even mentioned one of the failure modes you mention. But I think for the average user (which more or less disqualifies most of our experiences here), it's not even remotely a deal-breaker.


Threema works similarly, but I rarely use the web version, because it is annoying.


Transition from this:

> Multi-device E2E requires ONE device be the source of truth for the private key.

To this:

> That's why for WhatsApp Desktop to work, you need your phone to be connected.

Is just an implementation detail. Signal gets around this by letting the server know about a person's devices so that each device can sync independently of the others. The phone holds the ultimate key, but messages do not need to be routed through the phone.


> Multi-device E2E requires ONE device be the source of truth for the private key.

That doesn't sound right to me. It may well be the case for a particular implementation, but I don't see why it would hold for the general case.


The way Wire does this, if I recall correctly, is that logging into your account (proving to the server you can authenticate) allows you to push up a new device public key, which you can see as your device fingerprint in the UI. A conversation between two users with multiple devices is really a group chat, with pairwise ("client fan out") double ratchet sessions going on.

When you do this, your other devices are informed of the account change by the server, as are people you communicate with (if they've previously marked your account as trusted, changing any devices on your account changes that). This isn't much different to Signal: ultimately the server acts as a key directory in both cases.

The problem with this approach is that it doesn't scale well at all. This is why Facebook, Wire, etc. are working on MLS (Messaging Layer Security), which is basically "add trees" so group chat scales better.
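The client fan-out described in the comment above (a two-person conversation is really a group chat with one pairwise session per device, and the server is only a key directory), as an added example that is not Wire's or Signal's code. Every name in it (Device, KeyDirectory, fingerprint, demo) is an assumption of this example, and every primitive is a stand-in: the DH group is toy-sized and insecure, the ratchet is only the symmetric sending chain per direction (no DH ratchet step), and the "server" is a dict. What it shows is the part the comment makes: each message is encrypted once per recipient device plus once per sibling device of the sender's own account, and enrolling a new device changes the account's device-set fingerprint (what a peer would have marked as trusted) and adds one more copy to every subsequent message.

```python
"""Toy client fan-out multi-device E2E. Added example, not Wire's or Signal's code.

Assumptions / simplifications (not the real protocols):
- DH runs in a toy-sized group (P = 2**127 - 1, G = 3) so only the stdlib is needed; NOT secure.
- Each pairwise session has one symmetric chain per direction (the "symmetric ratchet" half of
  the double ratchet); there is no DH ratchet step and no out-of-order handling.
- The server is a dict used purely as a key directory; real systems add X3DH prekeys etc.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

P = (1 << 127) - 1   # toy DH modulus (a Mersenne prime), for demonstration only
G = 3


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in for HKDF."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _stream(mk: bytes, n: int) -> bytes:
    return b"".join(kdf(mk, b"stream" + i.to_bytes(4, "big")) for i in range(n // 32 + 1))


def encrypt(mk: bytes, pt: bytes) -> bytes:
    """Stream-XOR under the message key, then HMAC over the ciphertext (encrypt-then-MAC)."""
    ct = bytes(a ^ b for a, b in zip(pt, _stream(mk, len(pt))))
    return ct + kdf(kdf(mk, b"mac"), ct)


def decrypt(mk: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(kdf(mk, b"mac"), ct)):
        raise ValueError("bad MAC")
    return bytes(a ^ b for a, b in zip(ct, _stream(mk, len(ct))))


class KeyDirectory:
    """The server's only cryptographic role: account -> {device_id: device public key}."""
    def __init__(self):
        self.devices = {}

    def register(self, dev):
        self.devices.setdefault(dev.account, {})[dev.device_id] = dev.pub

    def list_devices(self, account):
        return dict(self.devices.get(account, {}))


def fingerprint(devices: dict) -> str:
    """Hash of an account's whole device set; changes whenever a device is added or replaced."""
    h = hashlib.sha256()
    for did in sorted(devices):
        h.update(did.encode() + devices[did].to_bytes(16, "big"))
    return h.hexdigest()[:16]


@dataclass
class Device:
    account: str
    device_id: str
    priv: int
    pub: int
    chains: dict = field(default_factory=dict)  # (peer_account, peer_id, "send"|"recv") -> chain key

    @classmethod
    def create(cls, account, device_id):
        priv = secrets.randbelow(P - 2) + 2
        return cls(account, device_id, priv, pow(G, priv, P))

    def _next_message_key(self, peer_account, peer_id, peer_pub, direction):
        key = (peer_account, peer_id, direction)
        if key not in self.chains:
            root = kdf(pow(peer_pub, self.priv, P).to_bytes(16, "big"), b"root")
            # Chains are labelled by the sending device, so A's "send" chain equals B's "recv" chain.
            sender = (self.account, self.device_id) if direction == "send" else (peer_account, peer_id)
            self.chains[key] = kdf(root, f"{sender[0]}/{sender[1]}".encode())
        ck = self.chains[key]
        self.chains[key] = kdf(ck, b"chain")   # advance the chain; old chain key is discarded
        return kdf(ck, b"msg")

    def send(self, directory, peer_account, plaintext):
        """Client fan-out: one ciphertext per peer device plus one per sibling device of our own account."""
        envelope = {}
        for acct in {peer_account, self.account}:
            for did, pub in directory.list_devices(acct).items():
                if (acct, did) == (self.account, self.device_id):
                    continue
                envelope[(acct, did)] = encrypt(self._next_message_key(acct, did, pub, "send"), plaintext)
        return envelope

    def receive(self, directory, sender_account, sender_id, envelope):
        pub = directory.list_devices(sender_account)[sender_id]
        mk = self._next_message_key(sender_account, sender_id, pub, "recv")
        return decrypt(mk, envelope[(self.account, self.device_id)])


def demo():
    server = KeyDirectory()
    alice_phone, alice_laptop = Device.create("alice", "phone"), Device.create("alice", "laptop")
    bob_phone = Device.create("bob", "phone")
    for dev in (alice_phone, alice_laptop, bob_phone):
        server.register(dev)
    fp_before = fingerprint(server.list_devices("bob"))

    env1 = alice_phone.send(server, "bob", b"hi bob")          # 2 copies: bob/phone, alice/laptop
    read_by_bob = bob_phone.receive(server, "alice", "phone", env1)
    read_by_laptop = alice_laptop.receive(server, "alice", "phone", env1)

    # Bob enrols a tablet: the directory gains a key, Bob's fingerprint changes (a peer who had
    # marked Bob as trusted must re-verify), and Alice's next message fans out to one more device.
    bob_tablet = Device.create("bob", "tablet")
    server.register(bob_tablet)
    env2 = alice_phone.send(server, "bob", b"second message")  # 3 copies
    return {
        "copies_before": len(env1),
        "copies_after": len(env2),
        "fingerprint_changed": fingerprint(server.list_devices("bob")) != fp_before,
        "bob_phone_read": read_by_bob,
        "alice_laptop_read": read_by_laptop,
        "bob_phone_read_2": bob_phone.receive(server, "alice", "phone", env2),
        "bob_tablet_read_2": bob_tablet.receive(server, "alice", "phone", env2),
    }


if __name__ == "__main__":
    print(demo())
```

The scaling remark in the comment falls out of `send`: with a recipient on m devices and a sender on n, every message costs m + n - 1 ratchet steps and encryptions, and a group of k such accounts costs roughly k times that per message, which is the cost MLS's tree structure is meant to remove.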


Thanks for explaining, that makes much more sense.

It seems to me that double ratchet is really to blame here. Without it, you could simply share a single key across all devices. With it, your choice is to either deal with this sort of complexity or to set up a trusted proxy in the middle.

It's a bit strange actually. There's this constant mantra of having to pick either security or usability. We now have readily available means for usable _and_ reasonably secure E2E, but the crypto nuts go and add additional "must haves" that once again make it difficult for the average person to use.

An aside: Instead of authenticating with a central server to add a key (as you've described Wire doing), why not handle this client side via X.509 certificate chains? This is very mature crypto and seems far more flexible. It would enable use of standard PKI token hardware for managing your root identity, allow fully offline enrollment of new devices, and provide cross signing for various purposes (changing your root identity, setting up a web of trust with a group, integrating with a corporate environment, etc).


No, it does not. Keybase does it pretty well. Signal is pretty close. Even the WhatsApp approach (require phone to be online, which is how it differs from Signal) is better than what Telegram has today (not even possible).


The whole purpose of cloud chats would be broken if E2E were implemented this way. Search, for example, would be basically impossible to implement anywhere near the way Telegram does it.

Also, of all my group chats, and I have hundreds, 99% are public or semi-public (not searchable in Telegram but can be found on the internet); it makes no sense to encrypt these.


Artificial limitation, not a technical one.



