How does end to end encryption work with whatsapp web?
Correct: The Web-Client is establishing a secure connection to the phone. The messages you send through WhatsApp Web are encrypted by the WebClient, decrypted by the phone, then re-encrypted to fit the end-to-end scheme and then sent to the recipient. Same thing the other way around.
I don't know details about the protocol, but this is what I suspect (or how I would implement it):
- When first opening WhatsApp Web, a key pair for asymmetric encryption/signing is generated (and stored in the local storage of the browser). Probably RSA or ECC.
- Scanning the QR code exchanges the fingerprint of said keypair's public key. This establishes trust between phone and browser installation: the fact that the user scanned the QR code implies that the user trusts the browser.
- When WhatsApp Web is to be used, a TLS connection to the phone is established (probably proxied by WhatsApp to overcome Firewall and NAT issues). WhatsApp Web authenticates towards the phone using the initially generated keypair (thus relying on the trust established earlier).
- The connection between the Browser and the phone is fully qualified TLS: Authentication and PFS included.
localstorage is not a secure location to store private keys as far as I know
It is as secure as the browser can get. WhatsApp Web works without password entry after the initial trust exchange. That means that the private key is available to any code running on the machine.
Could you provide a source where I can read how the protocol for the web client works?
I don't have any sources, sorry. The answer is just my speculation on how things are actually implemented.
If WhatsApp's website can show me all of my messages (regardless of how I log in), why can the server guys not see it? How is it that they cannot emulate my login and be able to see everything I am doing? I just sent an image to a friend of mine using WhatsApp Web, it got sent, he saw it... everything was fine. I turned off my WiFi before opening WhatsApp and the image hasn't even downloaded! It's not even on my phone... how did WhatsApp Web use my 'phone' to send that image when it doesn't even exist on my phone? (Note: my settings don't allow immediate downloading of images.)
Again: this answer is a guess. Assuming I guessed correctly: the WhatsApp people cannot see your messages because they are encrypted with a key that only *your phone* and *the phone of the recipient* know; nobody else. Your **browser** (not the website!) can show your messages because, by scanning the QR code on login, your phone started trusting **the browser installation on your machine**, not WhatsApp in general. Your phone sends the messages to your **browser** to display them. The end-to-end encryption in WA might be a fake, but your phone not caching the image is not proof of that.
On why your phone needed to download the image: I might not have guessed correctly; it is possible that the WhatsApp Web client can send messages directly (not redirecting them through the phone). WhatsApp maybe stores all **encrypted** messages on their server and they get downloaded to your phone as soon as you open WhatsApp. Again, just guesses.
@MTCoster see the answer, it's in there. An RSA modulus would not fit into the QR code, I suspect. But if they are using elliptic curves, the QR code maybe contains the entire public key.
FYI, a white paper (not addressing whatsapp web) is available here: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
Does this mean that the web app routes all traffic through your phone? What happens if your phone doesn't have network connection?