Good to know. So between WhatsApp (the other person’s WhatsApp client?) and the bridge it is E2E encrypted using WhatsApp’s encryption (Signal protocol). It is decrypted by the bridge and then re-encrypted with Matrix’s encryption between the bridge and the Matrix client?
Whether it is encrypted between the bridge and Matrix client depends on the bridge implementation. It might also be unencrypted. But yes, between the bridge and the other person’s WhatsApp client it is the regular E2EE used by WhatsApp.
Now that is the state today. Potentially if WhatsApp would use an encryption method compatible with the protocol used by the bridge (Matrix in this example), then there would be no need for the bridge to have the ability to decrypt. That’s why RFC 9420: The Messaging Layer Security (MLS) Protocol might become interesting, especially if certain regions were to force encryption compatibility by law.
This is my hope (possibly in a few years if the EU forces Apple, Meta, et al. to open up their messaging services). However, based on the little info I have, I doubt that if this were to happen, Meta would switch to Matrix’s encryption, since they already use Signal’s, which seems to be the emerging standard (Signal, WhatsApp, Google RCS, Skype and I believe the not-yet-fully-implemented E2EE chat in Instagram and Facebook all make use of Signal Protocol under the hood, Twitter has expressed an interest in Signal as well).
I’ve been using the WhatsApp Web To Go app for about a year - not heavily, most of the time it’s just not running - and not had any problems. If I understand correctly, it’s just a nice wrapper around WhatsApp’s own web interface, so I don’t see why they should object to it being used on your account. I’m sure they can detect the wrapper somehow rather than the site being accessed in a regular web browser on a PC as they probably intended (just check User-Agent?), but unless they’re just trying to force you to use the proper WhatsApp app, I see no reason they should care. (Even then, wouldn’t they be better just stopping their web interface working if they detect the app, rather than suspending your account? If your account is suspended you aren’t going to be bothering to install their app “properly”.)
If I had to guess I’d suggest running the WhatsApp app on an Android VM on your PC is what raised red flags at their end. As for a better solution - do you have an old mobile you could dedicate to running just the WhatsApp app, instead of using an Android VM on your PC? That’s what I’m doing. The phone with WhatsApp on doesn’t have the SIM with the WhatsApp number in any more either and it doesn’t seem to matter. (I still have that SIM in another phone and can enter any code they text me to prove I control the number, not that this has happened.)
I have a contact who does this with iMessage. Personally, I don’t like it. When I use an encrypted platform with someone I’m trusting the network it’s on and the recipient. Not a middleman they’ve inserted in-between without telling me.
I don’t use WhatsApp, but if I did I would prefer that using an unsecured circumvention would cause you to be removed from the network. Or, at a minimum, some kind of notification to me that messages to you are insecure.
On this note, I would recommend checking their FAQ real quick, as this is not a design decision to undermine encryption. I would assume and hope that once MLS is part of the Matrix spec / existing clients, and things like WhatsApp, iMessage etc. also adopt it, it’ll become easier for Beeper to get to their goal of full end-to-end encryption for these bridges.