
What is the user supposed to do when they get notified of a "safety number changed" message? How do they verify they've not just been MITM'd? Honest question... I don't use WhatsApp or Signal at all.



It's up to you to confirm what's going on using another channel (say, call them on the phone and see what's going on, compare the numbers). It's the same thing ssh does when server keys change, for instance. To me it's a reasonable way to handle such a situation.


You have to physically compare the numbers on the two phones (in real life), or send the numbers through a different trusted channel (PGP, USPS, Carrier Pigeon, etc).
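As an added illustration of the known_hosts-style handling described in the two replies above (this is not code from any commenter or from Signal/WhatsApp): a trust-on-first-use store that pins each peer's identity key, flags a change, and accepts only a fingerprint obtained over a separate channel. The fingerprint construction and the key bytes are constructed for the example and are not the real safety-number algorithm.

```python
import hashlib
import hmac
import secrets

def fingerprint(pubkey: bytes) -> str:
    """Simplified safety number: a hash of the identity key grouped into blocks that can
    be read aloud or compared on two screens (illustrative, not Signal's algorithm)."""
    digest = hashlib.sha256(pubkey).hexdigest()[:30]
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))

class TrustStore:
    """Trust-on-first-use pinning of peer identity keys, like ssh's known_hosts."""
    def __init__(self):
        self.pinned = {}       # peer name -> currently pinned public key
        self.verified = set()  # peers whose pinned key was confirmed out-of-band

    def observe(self, peer: str, pubkey: bytes) -> str:
        """Record the key seen in a session; report 'new', 'unchanged' or 'changed'.
        A change drops earlier verification: the new key is untrusted until re-checked."""
        old = self.pinned.get(peer)
        if old is None:
            self.pinned[peer] = pubkey
            return "new"
        if old == pubkey:
            return "unchanged"
        self.pinned[peer] = pubkey
        self.verified.discard(peer)
        return "changed"

    def verify_out_of_band(self, peer: str, fingerprint_from_peer: str) -> bool:
        """Compare a fingerprint obtained over a separate channel (phone call, in
        person) with the fingerprint of the key we currently see for this peer."""
        ours = fingerprint(self.pinned[peer])
        ok = hmac.compare_digest(ours.encode(), fingerprint_from_peer.encode())
        if ok:
            self.verified.add(peer)
        return ok

def reinstall_scenario() -> dict:
    """Alice pins Bob's key, Bob reinstalls and gets a fresh key, Alice gets the
    change notice and re-verifies by phone. Keys are constructed random bytes."""
    store = TrustStore()
    bob_old, bob_new = secrets.token_bytes(32), secrets.token_bytes(32)
    first = store.observe("bob", bob_old)
    store.verify_out_of_band("bob", fingerprint(bob_old))  # initial in-person check
    second = store.observe("bob", bob_new)  # this is the "safety number changed" notice
    stale = store.verify_out_of_band("bob", fingerprint(bob_old))  # her old note no longer matches
    phone = store.verify_out_of_band("bob", fingerprint(bob_new))  # Bob reads out his new number
    return {"first": first, "second": second, "stale_check": stale, "phone_check": phone,
            "verified": "bob" in store.verified}
```

The `stale_check` failing is exactly what the notification is telling the user: whatever was compared before no longer applies, so only a fresh comparison over a channel the messaging server does not control re-establishes trust.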


You can ask the other party to resend you a message from before (one that doesn't matter). I.e. "Can you confirm this is you: send me a message from 5 messages back using the quote function." (You know what is said 5 messages back so you can pick a non-sensitive one, and they can do the same to you.)

edit: nvm, if this is man in the middle then that doesn't matter because you still exchange with each other and it's not a hijack. Sorry, I made a mistake.


(Re-)verify the safety number out-of-band, like you hopefully did initially.


I would simply ask if they got a new phone or re-installed WhatsApp.

A few would inquisitively ask "Yes, how did you know?", then I would explain to them the notification I got.


This can be triggered by the other side changing phones/devices. How do you explain this to the stupids?



