• Dreeg Ocedam@lemmy.ml
    link
    fedilink
    arrow-up
    3
    arrow-down
    3
    ·
    3 years ago

    It doesn’t necessarily mean that the phone number is sent with every API call. The real authentication of who sent the message happens on the receiver’s device when they decrypt it.

      • Dreeg Ocedam@lemmy.ml
        link
        fedilink
        arrow-up
        3
        arrow-down
        2
        ·
        3 years ago

        They know who the receiver is. They don’t need to know who sent the message. They only have to route it to the receiver.

        • Dessalines@lemmy.mlOP
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          edit-2
          3 years ago

          In a centralized database, this seems like it’d be trivial to get around. You’d only have to look at the client sent messages and correlate them to the receiving ones.

          • Dreeg Ocedam@lemmy.ml
            link
            fedilink
            arrow-up
            3
            arrow-down
            3
            ·
            3 years ago

            It’s more complex than that. The client doesn’t authenticate itself to the server. It only shows a certificate that says “I have a right to send messages to this person”. This certificate is anonymous and was initially generated by the receiver, and then sent via the encrypted session.

            More details here.

            The server could still correlate the IP, which is much less valuable and can be hidden through VPNs or even the built-in censorship circumvention proxy.