
How is it possible to maintain an E2E communication while using the WhatsApp web client? I've found different Q&A (f.i. How does end to end encryption work with whatsapp web?) but nobody completely resolved my doubts.

How does the web client synchronize itself with the mobile app? How are the messages sent to the browser session initially? What's going on when I write a message in the web client in order to maintain all the communication E2E?



It wouldn't make sense to build a complete end-to-end encrypted system between two web clients, because in that case the data encrypted/decrypted by the web client would not be readable by the mobile client and vice versa.

To avoid this, a protected channel is created between the mobile and web clients. The mobile clients run the end-to-end encrypted chat service with each other and generate different key pairs to talk with the web clients. So the message can be read/generated by both (mobile and web) clients.

The answer that you are referring to already gives the technical ideas as to how it is implemented. I will just add a flow for you to understand.

Accordingly, say users A and B are communicating via WhatsApp. Then the way the end-to-end encrypted chat will work is:

A's web client <-protected-> A's mobile client <-E2E-> B's mobile client <-protected-> B's web client.

[Paraphrasing parts from the answer referred in the question]

How does the web client synchronize itself with the mobile app?

Initial setup is done when the mobile client scans the QR code of the web client. After that, it is simple client server architecture where the mobile client acts as the server. All the messages are readable to the mobile client.

How are messages sent to the browser session initially? What's going on when I write a message in the web client in order to maintain all the communication E2E?

Once a secure connection between the web and mobile client is established, that is used for all the communication. Again, it is not end to end encryption between the two web clients. The mobile clients can read all the messages. So the end to end encryption is between the mobile and web clients. Then there will be another end to end encrypted channel between the mobile and web clients.

  • So behind the scenes WhatsApp main servers do the sync between mobile and web clients? – Commented Aug 27, 2020 at 15:13
  • No. The mobile app has a server which the web client is a client to. WhatsApp servers don't facilitate the communication between the mobile and web client. – Limit, Commented Aug 29, 2020 at 17:32
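An added illustration of the hop-by-hop model in this answer (example code written for this page, not WhatsApp's own code): a toy authenticated stream cipher built from HMAC-SHA256 stands in for the real ciphers, and the three session keys are assumed to have already been established (the QR-code handshake is skipped). It shows that A's phone sees the plaintext at every step, while the hop relayed between the two phones cannot be opened with either web-session key.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (toy, not WhatsApp's cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def fresh_keys() -> tuple:
    # Constructed session keys: A's web<->phone, phone<->phone (E2E), B's phone<->web.
    return os.urandom(32), os.urandom(32), os.urandom(32)


def send_from_web(msg: bytes, k_web_a: bytes, k_e2e: bytes, k_web_b: bytes) -> dict:
    """Walk the message hop by hop and record what each party holds."""
    hop1 = seal(k_web_a, msg)            # A's browser -> A's phone (protected channel)
    on_phone_a = unseal(k_web_a, hop1)   # A's phone can read everything it relays
    hop2 = seal(k_e2e, on_phone_a)       # A's phone -> B's phone, relayed by the WA server
    on_phone_b = unseal(k_e2e, hop2)
    hop3 = seal(k_web_b, on_phone_b)     # B's phone -> B's browser (protected channel)
    on_web_b = unseal(k_web_b, hop3)
    return {"phone_a": on_phone_a, "server_sees": hop2, "phone_b": on_phone_b, "web_b": on_web_b}


def can_open(blob: bytes, candidate_keys: list) -> bool:
    """True if any of the given keys opens the blob; the relay only ever sees hop2."""
    for key in candidate_keys:
        try:
            unseal(key, blob)
            return True
        except ValueError:
            continue
    return False
```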

This is my reconstruction after some investigation.

This first image could represent the flow when Alice sends a message from WhatsApp web to Bob:

[Image: Alice sends message to Bob from the whatsapp web client]

While this one represents the flow when Alice sends a message from the mobile app but she is also logged in to WhatsApp Web:

[Image: not captured]

(I've intentionally skipped the QR code scan "handshake".)

What I don't understand is how KEY-X is derived in order to keep the WhatsApp server blind to our messages from the WhatsApp web client. Because if KEY-X is derived from a parameter sent by the WA server during the QR code validation, they can also derive the key and so the whole E2E scheme fails (which I think isn't the case).

  • You should edit your question to add details, not make an answer – schroeder, Commented Jan 14, 2017 at 18:54
  • I've lost account of toomuchkafeine... that's a replacement to keep the discussion up... – user136336, Commented Jan 14, 2017 at 19:09
