I’ll bet The Guardian regrets using the term “backdoor” now. What a difference it would have been if they had simply called it a “weakness” instead. They did find a weakness I am concerned about.
The key change notification feature default of off is a reasonable default considering the anticipated understanding of security that the majority of people using this app. It’s not hard to enable it, and I recommend everyone do that, and question any unexplained key changes.
The completely separate issue regarding how the whatsapp app automatic re-encodes and retransmits any not-yet-confirmed messages when one endpoint starts using a new key. This is not good. In other words, it’s possible for other people to intercept a tiny fragment of your conversation. This is true even if you have key change alerts on, it only alerts you AFTER resending that last message or two.
Privacy requires a level of trust in the technology, but it’s not magic. I think the key change alert feature ought to be expanded to mean more, that it won’t TOLERATE a key change without you knowing about it. Make it a big popup alert, not a tiny highlighted inline message that could be too easily misunderstood or ignored.