Hard block vs soft block — three restriction tiers
WhatsApp faces three tiers of restriction across countries: (1) Tier 1 hard block — mainland China (2017-09 onward GFW DPI identifies WhatsApp protocol and RSTs immediately, all features unusable) + North Korea (nationwide internet block, ordinary citizens have no Wi-Fi/mobile data); (2) Tier 2 VoIP soft block — UAE (since 2016), Qatar, Saudi Arabia, telcos Etisalat/du/STC RST WhatsApp's voice/video streams (SIP+Opus) at the gateway layer, but HTTPS text messaging and image/video file transfer aren't touched — the actual reason isn't political censorship but economic interest (Gulf telcos rely on IDD international call revenue, VoIP cuts that); (3) Sporadic per-country enforcement — Brazil 2015-12-16 / 2016-05-02 brief nationwide blocks (courts ordered after WhatsApp refused to hand over criminal records), later lifted. AF3 distinguishing these three tiers matters — Gulf users 'can use WhatsApp but can't call', and our InfoCard makes this explicit.
Signal Protocol E2EE — WhatsApp's core tech asset
WhatsApp has had global default E2EE since 2016-04, using the Signal Protocol developed by Open Whisper Systems (later the Signal Foundation): Curve25519 elliptic-curve key exchange + AES-256-GCM symmetric encryption + HMAC-SHA256 integrity + Double Ratchet algorithm for forward secrecy. Meaning: even if WhatsApp servers are breached, past messages are undecryptable — each message has an independent key. Legally a double-edged sword: (1) Strong privacy appeal acquired large privacy-conscious user base (Europe + LatAm WhatsApp dominance far exceeds Messenger); (2) Recurring conflicts with national law enforcement — UK 2023-04 OSA (Online Safety Act) requires platforms to 'scan for CSAM', WhatsApp publicly stated it would exit UK if forced to scan (violates E2EE design). AF3 doesn't probe encrypted content, only checks STUN port and WebSocket connectivity.
Channels and Business — major 2023-2024 extensions
WhatsApp launched two major features 2023-2024: (1) Channels — globally launched 2023-09-13, similar to Telegram Channels + Twitter one-way broadcast, anyone/organization can create a channel, subscribers receive one-way messages (no group chat), used for sports, news, celebrity 1-to-many scenarios; Channels are NOT E2EE (public broadcast), Meta can see content for monetization + recommendation; (2) WhatsApp Business — small-merchant version (free) + Business Platform API version (enterprise, pay per message), used to send promotions / order status / customer service. Business API is Meta's high-margin product, est. ~$3B annual revenue 2024, mostly LatAm + India SMB users (who don't have a WeChat mini-program ecosystem like Chinese merchants do). AF3 detection doesn't differentiate Personal / Business / Channels — probes the same domain set (graph.facebook.com etc.).
WhatsApp Web QR pairing — extra hurdle for China users
WhatsApp Web isn't a standalone account — it works via phone pairing: (1) Open web.whatsapp.com on desktop → (2) Phone scans QR → (3) Desktop browser acts as 'client mirror', all encryption/decryption happens on the phone, desktop only displays. This architecture creates a special problem for China users: (1) Phone must reach WhatsApp (VPN required); (2) Web side must also reach web.whatsapp.com (also VPN); (3) Both endpoints should preferably be in 'nearby ASN/region', else WhatsApp triggers a 'device location anomaly' warning email to phone-bound mailbox — doesn't break usage but annoying. So China users' standard WhatsApp Web approach is: route all devices through the same VPN (whole-network proxy or router-level VPN), keep phone and desktop egress IPs aligned. AF3 probes three endpoints: web.whatsapp.com, graph.facebook.com, stun.whatsapp.net.
AF3 node strategy — sweet spot for 3-star strictness
WhatsApp's 3-star strictness is a sweet spot: not as strict as Netflix/Disney+ (datacenter IPs always die), not as loose as Telegram/Reddit (any node works). Specifics: (1) Datacenter IPs generally work for login + messaging, but ban-trigger rate ~15% (especially during new-account registration); (2) quality_vpn (residential IP pool) passes ~100%, recommended approach; (3) Gulf-3 VoIP restriction — local SIM + VPN can't bypass (telcos RST at gateway, unrelated to IP), Gulf users wanting VoIP must use SIP-over-VPN (e.g. Skype Number / Google Voice with domestic numbers); (4) New account sign-up: recommend residential IP + real phone number (SMS verification), WhatsApp's anti-SIM-farm is harsh, cheap +84/+62 SMSactivate numbers often get banned within 30 days. Best practice: when VPN-ing, pick a country node matching your actual residence (US users use US nodes, India users use IN nodes), reduces account risk-control flags.