For sure if you are using any app or OS over which you don't have complete knowledge and control, and which isn't entirely unhackable, you are trusting someone somewhere.
Application companies will always be able to backdoor their apps.
What e2e encryption does do is make messages nearly impossible to be intercepted in transit or on a massive scale by anyone without the cooperation of the company.
> What e2e encryption does do is make messages nearly impossible to be intercepted in transit or on a massive scale by anyone without the cooperation of the company.
No, this is a non-standard definition of "e2e encryption" that I've never heard of. In fact, it's exactly counter to the whole point of e2e encryption. The reason "end" and "end" are specified is because it precludes anyone in the middle from getting the plain text of the message. End to end encryption is supposed to assume "cooperation of the company" as a threat model!
> What e2e encryption does do is make messages nearly impossible to be intercepted in transit or on a massive scale by anyone without the cooperation of the company.
I don't understand why you and others in this thread describe it this way. "end to end" in this description sounds a lot like "transport security" -- like what you get from TLS (https, e.g.). How is this version of "end to end" (where are the ends?) any better than TLS?
> I don't understand why you and others in this thread describe it this way. "end to end" in this description sounds a lot like "transport security" -- like what you get from TLS (https, e.g.). How is this version of "end to end" (where are the ends?) any better than TLS?
TLS is client-server oriented. When a messaging system uses "transport security", like Facebook Messenger, that normally means that your client's connection to Facebook's server is encrypted, but Facebook's server still has access to your message plaintext. Whereas an "end to end" encrypted system would encrypt messages on your client that are only encrypted by the person you're talking to's client.
(I'm similarly skeptical about how much difference this makes in practice - I don't know what the threat model is where you trust a closed-source app and closed source google play services but don't trust the same company's servers. But it is a real distinction in behaviour)
You may have misunderstood my reply to mean that I don't understand what's different between TLS and end to end encryption.
In fact I don't understand the difference between TLS and -- let's call it E2E' (that which might be "end to end encryption"). If E2E' permits the message broker to intercept messages, does it satisfy the conventional definition of "end to end encryption"? No, certainly not. Is it any better than TLS? No, not in my opinion.
Here's what I quoted, which I believe to be E2E':
> What e2e encryption does do is make messages nearly impossible to be intercepted in transit or on a massive scale by anyone without the cooperation of the company.
> If E2E' permits the message broker to intercept messages, does it satisfy the conventional definition of "end to end encryption"?
By "broker" do you mean the server or are you including e.g. the company's code running on your device? "End to end" conventionally means "device to device" since few if any strong cryptosystems can be implemented by humans without mechanical assistance.
Key exchange is traditionally assumed away as outside the scope of analysis; we assume as a starting point that the users have a preshared secret key. So in theory E2E is very different from TLS. But in practice key exchange is very relevant.
There is still a very real practical distinction though: WhatsApp/Signal/... do not allow the server to passively intercept messages. There are active attacks that the server can perform against they key exchange process, but these would be very likely to be detected if performed on a large scale (even by insiders at the company).
It's also worth noting that a TLS approach leaves a much bigger attack surface for bulk attacks from outside the company: any security hole in the company's servers gives a single point at which an attacker can capture plaintext messages on a large scale (as the NSA is known to have done to GMail).
Yes, that does safisfy the definition of end-to-end encryption. The broker - and anyone else - can intercept messages, which is fully accounted for. That does not compromise the confidentiality or authenticity of the secure channel. What is explicitly disallowed is the intercepting party getting access to the plaintext. That includes the broker.
TLS establishes a secure channel between a client and a server. Both the client and the server have access to the plaintext.
E2EE establishes a secure channel between two clients who each have access to the plaintext, via an intermediating server which has no access to the plaintext.
The two clients are the "ends" in E2EE. E2EE does not mandate that the server is uninvolved in the key exchange.
Application companies will always be able to backdoor their apps.
What e2e encryption does do is make messages nearly impossible to be intercepted in transit or on a massive scale by anyone without the cooperation of the company.