
Ask HN: What does end-to-end encryption mean? - hiddensquid
Mobile, apologies for formatting.

I was reading Zoom's security whitepaper on their website and it says it can "encrypt presentation content at the application layer". Now I have a reasonable understanding of E2E encryption, but if the text or content has to be presented to the user by the OS, can the OS read the content of whatever the user is seeing since it has to render the graphics?

For example, can Google read my Signal messages via the fact Android has to render the text?
======
LinuxBender
End to end encryption means that a group of people agree to establish
encrypted communication with each other using a method that does not allow the
servers negotiating that communication to decrypt the contents of the
communication. There is sometimes a mechanism to allow the people to identify
each other out of band to verify trust. In some cases asymmetric encryption is
used. In simpler implementations, symmetric encryption is used with a
preshared key.

An example of asymmetric encryption would be OTR (off the record), which has
been used in the past to encrypt message payloads in popular chat programs. In
those cases, the chat programs are entirely unaware of OTR, or may just see it
as a plugin. OTR will encrypt messages with the keys of the party members for
whom the messages were intended. Implemented correctly, the servers handling
the transport of the communication will never see any private keys nor would
"backdoors" be feasible. A chat party member would have to be compromised to
glean any discernible data. This gives the party members privacy and the
server operators plausible deniability about any communications.

End to end encryption of course also assumes the chat servers have no control
over the applications and can not push an update to a specific person or
group of people and could not mitigate or simply back-door the implementation
of E2E. So for example, if I connect to an IRC server and use OTR, the most
the server could do is block me for sending words that do not look like
unencrypted text of a known language. It can't hijack my application. On the
other hand, cell phone applications can be updated by the carrier or
authorized maintainers of the application.

~~~
hiddensquid
Thank you for the clear explanation but I understand that. I'm asking if the
OS can read the contents of previously encrypted messages.

~~~
LinuxBender
That is related to the last paragraph, in that one has to trust the
application or other applications with access to your chat history cache can
not read your keys and know how to use them. On a cell phone, I would say that
is quite a challenge, given that applications can be updated by other parties.
In my opinion, unless you fully control the OS and applications and no
application can update itself without you explicitly taking action, then one
can not say for sure that the message was protected.
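
Added example, not part of the thread: a sketch of the trust boundary discussed above, using the preshared-key case. The relay only ever holds ciphertext, while the plaintext exists on the recipient's device, where the application and OS handle it. The names (seal, open_sealed, RelayServer) and the message are constructed, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD so that the example runs offline.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: stand-in for a real stream cipher (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _subkeys(psk):
    # Derive separate encryption and authentication keys from the preshared key.
    return (hmac.new(psk, b"enc", hashlib.sha256).digest(),
            hmac.new(psk, b"mac", hashlib.sha256).digest())

def seal(psk, plaintext):
    """Sender endpoint: encrypt, then authenticate nonce and ciphertext."""
    enc_key, mac_key = _subkeys(psk)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(psk, blob):
    """Recipient endpoint: verify the tag first, decrypt only if it matches."""
    enc_key, mac_key = _subkeys(psk)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("rejected: modified in transit or wrong key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

class RelayServer:
    """Transport only: never given the key, records exactly what it is handed."""
    def __init__(self):
        self.seen = []
    def relay(self, blob):
        self.seen.append(blob)
        return blob

def demo():
    psk = secrets.token_bytes(32)      # agreed out of band, never sent to the server
    server = RelayServer()
    message = b"meet at noon"          # constructed sample message
    delivered = server.relay(seal(psk, message))
    rendered = open_sealed(psk, delivered)  # plaintext now exists on the endpoint
    return server.seen[0], rendered
```

The value returned as `rendered` is what the receiving application hands to the OS for display, which is the point the replies above make about having to trust the endpoint.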

------
ThePhysicist
As you pointed out it always depends on where you put the ends. You could say
client-server communication via TLS is end-to-end encrypted and be right if
you define one end to be your browser and the other end to be the HTTPS
server. The term end-to-end encryption was popularized mostly by chat
applications though, where the two ends would be the trusted client devices of
the communicating users.

