this post was submitted on 07 Mar 2024
297 points (98.4% liked)
Technology
59428 readers
2858 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Why do you need to control both ends for E2EE? Both ends need a public and private key to encrypt and decrypt messages. You need a method of key exchange. I would prefer to have an offline method (phone call, in-person) of validating a key (like iMessage and Signal have). But I don’t see a reason to need to control both ends.
Probably because different messaging platforms have different opinions on how to implement encryption, and those opinions are baked into their infrastructure at a pretty low level. If two platforms don't support a common encryption system, the only way to move traffic between them is to decrypt and re-encrypt the data at the boundary between platforms, giving both platforms access to the unencrypted messages.
Mandating a common system for E2EE seems like a good step 2, but just getting them to exchange messages at all is a good first step that doesn't require anyone to change their backend to support a different encryption mechanism.
(Just to give an example I'm familiar with, you can tell Facebook's encryption isn't E2E because you access Facebook Messenger from a new device and have access to all your old chat history. Making Messenger support E2EE would break a basic assumption about how it works and what features it offers.)
If there'd be a way to use FBM with an alternative client - one could use OTR.
I agree that decrypt/encrypt is bad—it is simply not E2EE. The solution would have to be a better method of public key distribution for ‘federated’ systems.
While I don’t know anything specific about facebook messenger, E2EE doesn’t necessarily preclude what you suggest. A messaging service could store the entire chat history encrypted without decryption keys. When you get a new client you could restore the entire history in encrypted form onto your device. You would then use a recovery key you would possess to decrypt the message history on your end. At no time would the messaging service have the keys to decrypt. I’m not saying that is what facebook does.