Comment by fc417fc802
1 day ago
> E2EE means only your intended recipients can access the plaintext.
No, it does not. It means that only endpoints - not intermediaries - handle plaintext. It says nothing about who those endpoints are or who the software is working for.
Key escrow and E2EE are fully compatible.
No, it is not. This is precisely why we have the term E2EE. An escrow agent having your keys but pinky promising not to touch them is indistinguishable from the escrow agent simply having your plaintext.
Unless you’re fine with the escrow agent and anybody they’re willing to share the keys with being a member of your group chat, in which case my original point still stands.
Edit: I think you might be confusing your personal intention (ie I wanted this to be private but didn't realize the service provider retained a copy of the keys) with the intention of the protocol (ie what the system is designed to send where). Key escrow is "by design" whereas E2EE protects against both system intrusions (very much not by design) as well as things like bugs in server software or human error when handling data.
> is indistinguishable
Technically correct (with respect to the escrow agent specifically) but rather misleading. With E2EE intermediary nodes serving or routing a request do not have access to it. This protects you against compromise of those systems. That's the point of E2EE - only authorized endpoints have access.
The entire point of key escrow is that the escrow agent is authorized. So, yes, the escrow agent has access to your stuff. That doesn't somehow make it "not E2EE". The point of E2EE is that you don't have to trust the infra. You do of course have to trust anyone who has the keys, which includes any escrow agents.
If we used the definition "only your intended recipients can access the plaintext" ... well let's be clear here, an escrow agent is very much an "intended recipient", so there's no issue.
But lets extrapolate that definition. That would make E2EE a property of the session rather than the implementation. For example if my device is compromised and my (E2EE) chat history leaks suddenly that history would no longer be considered E2EE ... even though the software and protocol haven't changed. It's utterly nonsensical.
> I think you might be confusing your personal intention with the intention of the protocol
So what would be the name for a mechanism where escrow is deliberately not a part of the design and nobody aside from the sender and recipient can access the plaintext data, no 3rd parties whatsoever, as long as those two participants aren’t compromised.
I’m not disagreeing with you but I’ve heard people talk about E2EE while actually thinking it’s more like the above. There is probably a term for truly private communication but I’m sleepy and it eludes me.
1 reply →
Well, WhatsApp backups claim they are E2E encrypted, but there’s a flow that uses their HSM for the encryption key, which still feels like some escrow system.
https://engineering.fb.com/2021/09/10/security/whatsapp-e2ee...
True but you can choose to store the key completely yourself. That fixes a big backdoor that's been around for ages.
The biggest problem remaining to me is that you don't chat alone. You're always chatting with one or more people. Right now there's no way of knowing how they handle their backups and thus the complete history of your chats with them.
It's the same thing as trying to avoid big tech reading your emails by setting up your own mailserver. Technically you can do it but in practice it's pointless because 95% of your emails go to users of Microsoft or Google anyway these days.
> Key escrow and E2EE are fully compatible.
Wild to see someone on HN even entertain this idea.
It's literally the point of key escrow. My views on a given practice are entirely irrelevant to the definition of the relevant terminology.
With key escrow, by definition you can only implement end-to-many-ends encryption.
3 replies →
Wild to think otherwise.