by orangepurple 1481 days ago
Terrible advice. If you want e2e you can choose to enable it. It is not enabled because many users choose to receive their messages across multiple personal devices simultaneously. This is not possible with e2e, which is why it is an option.

> Terrible advice. If you want e2e you can choose to enable it. It is not enabled because many users choose to receive their messages across multiple personal devices simultaneously. This is not possible with e2e, which is why it is an option.

Signal, WhatsApp, iMessage and Threema seem to do just fine.

> iMessage

Unrelated to this, but for all intents and purposes, iMessage cannot be considered e2e encrypted if either party has iCloud backups enabled. Apple has access to your iCloud backups, and they contain the iMessage keys.

IIRC, with the keys they can technically decrypt in line; backups are not required.

Yes, they can choose to decrypt messages going forward (by injecting a third key controlled by the gov/Apple in a multi-person message and silently copying messages), but they can't retroactively decrypt them in that case.

"Just fine" by conveniently managing the keys for you. You have no idea what they really do with them.

Well, except Threema. Last time I used it, it was not possible to receive their messages across multiple devices simultaneously.

You have no idea what any software does with your keys unless you audit it, then compile and install it on your device yourself. Oh, and audit your compiler. And its compiler...

If you have a piece of software that can read supposedly encrypted messages on several devices, it is obvious that it does something with the keys. You don't have to audit the compiler and argue ad absurdum.

The Sesame protocol lets the linked device generate its own keypair, the only thing in common is your user id. Each private key never leaves the respective device.

A talk on the technicals can be found here: https://www.youtube.com/watch?v=7WnwSovjYMs&t=1762s

Guess who conveniently holds your "secret key" in escrow just like AWS KMS does by default? The provider.

> This is not possible with e2e

Why not? You can encrypt a message with more than one key, no? It’s still e2e, just that there are multiple ends.

Apple’s Messages is e2e (until SMS is used) and they have group chats.

Until SMS is used OR until either side has iCloud backups turned on (which is the default setting)

Just shipping keys to someone to hold on to doesn't make the encryption not-end-to-end, though it does reduce the point quite a bit.
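
The per-device key model raised in the comments above (each linked device generates its own keypair, and a message is encrypted to more than one key), as an added example that is not part of the thread and is not Signal's Sesame code. It is a simplified hybrid scheme using Node's built-in `crypto`; the function names and the `fanout-demo` label are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Each device generates its own X25519 key pair; the private key stays on that device.
function newDevice(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  return { name, publicKey, privateKey };
}

// Derive a 32-byte key-wrapping key from an X25519 shared secret via HKDF-SHA256.
function wrapKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'fanout-demo', 32));
}

// AES-256-GCM encrypt / decrypt helpers (decrypt throws if the key or tag is wrong).
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Sender: encrypt the body once, then wrap the content key for every listed device.
function encryptForDevices(text, devicePublicKeys) {
  const contentKey = crypto.randomBytes(32);
  const eph = crypto.generateKeyPairSync('x25519'); // fresh per message
  const envelopes = {};
  for (const [name, pub] of Object.entries(devicePublicKeys)) {
    envelopes[name] = seal(wrapKey(eph.privateKey, pub), contentKey);
  }
  const body = seal(contentKey, Buffer.from(text, 'utf8'));
  return { ephemeralPublicKey: eph.publicKey, envelopes, body };
}

// Receiver: a device unwraps only its own envelope, using only its own private key.
function decryptOnDevice(device, msg) {
  const env = msg.envelopes[device.name];
  if (!env) throw new Error(`no envelope for ${device.name}`);
  const contentKey = open(wrapKey(device.privateKey, msg.ephemeralPublicKey), env);
  return open(contentKey, msg.body).toString('utf8');
}
```

Who can read a message is decided entirely by the list of device public keys the sender encrypts to, which is why clients that work this way need a way for users to verify that list.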