[_heimdall]

The encryption concerns here are a bit confusing IMO. Facebook owns the UI that show you the text of the messages.

There doesn't have to be a backdoor into E2E encryption at all per say, a simple UI property check would give full access to message contents directly in the frontend code. Throw that into a private API and Bob's your uncle, decrypted messages that were transmitted with 100% secure E2E encryption.

[lxgr]

Is that different for any other encrypted instant messenger, though?

[_heimdall]

No not at all, its a universal risk since you have to trust the UI.

I should have been more clear there. Its interesting to me that I often see concerns over whether Facebook has encryption backdoors when the UI can do all the work.

[lxgr]

That's arguably still a backdoor, no?

At least I'd call an instant messenger that which claims to provide end-to-end encryption between conversation participants and then surreptitiously inserts itself as another participant.

However, something very active like that would be much easier to detect and prove than a "true" cryptographic backdoor that could possibly be explained away as an oversight in design or auditing.

[_heimdall]

Yeah I think that would fall into the backdoor category. My point was mainly that concerns over E2E encryption usually stop at the level of encryption and transmission.

If one really doesn't trust that Facebook isn't honest about how messages are encrypted and who has access to decrypt them, they also shouldn't use an app made by the same company that by design must have access to the decrypted text.