[RadiozRadioz]

I'm so tired of this. It's really simple:

If the client is proprietary and controlled by the vendor, E2EE is meaningless.

Last I checked, Discord is a proprietary application that updates itself on startup with freshly baked proprietary blobs straight from Discord Inc. They can say all they want about how great the encryption itself is, sure I believe them, but as long as alternative clients are forbidden and Discord's proprietary self-changing software exists on either end, it doesn't matter.

[rcxdude]

It's not meaningless (such applications are quite heavily inspected for signs of malfeasance by many parties that would stand to benefit from widely publicizing any backdoor), but it does substantially reduce the value, especially if your threat model includes being specifically targeted for a bypass.

[RadiozRadioz]

The whole point of all this fancy encryption is to make it mathematically impossible for the vendor to read your messages. It doesn't matter if it's mathematically impossible for them to read messages on the server if it's operationally trivial for them to extract them from the client.

It's end-to-end encrypted, but both ends are wide open for Discord to do what they like. If not them, someone doing a supply chain attack on their frivolously & opaquely updating proprietary clients.

WhatsApp has E2EE, but how do you think they found CSAM on people's devices? Because they control the endpoints.

[7jjjjjjj]

You really think someone is out there reverse engineering and debugging every inch of the behemoth that is Discord, any part of which could leak the keys, or compromise them in some non-obvious way? In every release? Yeah, right.

Also, you should rethink "many parties ... would stand to benefit from widely publicizing any backdoor." A new bugdoor is found in WhatsApp every six months and nobody cares.

[lxgr]

It's not meaningless at all at least to the vendor.