To the surprise of no one…

  • ChaoticNeutralCzech@feddit.org
    8 hours ago

    Being FOSS is not a prerequisite of E2EE but a prerequisite of knowing it’s E2EE for sure. Like, I can give you a black box that prints PGP key pairs and says “includes RPGP, MIT-licensed PGP library” but you can’t trust that the machine doesn’t use a modified, low-entropy RNG or exfiltrate the results. The communication you do with these PGP keys is technically E2EE - a third party server relaying your messages will not be able to read them, unless I provide them with the potentially not-so-secret “random” data my box generated.

    But you’re right: if my black boxes are also used to encrypt/decrypt the messages with “your” keys (made by them) and I run a non-transparent service that delivers the messages, there is a case for not calling it E2EE.