Comment by Terr_

Comment by Terr_ 10 hours ago

62 replies

So basically their marketing-department is abusing a security term in order to sound good, as opposed to a software flaw.

They're claiming "end to end" encryption, which usually implies the service is unable to spy on individual users that are communicating to one another over an individualized channel.

However in this case there are no other users, and their server is one of the "ends" doing the communicating, which is... perhaps not a literal contradiction in terms, but certainly breaking the spirit of the phrase.

bmandale 10 hours ago

This is an incredibly common misuse of the term e2ee. I think at this point we need a new word because you have a coin flip's chance of actually getting what you think when a company describes their product this way.

  • WatchDog 9 hours ago

    Any new term you come up with will end up being misused by marketers.

    • spwa4 33 minutes ago

      End-to-end encryption doesn't mean anything where it is semi-validly used. It's used on phones, where you as a user (or company) don't control what code executes. For example, WhatsApp was end-to-end encrypted. Well, it doesn't actually provide security because with either physical access to the phone or if you can use the app store to "upgrade" the app, you can upload code to the phone. You can upload an apk that replaces the WhatsApp app. It even still uploads the messages to a central server so you can get those messages from Meta, then get the key from the phone some time later or earlier and use the key to decrypt it when the message is already erased from the phone.

      (aside from the fact that people don't seem to know/remember WhatsApp backs up to google drive)

      Code that then gets access to the end-to-end encryption keys ... so you're not safe from state actors, you're not safe from police, you're not safe from the authors of the code and you're not safe from anyone who has physical access to your phone.

  • fastball 10 hours ago

    I have never seen "e2ee" abused this way personally.

    • N-Krause 5 hours ago

      There was a discussion here on hn about OpenAI and its privacy. Same confusion about e2ee. Users thinking e2ee is possible when you chat with an ai agent.

      https://news.ycombinator.com/item?id=45908891

      • charcircuit 4 hours ago

        >Users thinking e2ee is possible when you chat with an ai agent.

        It shouldn't be any harder than e2ee chatting with any other user. It's just instead of the other end chatting using a keyboard as an input they chat using a language model to type the messages. Of course like any other e2ee solution, the person you are talking to also has access to your messages as that's the whole point, being able to talk to them.

      • pyuser583 3 hours ago

        I saw a YouTube video claim similar levels of privacy are possible using trusted computing.

    • ljlolel 8 hours ago

      Zoom also did this once

      • wkat4242 4 hours ago

        They don't care about security at all.

        They once shipped a backdoor in their macOS app. It was noticed and called out and they refused to remove it. It took Apple blacklisting it for Zoom to finally take action.

      • internetter 8 hours ago

        They also paid me something around 100 dollars in settlement for this

      • bayindirh 5 hours ago

        I believe they now have a proper e2ee mode which disables all the cloud powered features, no?

        • computerfriend 2 hours ago

          They acquihired (and gutted) Keybase for this, but I have a doubt that their "reimplementation" is actually E2EE.

    • hulitu 6 hours ago

      WhatsApp, Signal, Telegram, iCloud

  • g-b-r 9 hours ago

    It's not incredibly common. There's sure a lot of companies that try to misuse it, but the average person (even non-technical) still interprets it in the correct way.

  • tacitusarc 10 hours ago

    “In transit encryption”

    • boomboomsubban 10 hours ago

      Creating a new term for the less secure definition doesn't work, as they'll just continue to call it E2EE encrypted.

      • calebio 10 hours ago

        I think part of the problem is that prior to WhatsApp's E2EE implementation in like 2014, TLS was very often called "End to End Encryption" as the ends were Client and Server/Service Provider. It got redefined and now the new usage is way more popular than the old one.

        I can't blame most people for calling TLS "E2EE", even some folks in industry, but it's not great for a company to advertise that you offer X if the meaning of X has shifted so drastically in the last decade.

      • SchemaLoad 9 hours ago

        No term will stop marketers from lying. If users see one as being the more secure one, marketers will use it. Unless they get sued for false advertising.

    • kstrauser 10 hours ago

      I despise how often that’s used. “Do you have end to end encryption?” “Sure! We use TLS for everything, and KMS for at-rest.” “So… no?”

koolba 10 hours ago

> However in this case there are no other users, and their server is one of the "ends" doing the communicating, which is... perhaps not a literal contradiction in terms, but certainly breaking the spirit of the phrase.

Am I understanding correctly that the other end of this is a rear end?

  • hulitu 6 hours ago

    Every front end needs a rear end. So, yes.

addaon 10 hours ago

While they’re taking one “end” much less literally than usual, they are taking the other “end” much more literally…

geoduck14 10 hours ago

This is exactly what E2EE means. I used to work at a bank, and our data was E2EE, and we had to certify that it was E2EE - from the person paying, through the networks, through the DNS and load balancers, until it got to the servers. Only at the servers could it be unencrypted and an (authorized) human could look at it.

Of course, only authorized users could see the data, but that was a different compliance line item.

  • modeless 9 hours ago

    No, E2EE doesn't mean it's encrypted until the service provider decrypts it. E2EE means the service provider is unable to decrypt it. What you are describing is encryption in transit (and possibly at rest).

    Bank data is never E2EE because the bank needs to see it. If banks call it E2EE they are misusing the term. E2EE for financial transactions would look like e.g. ZCash.

    • RHSeeger 9 hours ago

      I would argue it depends on context. E2EE means it's encrypted until the "target" receives it. For a messaging protocol, it's the intended recipient of the message. For what the person you're replying to is discussing, the intended recipient IS the bank.

      That being said, the person you're replying to seems to be saying that "the server" is always an "intended" end, which is wrong.

      • modeless 8 hours ago

        No, it doesn't depend on context. The intended recipient of a financial transaction is not the bank. The intended recipient is the party you're trying to pay. It is possible for financial transactions to be E2EE and completely indecipherable by anyone but the two parties of the transaction. Crypto like ZCash can do it. Banks cannot.

      • stephen_g 8 hours ago

        While what you're saying makes sense, it's not the normal use of the term - in fact, the term 'end to end encryption' was basically coined to differentiate user-to-user encryption (through an intermediary service that can't decrypt the message) from the regular case (user to service encryption) that you're talking about!

        • calebio 3 hours ago

          It wasn't coined, it was reused. It historically meant things that were encrypted from the client to the server, e.g. SSH, SSL, TLS, etc.

          RFC 4949 (Internet Security Glossary, Version 2) from 2007: https://datatracker.ietf.org/doc/html/rfc4949

               $ end-to-end encryption
                (I) Continuous protection of data that flows between two points in
                a network, effected by encrypting data when it leaves its source,
                keeping it encrypted while it passes through any intermediate
                computers (such as routers), and decrypting it only when it
                arrives at the intended final destination. (See: wiretapping.
                Compare: link encryption.)
          
                Examples: A few are BLACKER, CANEWARE, IPLI, IPsec, PLI, SDNS,
                SILS, SSH, SSL, TLS.
          
                Tutorial: When two points are separated by multiple communication
                links that are connected by one or more intermediate relays, end-
                to-end encryption enables the source and destination systems to
                protect their communications without depending on the intermediate
                systems to provide the protection.
          
          
          There's a bunch of older references as well. Since SSL/TLS wasn't really adopted by a lot of services until 2008+, usages of it are mainly in papers, old forum posts, etc. I saw it used and was discussing it back in the day on IRC with folks who were way more knowledgeable than me on this topic and had been in the trenches for a while :D

  • kstrauser 9 hours ago

    Nah. You have no reasonable expectation that the bank itself can’t access your financial records. Anyone reading Kohler’s lies would have every expectation that the Internet of Poopcam screenshots are theirs and theirs alone.

    • lukeschlather 9 hours ago

      Anyone reading that is misunderstanding what E2EE means. As the article says, that's client-side encryption. Kohler isn't lying, people are confusing two different security features.

      • kstrauser 9 hours ago

        That is an uncommon interpretation that’s far different than the usual meaning.

        • butvacuum an hour ago

          They're also claiming regulatory requirements as features. At least consumers might be able to sue in addition to several governments when it turns out to be a bunch of crap.

  • pyuser583 3 hours ago

    It sounds like one term is being used for two very different things.

    • butvacuum an hour ago

      Yes, because people don't know the difference between "in transit" and e2ee.

lmm 5 hours ago

> They're claiming "end to end" encryption, which usually implies the service is unable to spy on individual users that are communicating to one another over an individualized channel.

It doesn't "imply", it outright states that. Their server isn't the end, it's the middle. They're not "breaking the spirit" or something, what they are doing is called lying.