calebio 9 hours ago

I think part of the problem is that prior to WhatsApp's E2EE implementation in like 2014, TLS was very often called "End to End Encryption" as the ends were Client and Server/Service Provider. It got redefined and now the new usage is way more popular than the old one.

I can't blame most people for calling TLS "E2EE", even some folks in industry, but it's not great for a company to advertise that you offer X if the meaning of X has shifted so drastically in the last decade.

Reply View 12 replies
  • kstrauser 9 hours ago

    I’m pushing back on that one. I’ve been running websites since the ‘90s, and I’ve never heard E2EE used that way until very recently by vendors who, bluntly, want to lie about it.

    Reply View 7 replies
    • calebio 9 hours ago

      It was pretty common to call client-side encryption/SSL "end to end encryption" among network engineers who were analyzing data flowing through their networks[0] as well as those who were implementing SSL/TLS into their applications[1]. The ends were the client and the server and the data was encrypted "end to end". The goal at that time was to prevent MITM snooping/attacks which were highly prevalent at the time.

      Papers in academia and the greater industry[2] also referred to it in this way at the time.

      Stack Overflow has plenty of examples of folks calling it "end to end encryption" and you can start to see the time period after the Signal protocol and WhatsApp implemented it that the term started to take on a much wider meaning[4]

      This also came up a lot in the context of games that rolled out client side encryption for packets on the way to the server. Folks would run MITM applications on their computer to intercept game packets coming out of the client and back from the server. Clever mechanisms were setup for key management and key exchange[3].

      [0] as SSL became more common lots of tooling broke at the network level around packet inspection, routing, caching, etc. As well as engineers "having fun" on Friday nights looking at what folks were looking at.

      [1] Stack Overflow's security section has references from that era

      [2] "Encrypting the internet" (2010) - https://dl.acm.org/doi/10.1145/1851275.1851200

      [3] Habbo Hotel's prime and generator being hidden in one of the dynamic images fetched from the server as well as their DH mechanism comes to mind.

      [4] Jabber/XMPP however used E2EE in the more modern sense around that time as they were exploring going beyond TLS and having true E2EE.

      Reply View 6 replies
      • Sophira 5 hours ago

        At least in some circles, the real meaning of "end-to-end encryption" was being addressed. For example, in the field of credit card processing, here's an article from 2009 which talks about how people back then were misusing the term: https://web.archive.org/web/20090927092231/http://informatio...

        Granted, it's a marketing piece trying to sell a product, but still.

        Reply View 0 replies
      • g-b-r 7 hours ago

        I wasn't a network engineer, but to my recollection "end-to-end encryption" was only used occasionally, probably by people not too knowledgeable in cryptography

        Reply View 4 replies
  • g-b-r 3 hours ago

    > prior to WhatsApp's E2EE implementation in like 2014, TLS was very often called "End to End Encryption"

    That's pretty wild

    The reason that a different term had to be invented was that some centralized messaging system defined itself as "encrypted" when it begun to use TLS.

    It would have been stupid to pick a term commonly used for TLS to differentiate yourself from TLS

    Reply View 0 replies
  • lukeschlather 9 hours ago

    The two endpoints of the communication with Kohler's app are the client and the server. In WhatsApp's E2EE implementation the endpoints are two client devices. Both are valid meanings of E2EE. You're defining that "end to end" means the server cannot access it but that's simply not what it means.

    Reply View 2 replies
    • calebio 9 hours ago

      The modern usage of E2EE definitely means that "the server cannot access it". That's the meat of this entire discussion.

      While you are technically correct in a network topology sense (where the "ends" are the TCP connection points), that definition has been obsolete in consumer privacy contexts for a decade now due to "true" E2EE encryption.

      If we use your definition, then Gmail, Facebook, and Amazon are all "End-to-End Encrypted" because the traffic is encrypted between my client and their server. But we don't call them E2EE because the service provider holds the keys and can see the data.

      In 2025, when a company claims a camera product is "E2EE", a consumer interprets that to mean "Zero Knowledge". I.e. the provider cannot see the video feeds. If Kohler holds the keys to analyze the data, that is Encryption in Transit, not E2EE. Even though in an older sense (which is what my original comment was saying), it was "End to End Encrypted" because the two ends were defined as Client and Server and not Client to Client (e.g. FB Messenger User1 and FB Messenger User2).

      Reply View 1 reply
      • lukeschlather 6 hours ago

        > If we use your definition, then Gmail, Facebook, and Amazon are all "End-to-End Encrypted" because the traffic is encrypted between my client and their server.

        That may or may not be the case. TLS is always terminated at a load balancer that uses TLS but it's still common to use HTTP within datacenters. So it may not be E2EE and it's a meaningful security feature.

        Reply View 0 replies
SchemaLoad 8 hours ago

No term will stop marketers from lying. If users see one as being the more secure one, marketers will use it. Unless they get sued for false advertising.

Reply View 0 replies