Submitted by [deleted] t3_125wf75 in explainlikeimfive
throwaway_lmkg t1_je6hszf wrote
Reply to comment by sethguy12 in ELI5: When a third party app says they offer "end to end encryption," what does that mean? by [deleted]
I'm only aware of this in generalities. My understanding is that platform providers can be lawfully compelled to read telegraphs or open envelopes, if it is technically possible for them to do so.
A "true" end-to-end encryption scheme would mean that the post office physically cannot open the envelope. In practice, most of the time they could but choose not to, and this is the type of system which can be overcome by a warrant. This happens because a) e2e encryption is bolted on top of a non-e2e system, b) a "true" e2e system like that requires the sender and recipient to manage keys, which is a hassle, so usually the platform does it for you, and c) platforms get political brownie points for being friendly with law enforcement.
pseudopad t1_je72wwo wrote
If you want a free and true e2e messaging app, Signal is pretty alright. It's also open source, so it can be audited by anyone with the time and skill to do so.
E_Snap t1_je7k3de wrote
You’d have to audit whatever specific instance of compiler or interpreter they use to run it, too. Remember, Ken Thompson was able to hide an undetectable back door in UNIX by modifying a compiler to add the back door to the kernel whenever it was compiling it, and then modifying the compiler to add the back-door-adding code to the compiler code whenever it found it was compiling itself. Bam, no trace of malware in the source, all the checksums work out, and the only way you’d ever find out is by compiling a clean version of the compiler source with a clean version of the compiler and then starting your audit.