Standard messaging platforms resemble an old-school telegraph. End-to-end encryption more closely resembles physical mail.

To send a telegraph, you beep out your message. This gets sent to a telegraph station, where a person listening writes down your message, and then beeps it on to the next station down the line, where there's another person waiting. Eventually, someone writes down the message and hands it over to the recipient.

The important thing to note is that the telegraph operator reads the message at every hop. So if your telegraph operator knows your cousin, they'll gossip. And if the Government thinks you're up to Crimes, they'll watch over the shoulder of the telegraph operator to see if anything Looks Like Evidence.

Mail, on the other hand, is sealed in an envelope. And that envelope gets handed to a postman, tossed around by baggage handlers when it's put on a plane, carried around by another postman, and then delivered unopened to the recipient. No one else has seen the content of the envelope until the recipient opens it. It is a crime for anyone else to open this mail, even the Government if they're not going through proper channels (warrantee void where it's voided).

The encryption is, more-or-less, the envelope that stops non-recipients from reading. The "end-to-end" part is the fact that it stays unopened from the beginning of the journey to the conclusion.

This, of course, relies on trusting the postal system actually does what they say they do. The post office has actual laws that guarantee it works this way, whereas some service that claims end-to-end encryption does not.

The encryption is from your end to the other and only both devices know the code to decrypt the messages. Which means it should be safe.

What they're claiming is that your data gets encrypted on your phone and doesn't get decrypted until the intended recipient gets it. Encrypted data can't be read without decrypting it first, so in principle end-to-end encryption ought to keep the app developer from sitting in the middle of your conversation reading your messages.

In reality, though, it's important to remember that anyone can claim their app uses end-to-end encryption, whether or not it actually does. So you shouldn't rely on an app to do the right thing.

Content is encrypted before it leaves your device, and is only decrypted when it reaches the other person's device. It has been encrypted from one end to the other.

What is not "end-to-end" encryption is when the email is encrypted during transmission between servers, but is transferred from your email server to you in a form that the server (and its operators) can read.

And that's actually the usual case, as email headers must be readable by the servers because they have routing information, and some email servers will also scan your emails for spam, attacks, and viruses.

Typical communication is unencrypted. This means that the data, the contents of the message, could be read by anyone who has access to them at any point in their journey to the recipient. Maybe your internet connection is compromised and someone can see all the data that comes and goes from your connection. Maybe it's the servers of the service that are compromised or maybe your Internet Service Provider is compromised. Your data passes through all those different networks and servers so it is theoretically possible that someone with access to them could read your messages.

End to end encryption is what it says on the label, it's encrypted. When two users have a chat with each other, an encryption key is generated that only their devices have. This encryption key is used to encrypt and then decrypt the data on either end. Without it the encrypted data makes no sense to anyone who may have access to them and is next to impossible to decrypt without the encryption key. This means that even if for example someone has access to my messenger account, and he has it open on a computer, he still won't be able to see my end to end encrypted chat that I have with someone through my phone, since only my phone and their phone have the encryption keys. That's why it's called end to end. A channel of communication may still be encrypted but not necessarily end to end.

End to end encryption offers significant security and privacy benefits but it's not unbeatable. If someone up to no good wants access to your data there's always ways they can get it. The weakest points are obviously the devices themselves. If malicious software that gathers your data is installed without your knowledge on your device it can simply read the decrypted messages and bypass the need to decrypt entirely. If someone has access to the encrypted data they may still be able to decrypt it if the method of encryption is weak or if they have the ability to brute force it with a suitable system. Lastly there's the question of whether the providers of those services themselves are honest about their encryption. What's App or Messenger may say their messages are end to end encrypted but that doesn't necessarily mean that's the case, in which case it poses a huge vulnerability.

[deleted]

It means it is encrypted on your device, and only decrypted when it reaches the other device.

Sometimes, apps will encrypt the data once it hits the servers, so that, but it is transmitted to those servers un-encrypted first.

Simply put, End to End encrypts the data on the sender's device, and it is decrypted on the receiver's side when it arrives, so it stays encrypted for the whole journey. The only way to decrypt the message is by using the key that only the receiver device has.

Not to be confused with Link Encryption, which works similarly but is able to also encrypt the headers where the routing information is located (IP addresses, MAC addresses, etc). End to End Encryption does not do that; it encrypts the data itself, but not the header.

It means that the message is encrypted on your phone and decrypted only at the receiver’s phone. Crucially, only the two ends have the decryption key, so it CANNOT be decrypted by the server.

This is in opposition to something like e-mail where your email is encrypted on your phone but decrypted at the email server (Gmail, etc).

The way modern encryption works is that the receiver has a private key (say two very large numbers) and they send out a public key (say the product of those two numbers). You can encrypt the message with the public key, but to decrypt it you need the private key. This works because it's trivial to multiply two large numbers together, but it's enormously expensive to factor the product of two large primes (until quantum computers come into their own).

If Alice wants to send a message to Bob, Bob can send her his public key. Alice can then encrypt whatever she wants to say to Bob and send it back. Alice may have to send her message through lots of people, but they can't read it without Bob's private key. This is end-to-end encryption - nobody along the way can read it.

Of course, maybe facetergram is sitting between Alice and Bob, and the message goes through them. Facetergram may say "hey, use my public key", then Alice sends a message to facetergram, then facetergram decrypts it, then re-encrypts it with Bob's public key and sends it off. In this world, Alice doesn't need to know Bob's key (convenient!), but facetergram can now read Alice's message if they want to. This is not end-to-end, since the message gets read in the middle.

Incidentally, this is why I think a lot of the law enforcement efforts are colossally stupid. If I'm a criminal, I'll just call up Bob and say "hey, Bob, what's your public key?" Then nobody in the middle can read the message. The software to do this isn't hard - I had to do it for a single homework assignment as an undergraduate. Letting facetergram decrypt your messages is an enormous security hole (what happens if they get hacked?), but if I'm a criminal I'd send messages in a way that they couldn't read. So, only legitimate users (or really dumb criminals) can have their messages read, at the price of potentially disastrous leaks.

End to End encryption means that the transmission service can't read the content of the message.

The way it works goes a little something like this:

Modern encryption algorithms work on two types of "keys", Public and Privet, for this though you can think of them as a "Lock" and a "Key", if I hand you a lock you don't need any special equipment to put in on a box, but once you do that you can't open it.

The nice part about this, is that you can make an arbitrarily large number of locks for anyone who asks for them, they can be reused by the people you send them to, and no matter how many you make it will still be (until a quantum computer gets big enough) just as secure.

The goal of its development being "anyone can close this, only I can open it"

The step by step of using one of these apps goes as follows:

• A and B start chatting on an app with E2E encryption
• The first step is that each of their devices create a set of Locks and Keys and send the Locks to the other
• A decided to sends the following message to B "Lets meet tonight for dinner"
• A's app takes B's Lock and encrypts the message and makes it look like this: b'gAAAAABkJKWTY1u2sPwSGTUD0N69P8G5HrKJwRJmM0OnX9l4KJLpCmVOlNxLxPbExPw7XIQJRIhT5CC2gEpuReUq8A5bJlFph_QNmncg7tuJJItifUEMG-g=' (actual encrypted version of text, I used Python's Cryptography module)
• App then sends that over the internet to B's device
• B's device can then use B's Key to take the gobbledegook and turn it back into the original text of "Lets meet tonight for dinner"

The big deal about if being "End to End Encrypted" is that anyone who was trying to listen into the conversation by intercepting and copying the messages will only have the encrypted versions which are indistinguishable from noise.

The current method for encryption involves 3 numbers: 2 very large primes and their product, the primes are the privet "unlocking" key and the product is the public "locking" one, this works because it is incredibly time consuming with modern computers to go from the product to the prime factors. Quantum computers are changing this but people are implementing new methods of encryption which will still hold up into the future.

Now there are some problems that can come up which I will quickly run through:

• Not all encryptions are the same, if they are using a weaker algorithm or shorter keys then it can be broken
• Some algorithms can be set up with a pre-defined 3rd key that will always work to decrypt every message, in this case the company can read everything anyway and if the key gets out then all the encryption is meaningless
• Current development of quantum computers means that in the not to distant future it will be possible to break the RSA encryption algorithm which has been widely used for decades and there are actors in the space who are simply gathering encrypted data and sitting on it until they can get their hands on the tools to break it open, as it doesn't go bad.

In short it means that only you and the person you're talking to are able to read the message.

It goes directly from you to them without passing through any servers or anything in-between which can read the messages.

Encryption means information is transformed in some way such that it cannot be read or changed by unauthorised parties. Typically some kind of secret key is required to read the original information. Modern cryptography uses fancy maths to achieve this.

But "encryption" is kind of an ambiguous thing. Like a lot of services say they use "military-grade encryption!" but the claim is kind of meaningless. What really matters is what data is encrypted, where and by whom.

In a typical computer messaging service, you have the Sender, the Recipient, and in the middle a Server operated by the service provider (eg. WhatsApp/Meta). The Server is needed because directly communicating between two end user devices over the internet is actually pretty hard. The Recipient device may be switched off or out of service range and unable to receive messages, there may be NAT, firewalls or other barriers to establishing connections etc. So the Server handles all messages, temporarily storing messages for retry later, sending out push notifications etc.

In between these 3 parties, you have additional parties involved. The cafe who provides the WiFi; the ISPs who provide the internet connections; other companies or governments who operate the internet infrastructure between ISPs; hackers or rogue employees who gain access to systems and networks; governments who force companies to provide access etc.

So at the very least you want to ensure that the connection between the user (Sender or Recipient) and Server are encrypted to prevent any malicious parties snooping on your messages. A common encryption mechanism uses a pair of keys: a Public key that can be used to encrypt messages, and a Private key that can decrypt them.

End-to-end encryption is a specific type of encryption that takes it a step further; the message content is encrypted on the Sender device (one end), and only decrypted on the Recipient device (the other end). The Server only has enough unencrypted information to route the messages to the correct users/devices, it doesn't need to decrypt the message content. In theory, only the Recipient has the decryption key, so the messaging service provider cannot decrypt it even if they wanted to (or were forced to).

The problem is, end-to-end encryption does not enforce this. You use an app like WhatsApp to generation the keys. There isn't anything that prevents WhatsApp sending a copy of the Private (decryption) key to themselves and reading your messages when they want to. You're trusting them to do what they claim. Then we get to the last part: what is encrypted. It's only the contents of the message. Metadata like how many messages you send, their size, to whom & when, are all accessible to WhatsApp. So end-to-end encryption sounds good in theory, but it you need to understand is limitations.

[removed]

It basically means that only the sender and the intended recipient can actually read the message. This is in contrast to the usual encryption that is only used to secure message from the sender\receiver to\from the server.

It is important though that there are a lot of companies that don't use Cryptographic terms correctly. Though at least for the large direct messengers (e. G. WhatsApp) they usually do use the term end to end encryption correctly.

End to end encryption is a way of making sure only the intended recipient of a message can read the message, even if that message has to be passed between many different places to reach where it’s going. This is necessary to protect your data on the internet because every bit of communication that happens, from loading websites to posting on social media to filling out online forms, all happens through the public medium of the internet.

If you’re curious how it actually works, imagine you’re sitting in school and you want to pass a note to your friend three seats away. You don’t want anyone in between to read the note, so before class you agreed on a special algorithm to use to scramble and unscramble the messages. Before you send a message, you’ll scramble it, and when you receive a message, you’ll unscramble it.

This works for a while, but eventually you realize: if anyone ever figures out your secret algorithm, they’ll be able to read all your messages. So, you come up with an even better algorithm. This one takes a password, and combines it with your message as it scrambles it such that anyone who gets the message also needs the password to unscramble it. Then you simply agree on a different password to use every day before class.

This works for a while, but eventually, it’s getting to gossip season and people are really trying to steal your messages and find out your juicy secrets. You decide that it’s too dangerous to share passwords before class because someone might overhear. So, you come up with an even crazier algorithm. This one requires two different passwords, one to scramble and one to unscramble. When you want to send a message, you now have to first pass a note to your friend saying you’d like to send a message. Then, they will come up with a scramble password and an unscramble password. They reply to you with the scrambling password. You then use the scrambling password to scramble your real message and you send it back to your friend. Finally, they use their unscrambling password to unscramble the message. This system is perfectly secure because you need the unscrambling password to read the message, and that password is never shared with anyone, so only your friend knows it.

Any even remotely competently written software will encrypt data when it's sent over the Internet.

A chat app that is not end to end encrypted (E2EE) will encrypt the connection between the app and the server. The server will decrypt the message, then encrypt it again for the recipient, and as a result, it will be able to read it.

If the chat app is end to end encrypted, your phone will first encrypt the message so that only the recipient's phone can read it. Then it will send it to the server (the connection to the server will typically still be encrypted one more time). Now the server can see that you're sending a message and to whom, but it can't see the content.

The hard part is doing it right and making sure you're actually encrypting it to the right recipient. Encryption is usually done with public key encryption systems. A recipient generates two keys, public and private, and gives the public key to everyone. You can use the public key to encrypt a message so it can only be read using the corresponding private key.

But how do you know which public key belongs to the recipient? Usually, you ask the server. The server could instead send you its own public key (pretending that it's the public key of the recipient). Your phone would now encrypt the message using that key. The server could decrypt it, read it, then encrypt it with the recipient's key.

For this reason, apps like Signal let you verify your contact's "safety number" which is the fingerprint of both your and their public keys (if you look closely, one half of your safety number is the same for all your contacts - that's your public key fingerprint!)

By checking this, e.g. if you meet in person, you can be sure that the attack I described above ("man-in-the-middle") is not happening. Some e2ee apps don't do this. This still means the server has to actively mess with the data rather than just reading it, but it's far from perfect.

Even e2ee is no guarantee: for example, a malicious server could send you a software update that just uploads your message history.

WhatsApp and signal use the same encryption, but a) WhatsApp doesn't warn you by default when your contact's key changes (because people lose their phones/reinstall all the time and it confuses people), b) WhatApp pushes really aggressively to back up your chats to the cloud, and once either you or your contact do that, the (already decrypted) messages are backed up to apple/google... (there is some other encryption involved but if someone gets the data from Apple/Google, and a key from Facebook, they can read those backups).

They mean that encryption/decryption takes place on the source and destination devices, so in theory the servers and attackers in the middle can't read the traffic.

In practice, whoever holds and applies the keys can read the traffic. So if your end device is using code from the server to do this, potentially the server could give you malicious code and read your traffic. The solution is to have the encryption and the storage/transport done by different companies or projects. Use an encryption package such as PGP or Mailvelope, and then a service such as normal email.

Thank you for the replies.

Assuming the companies do what they claim, then is messaging through WhatsApp the same as Signal?