End-to-end encryption (E2EE) became very prominent with its implementation in WhatsApp, and other messengers followed suit. These changes dramatically increased interest in the concept, but some questions still remain:
We will try our best to help you answer these questions (and some more ;)
When you send a file or message to a communication system like WhatsApp or Dropbox, your data traverses several phases of processing:
Phase 1 (transport): Your data is sent from your device to the backend server of the system over a TLS connection. This covers all the different clients: your mobile device (iOS, Android, etc.), your browser, your desktop app, and so on.
TLS termination: This step is absolutely critical for the overall security of communication systems like cloud storage services or messengers. Data arriving over the secure TLS connection is decrypted, processed on the backend server (metadata extracted, user information processed, etc.) and then passed on to Phase 2. From TLS termination onwards the data is available in cleartext to the processing server, and therefore to anyone who controls or compromises that server.
Phase 2 (storage): After your data has been processed and categorized, it is stored so that it can be accessed efficiently when you need it. To increase data protection, most services offer encryption at rest (see for example Amazon S3). Keep in mind that the service holds the key for this layer, so encryption at rest protects stored data against lost disks or backup media, not against the service itself.
Let's sum it up: Phase 1 protects your data over the wire, but that protection ends at the TLS termination point. Phase 2 protects your data in whatever backend it is stored in (database, Amazon S3, etc.), but by then the data has already been exposed in cleartext during TLS termination. So a holistic security concept has to protect data in all phases.
End-to-end encryption enters the stage: the data is encrypted on the sender's device with a key the service never holds, stays ciphertext through transport, TLS termination and storage, and is only decrypted on the recipient's device. Let's illustrate the different phases:
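As an added illustration (this is example code written for this page, not code from the original post or from any of the services mentioned), the following Go program walks one message through the three phases twice: once relying on TLS alone, once with an end-to-end layer underneath it. AES-256-GCM stands in both for the TLS record protection and for the encryption at rest; the key names tlsKey, storageKey and e2eKey, the Backend type and the sample message are assumptions made for the example. The point it makes is the one from the summary above: the operator can read everything it terminates and stores, unless the payload was already ciphertext under a key it never had.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewKey returns a fresh random 256-bit key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag for plaintext under key (AES-256-GCM).
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or tampered data.
func open(key, data []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(data) >= n {
		return aead.Open(nil, data[:n], data[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Backend models the operator (hypothetical): it holds the TLS and storage keys, never an end-to-end key.
type Backend struct {
	tlsKey, storageKey []byte
	seenAtTermination  []byte // payload visible to the processing server
	stored             []byte // record written to the database / object store
}

func NewBackend() *Backend { return &Backend{tlsKey: NewKey(), storageKey: NewKey()} }

// Send walks one message through Phase 1, TLS termination and Phase 2. With e2eKey == nil
// the client relies on TLS alone; otherwise it first encrypts for the recipient and sends that.
func Send(b *Backend, e2eKey, msg []byte) (err error) {
	payload := msg
	if e2eKey != nil {
		if payload, err = seal(e2eKey, msg); err != nil {
			return err
		}
	}
	wire, err := seal(b.tlsKey, payload) // Phase 1: protected on the wire
	if err != nil {
		return err
	}
	if payload, err = open(b.tlsKey, wire); err != nil { // TLS termination
		return err
	}
	b.seenAtTermination = payload // metadata extraction, indexing etc. run on this
	b.stored, err = seal(b.storageKey, payload) // Phase 2: encryption at rest
	return err
}

// OperatorView: what the operator recovers with its own keys, at termination and from storage.
func (b *Backend) OperatorView() (atTermination, fromStorage []byte, err error) {
	fromStorage, err = open(b.storageKey, b.stored)
	return b.seenAtTermination, fromStorage, err
}

// RecipientRead: the operator strips its at-rest layer, the recipient strips the end-to-end layer.
func RecipientRead(b *Backend, e2eKey []byte) ([]byte, error) {
	_, fromStorage, err := b.OperatorView()
	if err != nil {
		return nil, err
	}
	return open(e2eKey, fromStorage)
}

func main() {
	msg, e2eKey := []byte("meet at 10, bring the contract"), NewKey() // constructed sample
	tlsOnly, e2ee := NewBackend(), NewBackend()
	_, _ = Send(tlsOnly, nil, msg), Send(e2ee, e2eKey, msg)
	seen1, _, _ := tlsOnly.OperatorView()
	seen2, _, _ := e2ee.OperatorView()
	got, _ := RecipientRead(e2ee, e2eKey)
	fmt.Printf("TLS only: operator sees %q\nE2EE: operator sees %x; recipient reads %q\n", seen1, seen2, got)
}
```

Note that the at-rest layer still does its job in the E2EE case (the stored record is not the raw end-to-end ciphertext), but what it protects is already opaque to the operator. The example leaves out how e2eKey gets to the recipient; that key agreement is exactly where the hard part of a real E2EE system lives.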
Strong E2EE is quite hard to implement, as it introduces several challenges:
But how do you check whether your favorite communication system (messenger, cloud-storage service, etc.) uses E2EE? This is extremely hard to answer. One indication might be the service itself:
Do you need to scan a QR code to verify a contact or to link a new device? That indicates a key exchange or key verification performed directly between devices rather than trusted to the server, and might point to a proper E2EE system. It is only a hint, not proof: what matters is whether the code carries key material or a key fingerprint that the devices compare.
Is the crucial part of the encryption implementation available as open source? This is the ultimate check to see whether E2EE is implemented correctly. For most people this is quite hard to verify, but there may be blogs that have already taken a closer look. Published source only helps, of course, if the app you actually run was built from it.
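To make the QR-code indicator concrete, here is an added example (written for this page, not taken from any messenger's source) of what such a scan usually compares: a fingerprint derived from both parties' long-term identity keys. Each device computes the value locally from the keys it believes belong to the two parties and shows it as a QR code; the other side scans it and compares. Ed25519 keys stand in for the identity keys, the user IDs and the 40-digit rendering are assumptions in the style of messenger safety numbers rather than any specific app's format, and MatchAfterScan is a hypothetical helper that plays out the scan with the keys each side was handed by the server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
)

// Identity is one user's long-term public key as the app would hold it.
type Identity struct {
	ID  string // user identifier, e.g. phone number or account name (assumed)
	Pub []byte // long-term identity public key
}

// NewIdentity generates a fresh Ed25519 key pair and keeps only the public half.
func NewIdentity(id string) Identity {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Identity{ID: id, Pub: []byte(pub)}
}

// encode gives an unambiguous byte string for one identity: ID, NUL separator, key.
func encode(i Identity) []byte {
	return append(append([]byte(i.ID), 0), i.Pub...)
}

// SafetyNumber is the value both devices display and encode in their QR codes.
// It is order-independent, so Alice and Bob derive the same string locally as
// long as they hold each other's genuine keys. The 8x5-digit rendering is an
// assumption for this example, not a specific messenger's exact format.
func SafetyNumber(a, b Identity) string {
	ea, eb := encode(a), encode(b)
	if bytes.Compare(ea, eb) > 0 {
		ea, eb = eb, ea
	}
	sum := sha256.Sum256(append(append([]byte("safety-number-v1"), ea...), eb...))
	groups := make([]string, 0, 8)
	for i := 0; i < 32; i += 4 {
		groups = append(groups, fmt.Sprintf("%05d", binary.BigEndian.Uint32(sum[i:i+4])%100000))
	}
	return strings.Join(groups, " ")
}

// VerifyScan compares the number decoded from the other device's QR code with
// the locally computed one in constant time.
func VerifyScan(scanned, local string) bool {
	return subtle.ConstantTimeCompare([]byte(scanned), []byte(local)) == 1
}

// MatchAfterScan plays out the scan: Alice computes her number from her own key
// and the key the server gave her for Bob, Bob does the same the other way round,
// and each scans the other's QR code. A key substituted by the server shows up
// as a mismatch on both screens.
func MatchAfterScan(alice, bobAsSeenByAlice, bob, aliceAsSeenByBob Identity) bool {
	onAlicesScreen := SafetyNumber(alice, bobAsSeenByAlice)
	onBobsScreen := SafetyNumber(bob, aliceAsSeenByBob)
	return VerifyScan(onBobsScreen, onAlicesScreen) && VerifyScan(onAlicesScreen, onBobsScreen)
}

func main() {
	alice, bob := NewIdentity("alice"), NewIdentity("bob") // constructed identities
	forgedBob := NewIdentity("bob")                         // server-substituted key claiming to be Bob's
	fmt.Println("alice sees:", SafetyNumber(alice, bob))
	fmt.Println("honest server, numbers match:", MatchAfterScan(alice, bob, bob, alice))
	fmt.Println("substituted key, numbers match:", MatchAfterScan(alice, forgedBob, bob, alice))
}
```

The security argument is that the server distributes the identity keys, so a server that wants to read traffic can hand each party its own key instead of the peer's. A comparison channel the server does not control (a scanned QR code, or reading the digits out loud) is what catches that, and the check is only as good as the keys the fingerprint is computed over; a code that merely logs a browser session in proves nothing about E2EE.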
We took a closer look at some services: