End-to-end encryption: Secure messengers and messaging
April 26, 2021 / Alex LintonPrivacy, Private messaging, Security
End-to-end encryption (E2EE) is offered in most modern messaging apps. Everything from dedicated encrypted messaging apps like Session all the way to basic things like Facebook Messenger offer some kind of encrypted messaging functionality. There is a whole lot of hoo-ha about end-to-end encryption, but what is it exactly, and why does every messenger and its
dog integrated cryptocurrency wallet seem to have it these days?
End-to-end encryption is the most private and secure way to communicate online, making it essential for any serious messenger. When you use end-to-end encryption, only you and the person you are talking to can see the contents of your messages — nobody else. Without physical access to your device, your conversations can’t be seen by hackers, governments, or even the company who makes the app you’re using. This is important for lots of different people, for lots of different reasons.
How does encryption work?
Before we get to talking about end-to-end encryption, we should explain how encryption itself works. Encryption is a really important part of security. Nowadays, encryption is everywhere — even in places you don’t realise.
But really, people have always used basic forms of encryption to keep secrets. Cryptography has been traced all the way back to the Spartans, who used leather straps and differently sized rods to send messages to each other — the letters on the strap could only be read if you wrapped it around a wooden rod of the correct size.
Next, the Romans developed ciphers, where different letters (or eventually combinations of letters) would be completely substituted so that the written message looked like complete nonsense. You could only decode the message if you knew the system that was used to encode it. This is the basis for encryption, and is the same fundamental idea we use now — although things have gotten a lot more complicated.
In the 1970s, modern encryption really started to get going, as IBM and other computer scientists developed computer-based encryption. Around the same time, the Diffie-Hellman key exchange was developed. Computer-based encryption allowed really complex, difficult-to-crack, and mathematically rigorous forms of encryption to become commonplace.
Now, when you encrypt something using computer-based encryption, you are encoding your message (or any piece of information) so that it becomes completely unreadable to anyone who doesn’t have the information required to decrypt it.
How end-to-end encryption works
E2EE uses encryption to protect your messages all the way from their origin (you) to their destination (the person you’re talking to).
Most explanations of E2EE feature two classic characters — Alice and Bob. The scenario is this: Bob wants to send Alice a message.
In the real world, Bob can just talk to Alice, there is nobody needed to facilitate the conversation.
But online, things aren’t that simple. The majority of the time, you need some kind of service in the middle to connect Bob and Alice.
At the bare minimum, most services use transport encryption. This means that anyone who intercepts the message while its being delivered won’t be able to read it. But there’s a problem, the service provider — whoever that may be (Facebook, Google, etc.) — can easily read the contents of Bob’s message.
This is because the server provider holds the decryption key required to read Bob’s message. The solution seems simple enough — if the provider just doesn’t have those keys, only Bob can read the message.
But how do you know that the provider isn’t sneakily holding onto that key? Well, using public and private key pairs. Alice can create two keys — a private key that they keep to themselves, and a public key that they can share with anyone.
Anyone with Alice’s public key can encrypt a message for Alice, but only Alice has access to the private key — so you know only she can decrypt the message.
But there’s still a problem — you have to trust the service provider to give you Alice’s real public key. Instead, they might choose to give you a public key they have the matching private key for, which could compromise your messages. This is an issue called Trust on First Use, and the solutions are a bit more complicated than just encryption.
But now, your messages are end-to-end encrypted. This protects you from hacks and keeps your messages private.
What apps use end-to-end encryption
Lots of messaging apps have started using end-to-end encryption implementations over the last few years. Popular apps like WhatsApp, Signal, Session, and Wire use end-to-end encryption by default.
Supporting end-to-end encryption by default is super important. because otherwise some people using the app might not enable the feature, leaving them and the people they talk to vulnerable.
Some apps, such as Telegram and Facebook Messenger, do support E2EE — but not by default. In the end, this results in the vast majority of people using the app without end-to-end encrypted messages.
In the end, E2EE is just one (very important) piece of the puzzle when building a private and secure messenger. You also have to consider things like decentralisation and what information is required to register for the messaging service.
Protecting a Free and Secure Internet: World Press Freedom Day
May 03, 2023 / Alex Linton
Session Beta: Your all access pass.
April 19, 2023 / Wesley Sukh
Encrypted messaging apps urge for changes to the UK Online Safety Bill
April 17, 2023 / Alex Linton
Why Session is the Perfect Replacement for Wickr
January 24, 2023 / Alex Linton
Session Release Roundup #16: Trio of Changes
October 18, 2022 / Kee Jefferys
Update: Important Changes to Session
October 05, 2022 / Alex Linton