> if the server operator was malicious, they could just push different client-side JavaScript
replySame as with OS updates, browser updates, dependencies used by the OS, dependencies used by the browser. Also you can run malicious software such as keyloggers and you're compromised.
That argument doesn't mean E2E (even web based) is snake oil. Browsers just give you more points of failure.
The difference is: in web based cryptography, you get the cipher text and the code to decrypt it from the same source. Hijacking OS updates is arguably much harder than hijacking one particular web server, and there is pretty much no effective defense against malicious OS updates.
replyI know the difference. It doesn't make E2E useless.
replyAgree, but a significant point missed in the article is that of data vulnerability. with E2EE the company db is useless to an external attacker.
replyFor some companies (eg facebook, google, tiktok) i would be mostly worried about the company itself being untrustworthy. For others I would be mostly worried about the company being vulnerable.
> with E2EE the company db is useless to an external attacker.
replyDepends on who is defined as the other end, it may be that the company db is the other end.
deleted
replyIt's a native app what are you talking about
reply> It is worth noting that this law also applies to non-web applications where the service provider supposedly being secured against is also the client software distributor; thus, the “end-to-end encryption” offered by Whatsapp and Signal, amongst other proprietary services, is equally bogus. (Both Whatsapp and Signal ban use of third party clients, and enforce this policy.)
replythe specificity of between web apps that is highlighted by the article is that you receive a bundled code of software every time you open or use the app, as opposed to say, the operating system or desktop apps, which are less frequently updated. (Native) mobile apps are like web apps in that they release updates almost every day.
reply