> I don't understand why you and others in this thread describe it this way. "end to end" in this description sounds a lot like "transport security" -- like what you get from TLS (https, e.g.). How is this version of "end to end" (where are the ends?) any better than TLS?
TLS is client-server oriented. When a messaging system uses "transport security", like Facebook Messenger, that normally means that your client's connection to Facebook's server is encrypted, but Facebook's server still has access to your message plaintext. Whereas an "end to end" encrypted system would encrypt messages on your client that are only encrypted by the person you're talking to's client.
(I'm similarly skeptical about how much difference this makes in practice - I don't know what the threat model is where you trust a closed-source app and closed source google play services but don't trust the same company's servers. But it is a real distinction in behaviour)
You may have misunderstood my reply to mean that I don't understand what's different between TLS and end to end encryption.
In fact I don't understand the difference between TLS and -- let's call it E2E' (that which might be "end to end encryption"). If E2E' permits the message broker to intercept messages, does it satisfy the conventional definition of "end to end encryption"? No, certainly not. Is it any better than TLS? No, not in my opinion.
Here's what I quoted, which I believe to be E2E':
> What e2e encryption does do is make messages nearly impossible to be intercepted in transit or on a massive scale by anyone without the cooperation of the company.
> If E2E' permits the message broker to intercept messages, does it satisfy the conventional definition of "end to end encryption"?
By "broker" do you mean the server or are you including e.g. the company's code running on your device? "End to end" conventionally means "device to device" since few if any strong cryptosystems can be implemented by humans without mechanical assistance.
Key exchange is traditionally assumed away as outside the scope of analysis; we assume as a starting point that the users have a preshared secret key. So in theory E2E is very different from TLS. But in practice key exchange is very relevant.
There is still a very real practical distinction though: WhatsApp/Signal/... do not allow the server to passively intercept messages. There are active attacks that the server can perform against they key exchange process, but these would be very likely to be detected if performed on a large scale (even by insiders at the company).
It's also worth noting that a TLS approach leaves a much bigger attack surface for bulk attacks from outside the company: any security hole in the company's servers gives a single point at which an attacker can capture plaintext messages on a large scale (as the NSA is known to have done to GMail).
Yes, that does safisfy the definition of end-to-end encryption. The broker - and anyone else - can intercept messages, which is fully accounted for. That does not compromise the confidentiality or authenticity of the secure channel. What is explicitly disallowed is the intercepting party getting access to the plaintext. That includes the broker.
TLS is client-server oriented. When a messaging system uses "transport security", like Facebook Messenger, that normally means that your client's connection to Facebook's server is encrypted, but Facebook's server still has access to your message plaintext. Whereas an "end to end" encrypted system would encrypt messages on your client that are only encrypted by the person you're talking to's client.
(I'm similarly skeptical about how much difference this makes in practice - I don't know what the threat model is where you trust a closed-source app and closed source google play services but don't trust the same company's servers. But it is a real distinction in behaviour)