Information Security
encryption
Updated Fri, 12 Aug 2022 11:01:06 GMT

What's the difference between end-to-end and regular TLS encryption?


I've been told that WhatsApp implemented "end-to-end" encryption. In the grand scheme of things, what does this actually mean versus, say, another service which does use HTTPS, such as this website (StackExchange) or some other non-end-to-end encrypted site? Is there some point where even HTTPS/TLS will expose data that doesn't occur in an end-to-end encrypted app like WhatsApp?




Solution

End-to-end is where the message is encrypted by the sender and decrypted by the receiver. Nobody in the middle, neither the chat provider nor any other entity, has the ability to decrypt it.

Compare this to a simple chat over HTTPS. Each message is encrypted in transit, just based on the fact that TLS is used. Now, while the intended recipient is another user, the TLS connection is initiated with a server (think Facebook). TLS terminates at the server, and whoever controls the server has the ability to view the messages since they are not encrypted end-to-end. Then, the message may be passed on encrypted over TLS again to the recipient.

The key difference is that the provider is able to view the messages in this case.
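As an added illustration of the two models described in the answer above (this is not code from the original post, and it uses a toy cipher constructed for the demo rather than real TLS or WhatsApp's protocol), the following Python simulates a chat relay in both configurations: with plain HTTPS the server terminates TLS and handles the message in the clear; with end-to-end encryption it only ever handles ciphertext it cannot open with the keys it holds.

```python
import hashlib
import hmac
import secrets

# Toy authenticated stream cipher (SHAKE-256 keystream XOR + HMAC-SHA256 tag).
# It stands in for both TLS record protection and the E2E layer; illustration only.
def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    keystream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered message")
    keystream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(c ^ k for c, k in zip(ct, keystream))

# Constructed keys: one TLS session per hop, plus an E2E key the server never learns.
TLS_ALICE_SERVER = secrets.token_bytes(32)
TLS_SERVER_BOB = secrets.token_bytes(32)
E2E_ALICE_BOB = secrets.token_bytes(32)

def relay(blob: bytes) -> tuple[bytes, bytes]:
    """Chat server: TLS terminates here, so it decrypts hop 1 and re-encrypts for hop 2."""
    payload = decrypt(TLS_ALICE_SERVER, blob)
    return payload, encrypt(TLS_SERVER_BOB, payload)

def https_only_chat(msg: bytes) -> tuple[bytes, bytes]:
    """Plain chat over HTTPS: returns (what Bob reads, what the server handled)."""
    seen, forwarded = relay(encrypt(TLS_ALICE_SERVER, msg))
    return decrypt(TLS_SERVER_BOB, forwarded), seen

def end_to_end_chat(msg: bytes) -> tuple[bytes, bytes]:
    """E2E chat: Alice encrypts for Bob first; TLS only carries that ciphertext."""
    inner = encrypt(E2E_ALICE_BOB, msg)
    seen, forwarded = relay(encrypt(TLS_ALICE_SERVER, inner))
    return decrypt(E2E_ALICE_BOB, decrypt(TLS_SERVER_BOB, forwarded)), seen

def server_can_decrypt(seen: bytes) -> bool:
    """Can the server open what it handled using the only keys it holds (the TLS ones)?"""
    for key in (TLS_ALICE_SERVER, TLS_SERVER_BOB):
        try:
            decrypt(key, seen)
            return True
        except ValueError:
            pass
    return False
```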





Comments (5)

  • +3 – And what if in some theoretical situation, the receiver is just the server and no further point? Then would it be end-to-end? Because the client is one end and the server the other one. — Apr 12, 2017 at 23:48  
  • +0 – Yes, by definition that would be end to end, since the encryption is terminating... at the end. — Apr 12, 2017 at 23:55  
  • +0 – Wow. Is there any trick to determining which services offer end-to-end versus what you just said where it's just HTTPS to them and then HTTPS out to the other person? I know with email, some services offer encryption of the email message itself and a key which is given to the recipient, so that would be end-to-end over HTTPS as well, right? — Apr 13, 2017 at 00:00  
  • +7 – There's not really a trick, unless the provider tells you so. Even then, you just have to trust them, unless the service is completely open source or if you are using your own keys. I'd say the only verifiable end-to-end email encryption would be S/MIME. — Apr 13, 2017 at 00:02  
  • +1 – @korockinout13 Gotcha. The other option would be a manual encryption (using a proper algorithm ofc) where you literally message the encrypted message in the text, so that even if the organization didn't wrap it at their place, they would only see encrypted message... If I'm not mistaken! — Apr 13, 2017 at 00:12