groxx (915, 37d): If the middle layers can expose your info (ignoring metadata), it's not end-to-end encrypted.
korrat (541, 37d): TLS is not end-to-end encryption.
And end-to-end encryption is a security measure, not a safety one.
fuckwit (1241, 37d): By definition, end-to-end encryption means that only the sender and receiver know how to decrypt the message. A MITM can just grab the encrypted message but can't do anything with it.
shoop (9191, 37d): If you can read the message even though you aren't the receiver, it's a flawed end-to-end encryption. Also, TLS is not supposed to be end-to-end.
linuxxx (152994, 37d): Pretty much what the rest said. With end-to-end encryption, nobody can see the content without the private key(s) of the recipient and/or the sender, whether TLS is used or not.
Mr-Myrk (637, 37d): ITT: People who don't know how MITM attacks work.
Before browsers verified certs, it was possible to do this very simply by ARP poisoning, i.e. the browser thinks it is making an HTTPS connection to a server, while actually it is making it with the attacker; the attacker then decrypts your message and negotiates an HTTPS connection with the server. The browser thinks it is securely connected to the server, but in actuality there's a machine in the middle decrypting and re-encrypting each message, reading the contents.
korrat (541, 36d): @Mr-Myrk you're right, it is possible to circumvent TLS with a MITM attack (as long as nobody verifies certs). And if you do that, you can read the data exchanged between the participants. But that does not mean that end-to-end encryption is broken. If I encrypt my stuff on the application layer, an attacker who broke TLS would not be able to read anything in the stream, since the data is still encrypted by the application.
Additionally, end-to-end encryption means that data is stored encrypted, while TLS only encrypts data in transit. For the above example of mail servers, end-to-end encryption means encrypting all mails using PGP, for example.
Of course, MITM attacks are still possible on end-to-end encryption. But it's harder than ARP poisoning.
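
Both Mr-Myrk and korrat tie the TLS interception scenario to clients that do not verify certificates. The following is an added example, not code posted by anyone in the thread: a check, using Python's standard `ssl` module, that reports whether a client TLS context would accept an interceptor's certificate. The function names and finding texts are assumptions made for this illustration.

```python
import ssl

def interception_findings(ctx: ssl.SSLContext) -> list:
    """List the reasons this client context would accept a relay's certificate."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # No chain validation: a self-signed certificate from the relay passes.
        findings.append("chain not verified: any certificate is accepted")
    if not ctx.check_hostname:
        # Chain may be valid, but for a different name than the one requested.
        findings.append("hostname not checked: a certificate for another name is accepted")
    return findings

def sample_contexts() -> dict:
    """Constructed client contexts: the default one and two weakened ones."""
    verified = ssl.create_default_context()

    no_hostname = ssl.create_default_context()
    no_hostname.check_hostname = False

    unverified = ssl.create_default_context()
    unverified.check_hostname = False      # must be cleared before CERT_NONE
    unverified.verify_mode = ssl.CERT_NONE

    return {"verified": verified, "no_hostname": no_hostname, "unverified": unverified}

def library_blocks_silent_downgrade() -> bool:
    """The ssl module refuses CERT_NONE while hostname checking is still on."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        result = interception_findings(ctx)
        print(name, "->", result if result else "rejects an unverifiable peer")
    print("silent downgrade blocked:", library_blocks_silent_downgrade())
```

A context with no findings still only protects each TLS hop; a server that terminates the connection sees the plaintext unless the application encrypts it as well, which is the distinction korrat draws.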