Talk:End-to-end encryption

This article has not yet been rated on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Computer security: Computing Start‑class Mid‑importance This article is within the scope of WikiProject Computer security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer securityWikipedia:WikiProject Computer securityTemplate:WikiProject Computer securityComputer security Start This article has been rated as Start-class on Wikipedia's content assessment scale. Mid This article has been rated as Mid-importance on the project's importance scale. This article is supported by WikiProject Computing (assessed as Mid-importance). Things you can help WikiProject Computer security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here. Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Telecommunications Start‑class High‑importance This article is within the scope of WikiProject Telecommunications, a collaborative effort to improve the coverage of Telecommunications on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.TelecommunicationsWikipedia:WikiProject TelecommunicationsTemplate:WikiProject TelecommunicationsTelecommunications Start This article has been rated as Start-class on Wikipedia's content assessment scale. High This article has been rated as High-importance on the project's importance scale. Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Espionage Start‑class End-to-end encryption is within the scope of WikiProject Espionage, which aims to improve Wikipedia's coverage of espionage, intelligence, and related topics. If you would like to participate, visit the project page, or contribute to the discussion.EspionageWikipedia:WikiProject EspionageTemplate:WikiProject EspionageEspionage Start This article has been rated as Start-class on Wikipedia's content assessment scale. ??? This article has not yet received a rating on the project's importance scale.

This article is literally mostly about Tetra. Is Tetra notable enough to get its own article so that this one can focus on its title and just reference Tetra as an example? Chris Arnesen 14:26, 25 March 2014 (UTC)[reply]

I removed the "Example: Tetra" section because it gave undue weight to one particular example, and it was written like a personal essay. --Dodi 8238 (talk) 13:28, 17 November 2015 (UTC)[reply]

When non-certified/uncertified (is there a difference?) E2EE is used, there is potential for Man-in-the-middle attacks, especially between parties that have not previously exchanged public keys in a more secure manner. Because the article presently does not describe this potential, a reader might wrongly conclude that E2EE is by itself a complete solution to privacy and security, which would be a very dangerous misconception. The article should at least briefly describe the MITM problem, as well as means for mitigation (e.g. web of trust). While I'm very familiar with the problem, I don't have the expertise to adequately describe the possible means of mitigation, and in particular can't explain how (or even whether) those methods are used by the cited examples of E2EE protocols, software and services (e.g., ZRTP, TETRA). --Brouhaha (talk) 18:49, 14 March 2015 (UTC)[reply]

I removed a mention according to which Lavabit and Hushmail were not E2EE, which was not supported by the source (I put it back again later). I think to have read somewhere that Lavabit was E2EE before it closed, i.e. knowledge of the server's private key would not allow one to decrypt stored emails; the possible attack medium was by impersonating the server in the key exchange between the sender and the recipient of email, so that one could recover the client's key and read subsequent emails (and possibly the previous ones as well). Said otherwise, the server could be made insecure by changing the protocol, but the mail itself was secure until then.

However, by hunting around the web, I did not find it again. Does someone have a good source for that? The Wired one is the typical example of a layman journalist writing on a technical subject...

Tigraan^{Click here to contact me} 15:14, 19 May 2016 (UTC)[reply]

I note that the key exchange section is pretty odd.

pre-shared secret (PGP)

Pre-shared secrets / keys are typically used in symmetric systems and PGP (which can use symmetric keys) is best known as an asymmetric system where each party only needs the other party's public key, not a shared secret.

or a one-time secret derived from such a pre-shared secret (DUKPT)

The parenthetical link appears to be a method, not an example system like the others

They can also negotiate a secret key on the spot using Diffie-Hellman key exchange (OTR)

This seems fine

But perhaps a better way to look at this would be the Unger et al paper, SoK: Secure Messaging, section IV, Trust Establishment, which helpfully differentiates between authenticated and unauthenticated key exchange (which this current section fails to do).