remram 19 hours ago

> end-to-end messages

As opposed to what? I think they accidentally a word.

  • mojomark 12 hours ago

    The actual article title uses the phrase "end-to-end encryption". The HN OP just missed the word.

    I'm still honestly looking for an answer to my question below. The only thing this seems to do (to me) is add another minor step for a hacker to read your email. Adding another authentication factor seems much more secure than this half-baked E2EE approach.

    • remram 10 hours ago

      It didn't before, arstechnica fixed it.

mojomark 19 hours ago

I don't get it.

Isn't the goal to prevent someone from hacking into your email account and reading your email? If someone already hacked into Alice's email account, and pretends to be her to access the decryption key (which they can do because they can prove they have control of the account - which is all key access requires), then they can decrypt the message.

Seems pretty pointless, unless I'm missing a key point (perfectly possible).

  • LinuxBender 11 hours ago

    > Seems pretty pointless, unless I'm missing a key point (perfectly possible)

    No, you got it. Any case where the keys used for E2EE are not created and managed out of band by the client is not really E2EE. If a server can update the code used to manage the keys, i.e. JavaScript, it can also swap out keys, obtain keys, etc... Everything a lawful order to intercept would require.