EE Turunen

End-To-End Encryption Is Not Enough

Many applications tend to advertise that their communications are end-to-end encrypted. For example, WhatsApp boasts on their website that “Privacy and security is in our DNA, which is why we have end-to-end encryption. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, status updates and calls are secured from falling into the wrong hands.”

While it is true that your messages cannot be read by man-in-the-middle attackers or by the parties who deliver them (ISPs, for instance), it is factually incorrect to state that the messages are secured from falling into the wrong hands. Sure, WhatsApp’s encryption ensures that the messages cannot be read by anyone while in transit from the sender’s phone to the recipient’s, but it does not protect the content once it reaches the recipient’s phone.

If the endpoint (e.g. your phone or your contact’s phone or computer) is compromised, end-to-end encryption does nothing to protect your communications. Anyone who might have backdoor access to your device can read everything on it, including your WhatsApp messages.

It is, of course, great that many services have implemented end-to-end encryption, and it protects a lot of people in authoritarian countries where governments mostly monitor Internet traffic at the ISP level. But you shouldn’t consider end-to-end encryption to be enough to protect your communications. It is highly important to also secure the endpoint: make sure that the software on your device is updated regularly, and use common sense when installing applications or opening attachments.

There are many undisclosed and unaddressed vulnerabilities in modern operating systems that malware uses to gain access to a device. If access is gained, end-to-end encryption does not stand in the way of the attacker.