Hacker News

chadgpt2 yesterday at 10:49 PM

Do people expect that Instagram can't read their Instagram private messages? I don't think people expect that. And E2EE is not nearly as cheap as the HN crowd likes to pretend—how do those devices get those keys if not through a central service? Especially if one of them is a web browser?


Replies

torben-friis yesterday at 11:54 PM

> Do people expect that Instagram can't read their Instagram private messages? I don't think people expect that.

A deeper question is why we reached a point where people can't reasonably expect their communication to not be spied on.

ryandrake yesterday at 11:01 PM

I would expect any message facilitated by a company's software, and going through that same company's servers to be compromised.

mrexcess yesterday at 11:03 PM

The answer to most every question you’re asking is just, “public key cryptography”. It’s kind of disheartening to me that such basic 1990s tech as implemented by Phil Zimmermann is now obscure enough to merit questions like this.

Both parties exchange public keys through the central service. Only the possessor of the respective (on device, Secure Enclave ideally) private keys can decrypt the messages encrypted to the public key. The process can also work in reverse, encrypting with the private key so only holders of the public key can decrypt: this is called “signing”.

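An added example, not code from the thread or from any product it names: devices publish public keys through a central directory, and each client checks the key it was handed against a fingerprint compared out of band before deriving the shared key. It uses key agreement (a toy finite-field Diffie-Hellman so it runs on the standard library) in place of encrypting directly to a public key; `Device`, `Directory`, `fingerprint` and `verified_lookup` are hypothetical names.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption), chosen only so this runs on the
# standard library; a real client would use X25519 or a comparable primitive.
P = 2**255 - 19
G = 2

class Device:
    """Generates a key pair; the private half never leaves the device."""
    def __init__(self):
        self._priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self._priv, P)

    def shared_key(self, peer_pub):
        # Each side combines its own private key with the peer's public key
        # and arrives at the same secret, which the directory never sees.
        secret = pow(peer_pub, self._priv, P)
        return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def fingerprint(pub):
    """Short digest of a public key that two users can compare out of band."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:16]

class Directory:
    """The central service: stores and hands out public keys only."""
    def __init__(self):
        self.keys = {}
    def publish(self, name, pub):
        self.keys[name] = pub
    def lookup(self, name):
        return self.keys[name]

def verified_lookup(directory, name, expected_fp):
    """Accept the directory's answer only if it matches the known fingerprint."""
    pub = directory.lookup(name)
    if fingerprint(pub) != expected_fp:
        raise ValueError(f"key for {name} does not match verified fingerprint")
    return pub

def demo():
    alice, bob = Device(), Device()
    directory = Directory()
    directory.publish("alice", alice.pub)
    directory.publish("bob", bob.pub)
    k_a = alice.shared_key(verified_lookup(directory, "bob", fingerprint(bob.pub)))
    k_b = bob.shared_key(verified_lookup(directory, "alice", fingerprint(alice.pub)))
    return k_a == k_b  # both devices hold the same key
```

The fingerprint check is what keeps the directory from being trusted blindly: a key that differs from the one the peer showed in person is rejected before any secret is derived from it.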
traderj0e today at 6:44 AM

Exactly. E2EE comes with UX consequences that you can't just bolt on later. There might be something to be outraged about, but this alone isn't it.

onemoresoop yesterday at 10:56 PM

Ok, so drop all pretense then and blatantly scavenge through private conversations? Then take whatever from there and maybe sell it to the highest bidder?