The point of E2E is only to make sure that Alice is talking to Bob and nobody else can pretend to be either of them or eavesdrop. There is no reason whatsoever to include where else the message may be sent, encrypted or not.
Consider E2E protected email service. You send me the final designs over this encrypted channel. Then I put the designs onto a USB drive and give them to my printer to print. Then I hang them as billboards all over town. This is a valid use case for E2E. Yet the contents of the message ends up visible from the freeway.
You are confusing Snapchat mechanics for encryption.
>You are confusing Snapchat mechanics for encryption.
I think we're talking about this from two different perspectives. You're considering a user in someone's conversation with a modified, archiving client. Yes, you obviously can't prevent that from a technical side, and it doesn't break Signal's E2E. It would be even simpler to do this with the unmodified Android Signal client, which essentially allows message exports.
I was assuming (possibly incorrectly) that TM's client was being used as an overall messaging system by the government groups involved here, which is how TM seems to advertise it: not a single user running their client, but every (or every internal) user communicating with each other using their client. In that case each user's client would be sending each message to some recipients by Signal Protocol and other recipients by, if other comments and some parts of TM's advertising are correct, SMTP. Yes, some sender-recipient pairs are E2E in that case, but that seems a bit besides the point, as there are others that aren't, and those could be vulnerable to eavesdropping and modification.
I do realize that what I wrote in the initial comment could easily be read as something other than what I meant (it isn't E2E for the messages through Signal that is broken, but separate likely non-E2E messages); I suppose I should have expected here that doing so would result in replies focusing on that interpretation.
Yeah I mean clients that auto-delete messages are a very useful tool in communicating between people. It’s that they aren’t really meant for anything actually sensitive because (regardless of if they have E2E or not) they can’t guarantee that someone isn’t archiving or exporting the messages. It is the wrong mechanic for anything sensitive.
If you want to make sure nothing is ever archived, there is no software-only solution. If you control the hardware, in theory you can mandate that everything from the OS level-up is a reproducible build and you know for a fact that the messaging client does not allow any export feature. But also, you still have the problem of someone taking a picture of the screen. The real way to do this would be to control the software, hardware, and environment, aka a SCIF. If you want me to see classified war plans, confiscate all my electronics then show me what I need to see in a controlled environment where I can’t make copies. Messaging apps just simply can’t do any of that.
Precisely. The security of a message endpoint ends at the point that the opposite party's leverage runs out.
If I care more about my snapchat account than I do about saving your disappearing message minus your ability to leverage snapchat into banning my account or apply outside social pressure, then your disappearing message may actually disappear. As the stakes go up, so does the leverage required for “endpoint security” to be a meaningful security boundary.
Is there a term for any application which offers full control of your messages then, ie, I send you messages on Signal, but I can make them self destruct and you cannot screenshot them? (Pretty sure Signal allows this?). Nothing stopping a user from taking photos of the screen using another device, of course. Or running their own fork of Signal (which, when run from the open source for Android at least, runs on production).
Taking photos of your phone screen is the main loophole and is completely undetectable. Exactly what happened to Waltz and what caused TFA.
If you really need to, you can combine this with a rig that holds the phone and the camera just right, controls the lighting, and interacts with the phone via a hotdog mounted on a gantry. Come to think of it, any 3D printer can be adapted to archive Signal/Snapchat/etc. messages in a completely undetectable way. Could even reply if you rig up another phone to talk to your hot dog finger + camera robot.
Dunno. Like I said, there's no way to do this effectively without some form of leverage over the counter-party. This sort of thing is why SCIF's exist, and is an example of the more extreme ends of leverage, but it still ultimately comes down to leverage: they can make you delete the message and will throw you in jail if you figure out a way to evade it.
Consider E2E protected email service. You send me the final designs over this encrypted channel. Then I put the designs onto a USB drive and give them to my printer to print. Then I hang them as billboards all over town. This is a valid use case for E2E. Yet the contents of the message ends up visible from the freeway.
You are confusing Snapchat mechanics for encryption.