Where in that word vomit from Bleeping Computer are the keys stored? It says that decryption is handled by the browser, so unless you synchronize browsers the painful way, I assume Google has the key somewhere. I also wouldn't be surprised if the shit only works in Chrome.
Also, wasn't Zoom sued for bastardizing the concept of "end-to-end encryption" to mislead people?
They're either stored in your choice of third-party service or you can host it yourself if you really want.
I don't see if the private half of the key is shared with the web app to decrypt the cypher text, or if the cypher text is sent to the key service which responds with plain text.
> I also wouldn't be surprised if the shit only works in Chrome.
I don't see any evidence of this in the documentation. I can't think what API it would require beyond the widely adopted fetch API.
> Also, wasn't Zoom sued for bastardizing the concept of "end-to-end encryption" to mislead people?
I don't see any reason to think this is much different from any other end-to-end system. All the mobile end-to-end apps require you trust the code they run on your device. As described this requires you to trust the JavaScript they run on your browser.
> I don't see if the private half of the key is shared with the web app to decrypt the cypher text, or if the cypher text is sent to the key service which responds with plain text.
I checked out the ref for that encryption API. Seems like the service stores the key, and the API exposes encrypt/decrypt calls:
So yeah, go trust that third-party provider, or if you have the technical skill, set up your own. Since most people would do the former, this is basically back to square one, and to call this "end-to-end" is misleading.
The idea of storing your keys on an Internet-facing server baffles me too. It will 100% get hacked sooner or later.
> most people would do the former, this is basically back to square one, and to call this "end-to-end" is misleading.
I'm not sure I agree that this is misleading. Google, who is storing the data, never holds the key. Likewise, the key provider never holds the data. To compromise the data you'd need to compromise both Gmail and the key provider at the same time. The fact that organizations are delegating the key management is an implementation detail.
> The idea of storing your keys on an Internet-facing server baffles me too. It will 100% get hacked sooner or later.
I mean you can separate it out. You just need to implement the API on an internet-facing server.
> Also, wasn't Zoom sued for bastardizing the concept of "end-to-end encryption" to mislead people?
https://www.businessinsider.com/zoom-ftc-lawsuit-end-to-end-...