Usually the term is used outside the context of programming. Although often what we do in a typically web application is technically similar to encryption end-to-end, by the definition of the term is something different. The term is used to indicate the security of data traffic between two private agents without interference from any third party.
This end-to-end means that communication takes place between two endpoints. This is used in emails and instant messages, things that usually don’t go through a server or happen, only transiently.
The term is not used when a client communicates with a server. Although technically it is possible to use PHP to make a communication end-to-end, he not usually used for this.
Let’s say you create applications that do encrypted communication end-to-end going through your PHP server. If communication really is end-to-end, your PHP application doesn’t even need to know the content, it only handles generic data. She doesn’t know if it’s encrypted or not, she doesn’t know what’s in there. If she needs it and can tell, then you no longer have a communication end-to-end.
And this "can know" can be directly or indirectly. Even if the communication is all encrypted, if there’s some way around it, we’re already seeing a glitch and I don’t think the term could be used. Especially the exchange of keys for encryption can become problematic. And I don’t see how to solve this through browsers.
To head start of it is precisely not to let intermediaries interfere in the content. A downside is that the two ends need to ensure secure communication by their own means and this is not simple to do mainly because users - in general they are laypeople - need to take actions that they do not understand and may be mistaken.
Any security is inviolable until someone breaks in. As the term is only a concept and not a specific technology it can be more or less inviolable according to what and how it is being used.
Let’s assume you have a Javascript application on your phone and a PHP application on your home computer. Both are not compromised and have effective means of encrypting the data they traffic between themselves without intermediaries, eventually even via HTTPS. I think we can say that PHP was used for communication end-to-end. Technically I think it’s E2E. But doing this isn’t typical, and it’s not even simple. And it doesn’t even make much sense, it has better ways and technologies to get the same or better result.
Some technologies used to ensure secure communication end-to-end:
They are all specific ways to use "traditional" encryption. They work on application layer. The user is responsible for making them work. They use an application from one vendor, an encryption utility from another, a transport from another, an intermediary server, when there is another, a certificate from another and the service of putting all this together another and that should preferably be the user himself. They should all be trusted. Ideally they should be publicly audited. A service like Telegram seems to solve large parts of the difficulties but has a problem, they provide everything that is needed. You have to trust them. You can’t have any back-door. And many companies do, not to have legal problems.
All encryption is done between the final parts and even if the encrypted data goes through intermediaries, until proven otherwise, they cannot have access to the flat data nor for a minimum moment to not hurt the concept.
I doubt it is possible with current technology that standard web pages can do the whole process on their own without intermediaries at least for key exchange.
It is possible to make applications for E2E communication using other protocols or even web protocols but differently from browsers.
It would probably still need a server to put the two tips in touch, which is already a breach of privacy because someone will know who is contacting whom. Ever thought about it? Privacy and total E2E inviolability is very hard to get even in real life.
If the applications at the tips provide all the means to do the rest of the communication, exchange keys that can be authenticated (needs a private certificate) without being able to be used to decipher the data trafficked by those who are not the tip, is E2E.
Make a chat and ensuring things that you cannot or do not know effectively guarantee can bring legal problems depending on how it is sold to the end user. How to ensure inviolability by being an intermediary? It is possible but not simple to implement, especially using fragile technologies like scripts PHP and browsers. It will certainly not be reliable if stored on the message and key server in databases or other ways.
I’m not an expert on the subject but in general it’s this.
Trying to bring together all the pieces of the subject:
Interestingly, I thought it was an algorithm or something of the kind, Telegram for example uses end-to-end to save your data, I have some questions, I think you can clarify me, "This is used in emails and instant messages, things that usually don’t go through a server or happen, albeit transiently." How so do not go through the server? The data does not have to be saved in a database for example? I got lost there..
– Elaine
Well, I developed a project and from the beginning I found the idea of leaving the data of the database "raw" without any kind of protection absurd, since then I encrypt my saved data and decrypt them at the time of displaying to the final user, an example of this was a chat I developed, all chat data was recorded in the database and all were encrypted and at the time of listing I decrypted.. The question is, can this be considered end-to-end encryption? Or does the fact that the data passes through my server change..?
– Elaine
Instant messaging doesn’t usually go through. In the case of email passes but if the encryption was made between clients only (usually by PGP), the server does not participate in the encryption process, although it is an intermediary agent of the transport it is not agent of the application. For the server they are only indecipherable data. Only the clients will know what to do with this data. Which is different from data traffic between a browser and a PHP server under normal conditions. Then the server participates, who has access to the server, can intercept the data at a given time.
– Maniero
This example of chat is not end-to-end, your server is participating and may interfere with the process. You, owner of chat is not in a end neither the other end. Only people talking are. You’re an intermediary and you can tell what’s going on in the conversation. And even other people could if they could access your server. Encrypting the data in DB does not guarantee much. Is the transport encrypted? Are you using HTTPS, for example? When it arrives at the server this is decrypted and until you encrypt to put in the database, it is unprotected.
– Maniero
Really I’m very confused at the moment, I thought I was doing it in a correct way, My God did I miss my project? Anyway... But the data should not be saved? Like, how do they display the already exchanged conversation then?
– Elaine
What I think can be considered end-to-end if the encryption happens in the browser and traffic so independent of the protocol and you take this data already encrypted and that you can not do anything with this data this way other than write and send to another place, can not read or change it. There only those who can be considered the owner of this data (one way or another) could receive and decrypt the data.
– Maniero
Now it became clearer to me, ie I (server) just use the data to send to another person, this was clear, but how would be made this encryption in the browser, HTTPS?
– Elaine
What I can tell you is that almost no one understands security, even experienced developers. I even know some security experts, who are far from my case, who make several mistakes on the subject. If you want to ensure security hire an expert. Security is an extremely tricky topic. Somehow a chat need to be saved. This is a very naive way to do this. Unless you want to save the conversation history, you have exactly zero reasons to save the data. Depending on the case the server does not even need to exist p/the chat itself.
– Maniero
Thank you so much I will study and do research, Thank you!!
– Elaine
It can’t be HTTPS, it has to use its own means, with its own keys that users have and that to do it right they must have personal certificates, something that almost nobody has, and they don’t even imagine how to make it work. It’s complicated for lay users and only they can do this on their computers (of course they can ask a technician, but you as a server can’t help at all). This more or less I spoke on the answer. the subject is too extensive to fit into a question. To understand everything would have to ask very specific questions.
– Maniero
Understand that end-to-end cannot be influenced by intermediaries. You as a server in this example you are using cannot help users to have security/privacy end-to-end. Only they can do something. The most you can do is put a script that makes their lives a little easier and instructions on what to do but the rest have to be with them. If you meddle technically speaking it is no longer end-to-end. And even this script can already compromise, because they would have to trust him, trust that you did not fail him, on purpose or unintentionally.
– Maniero
"since then I encrypt my saved data and decrypt them when displaying to the end user" And where do you keep the key? Have you considered that if an attacker has access to your server, he will see not only the encrypted messages but the key as well? The only exception is if this key is outside the BD, in a settings file for example - SQL Injection is a very common attack, well more than a complete access to your file system. That is, it helps a little bit, yes, but it’s not nearly as safe as simply storing raw data. Sometimes the simplest is better.
– mgibsonbr
I have been searching and I did not succeed, there is some way to send information from user 1 to user 2 without needing a server (I do not see how because the server directs the data but ok), so to achieve the end-to-end...?
– Elaine
This is already another question but for standard web? Not that I know of. Web is not solution to all problems.
– Maniero