Meta has added end-to-end encryption (E2EE) to Messenger. The tech giant is relatively late compared to competitors. Even so, research shows that E2EE leaves much to be desired in many messaging apps.
According to Meta, it took a while for Messenger to have E2EE because it had to overcome a number of hurdles before implementing total encryption of messaging traffic. In general, the entire messaging and calling code had to be rewritten.
Causes of delay
The main cause was that the original software did not encrypt messaging traffic on Facebook’s servers, creating a major “loophole.” So this had to be rewritten. In addition, Messenger runs on multiple desktop and mobile browser platforms. The underlying code for these was also not suited to E2EE and had to be rewritten.
Another cause of the delay was that user-desired functionality was causing problems. This included group conversations, sharing (multimedia content), out-of-app links and calling. These features also all had to be completely encrypted.
The encryption work on Messenger also had to be done at scale and without affecting users.
All this work led to E2EE only being available now. The functionality is now being tested and should be fully implemented by the end of this year.
E2EE still a problem for many apps
Digital Forensic Research Lab’s survey of 15 major messaging apps shows that Meta is not alone in the problems surrounding the implementation of the two main encryption protocols, E2EE and TLS.
Among other things, it appears that not all messaging apps that promise E2EE can fully deliver it. For example, Apple’s iMessage has full encryption between Apple devices, but not between an Apple and an Android device.
Also, many large companies give many third parties access to conversation logs and in some cases outsource the entire message processing to a third party. This allows non-encrypted messaging traffic, including server logs, to be shared without end users being aware.
Furthermore, messaging apps sometimes go very far in blocking certain accepted content, often at the request of authorities. So for messaging apps, there is still a lot of work to be done in the area of E2EE.