While it’s a good solution, it is entirely untrue. A message is either End to End Encrypted or it is not. If the message is decrypted at any point between the sender and the intended recipient, it is definitively not End to End Encrypted.
E2EE means it’s End-to-End Encrypted. If it’s decrypted at any point during transit then it’s by definition not E2EE and Beeper shouldn’t be making that claim.
If it’s decrypted in the middle, it’s not end to end encrypted. I guess you could invent a term like end to end to end encrypted for a trusted middle server, but Matrix bridges do drop the security E2EE provides. Now you’re back to “all of my messages can be stolen if a server gets hacked” again, which real E2EE should prevent.
If MLS and MIMI make it to chat messengers, we could see real E2EE across chat services. Until every service speaks the same protocol, we simply won’t have cross service E2EE.
The WhatsApp bridge has access to the messages it has sent over Matrix, at least in the standard bridge setup. Plus, a hacked server can leak the messages in real time (the most common WhatsApp bridge even logs the messages it forwards to the server log by default).
The Matrix (Beeper) server stores the messages even if the bridge doesn’t. Plus, the bridge has a valid authentication token for the app on your phone, so it can pull down your entire chat history straight from your device if it wants to.
Beeper’s security is done about as well as you can with a bridge setup, but there are certain risks that can’t be mitigated given the limitations of the bridging system.
Sticking two E2EE tunnels together with a plaintext middleman doesn’t result in a single E2EE tunnel.
The reason the distinction is important is because the security profile is vastly different—a compromised server leads to a compromised message—which isn’t true for actual E2EE services like a pure Matrix link.
Side note: the first thing you should ask of a “end-to-end encrypted” product to you is “which ‘ends’ do you mean?” I’ve seen TLS advertised as E2EE before.
Adding: TLS is actually a pretty apt analogy here.
You could make a chat server that just accepts plain text messages over a TLS link, and that’s basically the same security topology as with this Beeper bridge.
deleted by creator
While it’s a good solution, it is entirely untrue. A message is either End to End Encrypted or it is not. If the message is decrypted at any point between the sender and the intended recipient, it is definitively not End to End Encrypted.
deleted by creator
deleted by creator
You can’t change encryption in the middle without decrypting, however briefly.
It’s encrypted at the beginning and at the end, but NOT from beginning to end.
E2EE means it’s End-to-End Encrypted. If it’s decrypted at any point during transit then it’s by definition not E2EE and Beeper shouldn’t be making that claim.
If it’s decrypted in the middle, it’s not end to end encrypted. I guess you could invent a term like end to end to end encrypted for a trusted middle server, but Matrix bridges do drop the security E2EE provides. Now you’re back to “all of my messages can be stolen if a server gets hacked” again, which real E2EE should prevent.
If MLS and MIMI make it to chat messengers, we could see real E2EE across chat services. Until every service speaks the same protocol, we simply won’t have cross service E2EE.
deleted by creator
The WhatsApp bridge has access to the messages it has sent over Matrix, at least in the standard bridge setup. Plus, a hacked server can leak the messages in real time (the most common WhatsApp bridge even logs the messages it forwards to the server log by default).
The Matrix (Beeper) server stores the messages even if the bridge doesn’t. Plus, the bridge has a valid authentication token for the app on your phone, so it can pull down your entire chat history straight from your device if it wants to.
Beeper’s security is done about as well as you can with a bridge setup, but there are certain risks that can’t be mitigated given the limitations of the bridging system.
deleted by creator
Then it’s not E2E encrypted.
One end is your device, the other end is the other device. It’s only E2E encrypted if it is not decrypted until it reaches the other device.
deleted by creator
Sticking two E2EE tunnels together with a plaintext middleman doesn’t result in a single E2EE tunnel.
The reason the distinction is important is because the security profile is vastly different—a compromised server leads to a compromised message—which isn’t true for actual E2EE services like a pure Matrix link.
Side note: the first thing you should ask of a “end-to-end encrypted” product to you is “which ‘ends’ do you mean?” I’ve seen TLS advertised as E2EE before.
Adding: TLS is actually a pretty apt analogy here.
You could make a chat server that just accepts plain text messages over a TLS link, and that’s basically the same security topology as with this Beeper bridge.
But no one would call that a E2EE chat.
deleted by creator
How does one host their own beeper server?
Edit: found it
deleted by creator