Security · 5 min read

End-to-end encryption, without the math

E2EE isn't magic. It's not a button either. Here's what it actually means, what it doesn't protect, and the three questions to ask before you believe a tool that claims it.

The Zippytal team

Builders

Every app says it's encrypted now. Most of them are telling the truth in the boring sense: the data is encrypted at rest and in transit. That protects you from someone stealing a hard drive at the datacenter. It does not protect you from the company that runs the datacenter.

End-to-end encryption is different. Here's the whole idea in one sentence:

"E2EE means only the people on the ends of a conversation can read it. Not the server. Not the company. Not a subpoena. Not a breach."

How it works, without math

Each person has two keys: a public one they share freely, and a private one they never share. Messages are scrambled with the recipient's public key, and only the recipient's private key can unscramble them.

The server that ships the messages around only ever sees the scrambled version. Even if the server gets hacked, or the company gets bought, or a court order lands, the messages stay unreadable. The private keys never touched the server.
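Here is that flow as a runnable Node.js sketch; it is an added example, not Zippytal's code. Real systems rarely scramble the message with the public key directly, so it uses the usual hybrid form: X25519 key agreement with a fresh key pair per message, then AES-256-GCM. The names (`seal`, `unseal`, `Relay`) and the sample message are made up for illustration.

```javascript
// Added example, not Zippytal code: the relay only ever handles ciphertext.
const crypto = require('node:crypto');

// Each person generates a key pair on their own device and shares only the public half.
const newIdentity = () => crypto.generateKeyPairSync('x25519');

// Turn an X25519 shared secret into a one-message AES-256 key (HKDF-SHA256).
function deriveKey(privateKey, publicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'e2ee-demo', 32));
}

// Sender: needs only the recipient's PUBLIC key.
function seal(recipientPublicKey, plaintext) {
  const eph = crypto.generateKeyPairSync('x25519'); // fresh key pair per message
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  const iv = crypto.randomBytes(12);
  const key = deriveKey(eph.privateKey, recipientPublicKey, ephPub);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { ephPub, iv, body, tag: c.getAuthTag() };
}

// Recipient: needs the PRIVATE key, which never left the device.
function unseal(recipientPrivateKey, env) {
  const ephPub = crypto.createPublicKey({ key: env.ephPub, type: 'spki', format: 'der' });
  const key = deriveKey(recipientPrivateKey, ephPub, env.ephPub);
  const d = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.body), d.final()]).toString('utf8'); // throws on wrong key
}

// The server: stores and forwards envelopes, holds no private keys.
class Relay {
  constructor() { this.queue = []; }
  deliver(to, env) { this.queue.push({ to, env }); } // "to" is metadata the server still sees
  fetch(to) { return this.queue.filter((m) => m.to === to).map((m) => m.env); }
}

function demo() {
  const bob = newIdentity(), eve = newIdentity(), relay = new Relay();
  relay.deliver('bob', seal(bob.publicKey, 'meet at noon')); // constructed sample message
  const [env] = relay.fetch('bob');
  const serverView = Buffer.concat([env.ephPub, env.iv, env.body, env.tag]);
  let eveReads = null; // eve stands for anyone without Bob's private key
  try { eveReads = unseal(eve.privateKey, env); } catch { /* authentication fails */ }
  return { serverSeesPlaintext: serverView.includes('meet at noon'),
           bobReads: unseal(bob.privateKey, env), eveReads };
}
console.log(demo());
```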

What E2EE does not protect

  • Metadata: who you talked to, when, how often. Unless the tool is carefully designed to minimize metadata, this is often visible to the service.
  • Endpoint compromise: if your phone is infected, encryption doesn't help. The attacker has your keys.
  • Backups: if your messages are backed up to an unencrypted cloud (hi iCloud, hi Google), you've just leaked everything.

The three questions to ask a tool

  • Who holds the keys? If the answer is 'we do' or 'we can recover them', it's not real E2EE.
  • What metadata is collected? Even good E2EE can leak social graphs if the service logs every interaction.
  • Is the client open-source? If you can't audit the app, you can't verify the encryption claims. It's trust-me-ware.

Why we care

Every Zippytal tool is E2EE by default. Keys are generated on your device and never leave it. The server (and there barely is one, because everything runs on your own nodes) only ever sees ciphertext.

Not because we think you have something to hide. Because dignity, intimacy, and trust require a room with a door.