sotvo

Is end-to-end encryption safe?

A straight answer on end-to-end encryption safety: where the math holds, how real attacks work, and the three weak points that decide the rest.

End-to-end encryption is safe against the threat it was built for: nobody between the two devices, including the company that runs the service, can read what you send. The math behind it has survived fifty years of public review. The honest caveats live elsewhere, on the phones at each end, in backups, and in the metadata around a chat.

Asking whether end-to-end encryption is safe really asks two questions: does the lock hold, and does it cover enough. This page answers both, in that order. If you want the mechanism first, we keep a separate primer on what end-to-end encryption is, with the key exchange drawn out step by step.

Where the safety comes from

The safety of end-to-end encryption comes from where the keys live. The keys that seal and open a conversation exist only on the two devices inside it, so the server in the middle carries ciphertext it has no way to open. There is no master key to steal. The one thing worth demanding from a provider never reaches its servers in readable form.

The math is public and old. Public-key exchange dates to “New Directions in Cryptography,” the 1976 paper by Whitfield Diffie and Martin Hellman, and every messaging protocol worth using since has been published for anyone to attack. In 2017, researchers at the University of Oxford and Queensland University of Technology published “A Formal Security Analysis of the Signal Messaging Protocol” and found no flaws in its design; that protocol now sits under everyday chats in WhatsApp, Signal, and Google Messages. Current protocols go further and change keys with every message, so a stolen key opens almost nothing beyond the moment of the theft.

Can end-to-end encryption be hacked?

End-to-end encryption can be hacked in practice, and the record shows how: attackers go around the encryption instead of through it. Three routes account for the documented cases, and none of them touches the math.

The first route is the phone itself. In May 2019, attackers used a flaw in WhatsApp’s calling code to plant Pegasus spyware on target devices; WhatsApp told a US court that about 1,400 users were hit. The spyware read messages the way their owners did, on the screen, after decryption. The encryption held. The phones did not.

The second route is impersonation during the key exchange. Someone who sits in the middle when two phones first agree on keys can try to hand each side a key of their own. Verification closes this: Signal shows a safety number, WhatsApp shows a QR code, and comparing it once over a channel you trust closes the route.

The third route is a bug in the software around the cipher. The 2018 “Efail” disclosure, from researchers at Münster University of Applied Sciences and Ruhr University Bochum, read encrypted email by abusing how mail clients rendered HTML; the ciphers themselves were left standing, and client patches closed the hole. Keeping an app updated is dull advice aimed at exactly this, the most common real attack surface there is.

The three weak points: endpoints, backups, metadata

Three weak points decide how much privacy an end-to-end encrypted chat delivers in daily use: the endpoints, the backups, and the metadata. Each leaks differently, and each has a counter.

Weak point What leaks there What narrows it
Endpoints, the two phones Everything, in plain text, to whoever holds an unlocked device; the person you write to keeps copies if they choose A passcode, an app lock, and care in who you invite
Backups Whole chat histories, copied to a cloud outside the end-to-end protection Encrypted backups where offered, or none at all
Metadata Who talked to whom, when, and how often, with no words readable Services built to record less in the first place

Backups are the quiet one. WhatsApp has offered end-to-end encrypted backups since October 2021, and Apple’s Advanced Data Protection brought the same idea to iCloud in December 2022, yet both arrive as switches you have to find. On a fresh WhatsApp install we set up in July 2026, the encrypted backup toggle sat off until we turned it on. A conversation sealed in transit for years can still end its life readable in a cloud archive.

Metadata is the one no setting fixes. The shape of a conversation carries meaning on its own: two people, most evenings, replies within seconds. What varies is how much of that shape a service writes down, and the encryption label says nothing about it either way. That silence is why the choice of app matters, which is the next question.

What makes one end-to-end encrypted app safer than another

What separates one end-to-end encrypted app from another is everything around the cipher, because the cipher is broadly the same. Four questions do the sorting: whether protection is on by default, what the service stores about you, where backups go, and how the app behaves at the endpoints.

The differences are concrete. Telegram applies end-to-end encryption only in its opt-in secret chats. WhatsApp applies it by default and holds your phone number and contact graph. Signal applies it by default and retains close to nothing about who you talk to. Same words on the label, three different amounts of trust being asked of you.

Sotvo, the app this site belongs to, was designed with those four questions as the starting point: a room opens with a shared code instead of an account or a phone number, messages live in memory with nothing written to disk, and the server relays what it cannot read. The full mechanics sit on our security page, which walks through how Sotvo applies it, limits included.

the lock almost never fails. safety is decided at the doors.

Common questions about end-to-end encryption safety

Is end-to-end encryption secure?

Yes. Secure and safe name the same property here: a message only the two devices in the conversation can decrypt. The protocols in wide use have stood through formal analysis and years of adversarial attention without a break in the core design.

Has end-to-end encryption ever been broken?

The core math of modern end-to-end encryption has not been broken. Documented failures, like the 2018 Efail attack on encrypted email, exploited the software displaying the message; the fix was a patched client, never a replaced cipher.

Is end-to-end encryption good enough for everyday privacy?

Yes. End-to-end encryption is good enough that it already runs quietly under most conversations: WhatsApp and iMessage apply it to standard chats by default. The gap between apps is what they keep around the message, and that part rewards a deliberate choice.

Can a provider hand over end-to-end encrypted messages?

A provider can hand over only what it holds, and for an end-to-end encrypted chat that means ciphertext plus whatever metadata the service retains. In the cases that reached courts, readable content came from a seized device or an unencrypted backup.