The user has to trust the business no matter what. Even if the chat was e2e encrypted, the business could just choose to share the messages with somebody else.
woojoo666|3 years ago
This use case is more for the business, who knows that the chat is hosted by a 3rd party, but is reassured that the 3rd party won't have access to messages.
The point is that the host can modify the code at will and can therefore access the messages if they wanted to. It defeats the idea of e2ee, which is to make it impossible for a middleman to access the messages.
eis|3 years ago
With e2ee you have to trust the client. But a client that is running as a website hosted by someone else can't be trusted, as the host can modify it and you'd never know, because browsers don't have a way to alert you when a site changed.
The only way this makes sense is if you (or your business) self-hosts.
memorythought|3 years ago
There are other considerations though, aren't there? Assuming that you trust the hosting entity:
* You may not want to trust the hosting entity for all of time. If you trust that E2E is deployed now, then you don't have to trust the future version of the host.
* You may want additional protection against the host database being compromised. If you trust that E2E is deployed, then a compromise of the host would not mean anything for your users' privacy.
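The two points above (the browser gives no warning when a hosted client's code changes, and wanting to rely on the E2E deployment as it was at a reviewed point in time) can be turned into a check run outside the browser. The following is an added example, not code from anyone in this thread: it pins SRI-style hashes of a hosted client's assets at a trusted build and reports any later change, including scripts the page newly references. The paths and file contents are constructed for the example.

```python
import base64
import hashlib
import re

def sri_digest(data: bytes) -> str:
    """SRI-style 'sha256-<base64>' digest of one served asset."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.IGNORECASE)

def referenced_scripts(html: bytes) -> list[str]:
    """Script URLs the top-level page asks the browser to load."""
    return SCRIPT_SRC.findall(html.decode("utf-8", "replace"))

def verify_client(served: dict[str, bytes], pinned: dict[str, str]) -> dict[str, str]:
    """Status per pinned path: 'ok', 'changed' or 'missing'; scripts the page
    newly references but that were never pinned are reported as 'unpinned'."""
    report = {}
    for path, digest in pinned.items():
        if path not in served:
            report[path] = "missing"
        elif sri_digest(served[path]) != digest:
            report[path] = "changed"
        else:
            report[path] = "ok"
    for src in referenced_scripts(served.get("/index.html", b"")):
        if src not in pinned:
            report[src] = "unpinned"
    return report

# Constructed sample build (hypothetical paths and contents, not a real product).
TRUSTED_JS = b"// e2ee client: encrypt in the browser before sending\n"
TRUSTED = {
    "/index.html": b'<html><script src="/app.js"></script></html>',
    "/app.js": TRUSTED_JS,
}
# Hashes recorded out of band at the time the deployment was reviewed.
PINNED = {path: sri_digest(data) for path, data in TRUSTED.items()}
# Constructed later deployment: app.js is unchanged, but the page now loads a
# second script the host added, which the browser would run without any warning.
TAMPERED = {
    "/index.html": b'<html><script src="/app.js"></script>'
                   b'<script src="/extra.js"></script></html>',
    "/app.js": TRUSTED_JS,
    "/extra.js": b"// code added by the host after the review\n",
}

if __name__ == "__main__":
    print(verify_client(TRUSTED, PINNED))   # every pinned asset 'ok'
    print(verify_client(TAMPERED, PINNED))  # index.html 'changed', /extra.js 'unpinned'
```

Browser-side Subresource Integrity only covers the subresources a page lists, not the top-level HTML that lists them, so the pin has to include the page itself, as this check does.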
tcfhgj|3 years ago