For an attacker with enough means, the private keys can always be exfiltrated, and content can be intercepted, but usually there are much simpler solutions for snooping on encrypted content: the devil is in the (implementation) details (this link is an illustration, and by no means an exhaustive list).
Cryptography is always simpler to go around than to break. So never be satisfied with a cryptography-only (or protocol-only) audit. There are nearly infinite ways to neutralize encryption with a single line of code in a client.
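One class of such single-line neutralizations is TLS peer verification being switched off in the client, which leaves the cipher intact but lets anyone on the path present their own certificate. The review aid below is an added example, not code from the original page; it flags those settings in constructed sample source, and the rule names, `scan` and `SAMPLE` are assumptions of this example.

```python
import re

# One-line settings that switch off TLS peer verification while leaving the
# cipher suite untouched. Each is a real option of the named library.
PATTERNS = {
    "python-requests verify=False": re.compile(r"\bverify\s*=\s*False\b"),
    "python ssl CERT_NONE": re.compile(r"\bCERT_NONE\b"),
    "python ssl check_hostname off": re.compile(r"\bcheck_hostname\s*=\s*False\b"),
    "python ssl unverified context": re.compile(r"\b_create_unverified_context\b"),
    "go InsecureSkipVerify": re.compile(r"\bInsecureSkipVerify\s*:\s*true\b"),
    "node rejectUnauthorized off": re.compile(r"\brejectUnauthorized\s*:\s*false\b"),
}
COMMENT = re.compile(r"^\s*(#|//)")


def scan(source):
    """Return (line_number, rule, text) for every flagged non-comment line."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if COMMENT.match(line):
            continue  # whole-line comments are skipped; trailing ones are scanned
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((number, rule, line.strip()))
    return findings


# Constructed sample: the same client call before and after a one-line change,
# plus the equivalent switches in Go, Node.js and Python's ssl module.
SAMPLE = """\
import requests
# verify=False was used during testing
resp = requests.get(API_URL, timeout=5)
resp = requests.get(API_URL, timeout=5, verify=False)
tlsConf := &tls.Config{InsecureSkipVerify: true}
const agent = new https.Agent({ rejectUnauthorized: false });
ctx.check_hostname = False
"""

if __name__ == "__main__":
    for number, rule, text in scan(SAMPLE):
        print(f"line {number}: {rule}: {text}")
```

A cryptography-only or protocol-only audit would pass every line of the sample, since none of the flagged settings changes the algorithm or the protocol version.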
The architecture is also essential. Client-Server encryption has entirely different use cases than Client-Client encryption (E2EE).
And finally, Schneier’s law:
Any person can invent a security system so clever that she or he can’t think of how to break it.