ragingrei
Brass Contributor
Nov 09, 2020

Edge continues to be the only major browser with no end-to-end sync encryption

Every other browser, including Chrome, does end-to-end encryption.

 

Before, there was no mention of Sync privacy under any privacy pages. The Edge Privacy Whitepaper now describes how Edge secures Sync data:

 

All synced data is encrypted in transit over HTTPS when transferred between the browser and Microsoft servers. The synced data is also stored in an encrypted state in Microsoft servers. Sensitive data types such as addresses and passwords are further encrypted on the device before being synced. If you are using a work or school account, all data types are further encrypted before being synced using Microsoft Information Protection. All other synced data types are stored until you delete the data, the account is deleted, or the account becomes inactive. An account ID is attached to all synced data, as the ID is necessary to perform sync across multiple devices.

In other words, Microsoft employees can still see your browser history and any other sensitive information with the only exception of securely stored passwords.

 

Intentions aside, this is really just not a good look.
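
The distinction this post draws, between sync data that is "stored in an encrypted state" on the server and end-to-end encrypted sync, as an added example (not part of the original post, and not Edge's or Chrome's actual code). The function names, the scrypt and AES-GCM choices and the sample record are assumptions made for illustration.

```javascript
// Added illustration; every name and value here is constructed for the example.
const crypto = require("node:crypto");

// AES-256-GCM helpers: seal() encrypts, open() decrypts and throws on a wrong key.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(text, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// Model A: "encrypted in transit and at rest". The provider generates the key
// and keeps it next to the data, so the data is only protected from outsiders.
function serverSideSync(record) {
  const key = crypto.randomBytes(32);
  return { blob: seal(key, record), keysHeld: [key] };
}

// Model B: end-to-end. The device derives the key from a passphrase that is
// never uploaded; the provider stores ciphertext and a salt, and no key.
function endToEndSync(record, passphrase) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(passphrase, salt, 32);
  return { blob: seal(key, record), salt, keysHeld: [] };
}

// What someone with full access to the provider's storage can read:
// they can try every key the provider holds, and nothing else.
function providerCanRead(stored) {
  for (const key of stored.keysHeld) {
    try { return open(key, stored.blob); } catch { /* wrong key */ }
  }
  return null;
}

// A second device of the same user re-derives the key from the passphrase.
function deviceRead(stored, passphrase) {
  return open(crypto.scryptSync(passphrase, stored.salt, 32), stored.blob);
}

const record = "history: https://example.test/some-page"; // constructed sample
console.log("A, provider reads:", providerCanRead(serverSideSync(record)));
const e2e = endToEndSync(record, "a long passphrase");
console.log("B, provider reads:", providerCanRead(e2e));
console.log("B, user's device reads:", deviceRead(e2e, "a long passphrase"));
```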

98 Replies

  • Wittycat
    Iron Contributor

    ragingrei HotCakeX Kam Don't forget that even if Edge exists in a stable version, it's an unfinished product for now (since not all Chromium functions are there).

    So all we have to do is wait, and ask Microsoft if they have planned this function, and those who want it will respond to them that they want it.

    Even if we argue for 10 years here, that will not change anything. Some of us have already asked for this feature; those who haven't done it and want the feature can do it, and after that we wait for Edge to finish implementing all Chromium features.

    • HotCakeX
      MVP

      Wittycat 

      If you want to think like that then no software is ever finished, everything is constantly improving.

      Microsoft doesn't have to add everything from Chromium to Edge. Not everything Google adds to Chromium is correct and good.

      Also, like I said, there is no way to verify Google Chrome is actually end-to-end encrypting your data, simply because you can't see what happens on their server. So it's all about trust.

      When it comes to trust, people are divided. Some people trust a company, others don't.

      For example, I don't trust Google, some other people don't trust Microsoft.

      A lot of people don't trust Facebook and thus WhatsApp's end-to-end encryption (because the same company owns both products).

      So I don't see why end-to-end encryption (in this mode) is important or necessary if the end user can't be 100% sure their data is actually being end-to-end encrypted.

      I personally trust PGP encryption more than Google Chrome's encryption, which is based on "trust".


      • Wittycat
        Iron Contributor

        HotCakeX I wasn't talking about end-to-end, but in general some functions aren't there (like sync, which isn't finished), so yes, it's an unfinished product; as for saying it evolves, yes and no.

        Software evolves with updates. For now, Edge is under construction, so saying "Edge continues to be the only major browser with no end-to-end encryption" OR "Microsoft doesn't have to add everything from Chromium to Edge" is not relevant here, since the software isn't finished (finished in the sense of having the functions that MUST be there to be a major browser), BUT I agree with you that I prefer non-encrypted data in Microsoft's database, since they can't lose trust (just like Apple) on privacy, to a promise of my data being "encrypted" by Google.

         

    • Kam
      Silver Contributor
      Wittycat Thank you! All of you who have provided opinions here let's calm down.
  • Kam
    Silver Contributor
    ragingrei Microsoft employees should have access to our data, the only difference is that Google is stealing data while Microsoft gives you the option to disable tracking. Go to https://account.microsoft.com/privacy
  • On Google Chrome, if you use end-to-end encryption (which I'm sure they can still decrypt on their side) and then use the Google search engine for your daily searches, then they still have your search history.
    • ragingrei
      Brass Contributor

      HotCakeX That's true of any site that has cookies or requires user accounts. That's not a case where there's a reasonable expectation of privacy, so it's not nearly as much of an issue (though I personally use alternative search engines for this reason). Nor, importantly, is Google aware of what you do on the sites you navigate to from the search results, especially if you block tracking cookies, which a large portion of Internet users do. That's a massive difference from knowing every step you take and every tab you have open or have had open.

       

      End-to-end encryption inherently is unbreakable by whomever is storing the data. That's the whole point of it. In fact, there are famous cases where Apple can't break phone encryption for police access.

       

      There are probably some well-funded, shady organizations out there who can break it, but they can rarely act on it overtly, as then they would be revealing their capabilities to their adversaries, who would then change their encryption scheme.

       

      Meanwhile, without end-to-end encryption, a disgruntled Microsoft employee, or one who gains permission for the sake of the interests of the company, can easily decrypt your entire browsing history and view everything you do in Edge. I'm not even sure it would be illegal for them to, outside the EU.

      • HotCakeX
        MVP

        ragingrei 

        Apple, they can do it themselves; never believe just anything you read on the news.

        There is also an Israeli company that breaks Apple phones and sells these technologies to whoever pays.

        I have a legitimate question though: how can you know Google Chrome has end-to-end encryption? How do you verify that?

        How can you be sure the password field for data encryption in Chrome isn't just a password field to grab your keywords, save them on their server as plain text, and then you get a message that your data is encrypted, and then you believe it? You can't know what actually happens on their end and whether or not your data is actually encrypted.

        If you can, enlighten us too.

         

  • Wittycat
    Iron Contributor

    ragingrei I may be wrong, but actually I think it's more "not implemented for now" than "we don't want to implement it".

    Because, for instance, sync isn't finished on the stable one, I definitely think they will do it later, but don't forget that even if they do it, some data will be accessible by Microsoft employees.

    But for my part I prefer a Microsoft employee to a Google employee/bot, because if Microsoft screws up their privacy they have a lot to lose (since enterprises use them), whereas Google openly reads your data without any shame.

    But I really think they will implement it later (if US law doesn't forbid them first).

    • ragingrei
      Brass Contributor

      Wittycat I'm not too sure why US law would forbid them from implementing proper e2e encryption if it allows every other major browser to do it.

       

      I agree that I would much rather a Microsoft employee have access to my browser data than a Google employee, but the fact of the matter is that unless you have a weak key, they can't, whereas Microsoft, through Edge, can.

       

      I don't think they're going to implement it unless they receive enough pressure. The fact that they updated their privacy page to include a lot of convincing-sounding talk about encryption, without actually doing it correctly, is very discouraging. It reads to me like they're trying to weasel their way out of it.

      • Wittycat
        Iron Contributor

        ragingrei For the US law, I'm thinking of the EARN IT law and other attempts from all surveillance countries to break encryption.

        For Microsoft, I just think they need more time to finish the sync (and since they are the first to really implement passwordless correctly, it's even possible that data is already planned to be encrypted without entering a password).

        But like I said, on the stable one sync isn't finished, so I definitely think E2EE will arrive when they have finished and totally stabilized the sync feature.
