Let's build a precise model. End-to-end encryption means that a message is encrypted on the sender's device, travels encrypted through all intermediaries, and is only decrypted on the recipient's device. No server in the middle — not the service provider's infrastructure, not your ISP's routers — can read the content.
This is genuinely powerful. It means that even if Signal's servers are compromised, even if a government serves Signal with a lawful demand for your messages, even if someone intercepts your traffic at a coffee shop, the message content is unreadable to anyone except the intended recipient.
What it does not mean is that using an E2EE app makes you private. These are different claims, and the gap between them is significant.
How E2EE Actually Works
The mechanics differ between systems, but the core structure is consistent. We'll use the Signal Protocol as a concrete example since it's the most widely deployed and publicly documented.
Key Exchange
Before two parties can exchange encrypted messages, they need to establish a shared secret without transmitting it — because transmitting a secret over an untrusted network defeats the purpose. The Signal Protocol uses a construction called X3DH (Extended Triple Diffie-Hellman).
Each user generates several key pairs when they register:
When Alice wants to send Bob his first message, Alice fetches Bob's public keys from the server. Alice then performs a series of Diffie-Hellman operations combining her private keys with Bob's public keys, producing a shared secret that Bob can derive independently on his end — but that no third party who observed the key exchange can compute. This is the "ratchet" that makes Signal's encryption forward-secret.
Forward Secrecy and the Double Ratchet
Forward secrecy means that compromising today's keys does not decrypt past messages. Signal achieves this through the Double Ratchet Algorithm, which generates a new encryption key for every message.
The practical implication: an attacker who intercepts and stores your encrypted Signal messages today cannot decrypt them even if they obtain your device's private key in the future — because the keys that decrypted those messages have already been deleted.
Group Messaging and MLS
The Double Ratchet scales to two-party conversations. Group messaging is harder. Traditional approaches (like iMessage groups) encrypt to each member individually, which means the sender's work scales linearly with group size, and adding or removing members is complicated.
RFC 9420 — the Messaging Layer Security (MLS) protocol — solves this with a tree-based key structure. The group shares a key derived from a binary tree where each leaf is a member's identity key. Adding or removing a member requires only a logarithmic number of key updates rather than a full re-key of every pair.
MLS also provides stronger security guarantees than ad-hoc group encryption: post-compromise security (PCS), meaning that if a member's device is compromised, they can be healed back to security through key rotation without the attacker being able to read future messages.
What E2EE Protects Against
What E2EE Does Not Protect Against
The Key Distribution Problem
The most underappreciated weakness in practical E2EE deployments is key distribution. The security of an E2EE system depends on you actually encrypting to the right key. How do you know the key your app fetched for "alice@example.com" actually belongs to Alice?
In practice, most users trust the key server. Signal publishes your public key; when Bob wants to message you, Signal's server tells Bob's client what your key is. If Signal's server were compromised or malicious, it could substitute a different key — an attacker's key — and Bob's client would silently encrypt to the attacker.
The cryptographic solution is key verification: comparing key fingerprints out-of-band (in person, via phone call) to confirm you're both using the same keys. Signal calls these "safety numbers." PGP calls them key fingerprints. In practice, almost no users do this.
This is not a theoretical problem. Law enforcement and intelligence agencies have legal mechanisms to compel service providers to serve modified key material to specific targets. A well-designed E2EE system makes this detectable — safety number changes trigger alerts — but only if the user pays attention.
Zero-Knowledge Architecture Goes Further
E2EE protects messages in transit. Zero-knowledge architecture extends the protection to stored data: your messages, email, and files are encrypted before they leave your device, using keys derived from your passphrase that the server never sees.
The difference matters for stored data. An E2EE messaging app that stores encrypted message history on its servers has protected your messages in transit, but the server holds ciphertext that it can hand to a third party. A zero-knowledge system means the server has ciphertext and no ability to derive the keys — even a lawful demand for the encrypted data produces data that cannot be decrypted without the user's passphrase.
Haven implements zero-knowledge architecture for email: your email is encrypted client-side using PGP keys derived from your passphrase. The server never sees the plaintext. Combined with E2EE chat via MLS, the system applies end-to-end encryption to transit and zero-knowledge encryption to storage — two different security properties that together close the gap between "encrypted in transit" and "actually private."
E2EE is necessary but not sufficient for private communication. Metadata protection, zero-knowledge storage, identity without a phone number, and key verification are the remaining layers. Any one of them missing represents a gap that content encryption does not fill.
The question to ask about any "encrypted" app is not "does it use encryption?" but "what threat model does it actually address, and what does it leave to other mitigations?" The answer should come from the technical architecture, not the marketing copy.