
> 1. What's the point? In end-to-end encryption situations usually the concern is around data storage (perhaps), but for just sending messages typically TLS is enough (or seems it, anyway, from my perspective as a non-security engineer)

One use case I've used e2e for is password storage.

Assuming something like:

Browser -> nginx -> Web API -> Auth Service -> DB

This is a pretty common way to set up something like password auth, but a cleartext password will be exposed to nginx and your web API, for no reason, if you just use TLS. It's not uncommon for passwords to end up in request logs or that sort of thing in a system like this.

You could use ZKP, which gets you slightly stronger guarantees than e2e, but imo e2e is a really good sweet spot for solving this - the plaintext password will only be decrypted within a single function (the one that hashes it) in your secret server.
