E2E encryption is only (potentially) effective if the threat is a MITM. If your threat model shows any possibility for your threats to be on either end, it is effectively useless.
Now I’m not saying that you should model Chrome as a threat, but I’m certainly saying that you also can’t be certain you don’t need to. The whole thing is closed source, the publisher is a Machiavellian megacorporation; and if I were Google, and had to spy on users for profit, that’s certainly where I’d start. You know, as anonymized metrics, to “help improving Chrome”.
Edit: oh and, I haven’t checked what they mean by that, but potentially, the E2EE is meant in the context of the transit only, meaning the data at rest is not encrypted, on your computer, or on the Google servers.
under “keep your info private”, this is different than encrypted in transit. I mean I guess they could be lying 🤷‍♂️
https://support.google.com/chrome/answer/165139