By that logic SSL/TLS is also end-to-end encryption, except it isn't

Stefan-H · 2026-01-13T20:03:06 1768334586

When the server is the final recipient of a message sent over TLS, then yes, that is end-to-end encryption (for instance if a load balancer is not decrypting traffic in the middle). If the message's final recipient is a third party, then you are correct, an additional layer of encryption would be necessary. The TEE is the execution environment that needs access to the decrypted data to process the AI operations, therefore it is one end of the end-to-end encryption.

shawnz · 2026-01-13T20:09:25 1768334965

This interpretation basically waters down the meaning of end-to-end encryption to the point of uselessness. You may as well just say "encryption".

Stefan-H · 2026-01-13T20:14:35 1768335275

E2EE is usually applied in contexts where the message's final recipient is NOT the server on the other end of a TLS connection, so yes, this scenario is a stretch. The point is that in the context of an AI chat app, you have to decide on the boundary that you draw around the server components that are processing the request and necessarily need access to decrypted data, and call that one "end" of the connection.

paxys · 2026-01-13T20:04:22 1768334662

No need to make up hypotheticals. The server isn't the final destination for your LLM requests. The reply needs to come back to you.

charcircuit · 2026-01-13T20:31:25 1768336285

If Bob and Alice are in an E2EE chat Bob and Alice are the ends. Even if Bob asks Alice a question and she replies back to Bob, Alice is still an end.

Similarly with AI. The AI is one of the ends of the conversation.

paxys · 2026-01-13T23:14:08 1768346048

So ChatGPT is end-to-end encrypted?

Stefan-H · 2026-01-14T16:36:04 1768408564

No, because there is a web server that exposes an API that accepts a plaintext prompt and returns plaintext responses (even if this API is exposed via TLS). Since this web server is not the same server as the backend systems that are processing the prompt, it is a middle entity, rather than an end in the system.

The difference here is that the web server receiving a request for Confer receives an encrypted blob that only gets decrypted when running in memory in the TEE where the data will be used, which IS an end in the system.

hrimfaxi · 2026-01-14T00:56:18 1768352178

Is your point that TLS is typically decrypted by a web server rather than directly by the app the web server forwards traffic to?

charcircuit · 2026-01-14T03:49:52 1768362592

Yes. I include Cloudflare as part of the infrastructure of the ChatGPT service.

Stefan-H · 2026-01-14T16:40:09 1768408809

See my other comment, but the answer here is resoundingly "No". For the communication to be end-to-end encrypted the payload needs to be encrypted through all steps of the delivery process until it reached the final entity it is meant for. Infrastructure like cloudflare generally is configured to be able to read the full contents of the web request (TLS interception or Load balancing) and therefore the message lives for a time unencrypted in the memory of a system that is not the intended recipient.

lsofzz · 2026-01-14T09:02:45 1768381365

Go read a book on basic cryptography. Please.

charcircuit · 2026-01-14T15:24:58 1768404298

I have read through Handbook of Applied Cryptography.