It appears to me (without having pored through the source code in detail) that when a user connects to https://app.wire.com/, encryption is not really end-to-end, as encryption apparently takes place on the app.wire.com server and not in the user's own web client. (Other than the normal https encryption which doesn't make it end-to-end.)
I looked at the pdf documents on the website (“Wire Security Whitepaper.pdf” and “Wire Privacy Whitepaper.pdf”) and they do not seem to make this clear.
It will be very helpful to users to make it clear in the documentation and also on the app.wire.com website itself that end-to-end encryption is not available when they connect to https://app.wire.com/ with a web browser.
Or, if I'm mistaken, and end-to-end security is actually in effect above, then the documentation should say that so users are not left in doubt.
Messages are definitely encrypted locally in your browser with no way for our backend or anyone other then the intended receiving client being able to decrypt the content of that message.
On https://wire.com/privacy we say that "Text, voice, video and media on Wire are always end-to-end encrypted 1:1 and in groups, so all your conversations are secure and private. Conversations are available on multiple devices and platforms without weakening security."
We thought that this implied that the web app was not different.
It uses https://github.com/wireapp/proteus.js to do the end-to-end-encryption.
Thank-you for setting me straight. I have never been so happy to have been mistaken!
Regarding the cited statement on https://wire.com/privacy, it does imply end-to-end encryption in the web app too, provided that the user's web browser, and not the web server itself, is the “end” in "end-to-end”. There's some room for doubt here. It would be better to mention the web app's security too in the white papers.
@fortran77
[...] provided that the user's web browser, and not the web server itself, is the “end” in "end-to-end”
There's some room for doubt here.
Actually, there isn't (IMO at least). By definition, E2EE is a system of communication where only the communicating users can read the messages.
So when Wire is using the term "End-to-end encryption" in their Security Whitepaper, it means they actually established a protocol+system which works in the intended way. Everything else would be a lie and could easily be discovered in the client's source code.
(Yes, I know, not everyone is a developer, but someone would find out sooner or later. Further read: Why Open Source is Not Insecure)