With increasing threats from hackers and state-sponsored surveillance, people want to know how to protect their online privacy and security. Each breach and hack raises the issue, but the answers are elusive to most people. Many people think the builders of their favourite apps are protecting them—but they aren’t. Often the apps we rely on are part of the problem itself and not a solution. Protecting messages with end-to-end encryption (E2EE) is essential to your privacy, but the catch is that E2EE is often misunderstood by the people who need it most. Discussions around end-to-end encryption are often met with controversy. However, end-to-end encryption is one of the most fundamental, and easiest, ways to protect yourself online. The problem is that many people don’t understand it, don’t know how to use it, or don’t see how important it is. This post looks at what end-to-end encryption is so that you can understand why you need it, and how it mitigates the real risks to our privacy and security.
What is end-to-end encryption
Secret messages have been sent for centuries. Someone invents a secret code, shares the “key” that unlocks it, and secret messages can then be sent securely between the people who hold that key. This isn’t anything new. What is new is sending secret, coded messages via computers over the public internet.
Secret codes today are powered by powerful algorithms, with the “keys” being electronic strings of numbers. They’re far more complicated than the first secret codes, like the Caesar cipher (seen above), which Julius Caesar used for his private messages. Today we use public-key cryptography, often described as public-private key exchange, to create encrypted messages. Your public key can only be used to encrypt messages, and your secret, private key is the only thing that can decrypt them.
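To make the contrast between old and modern “keys” concrete, here is an added Go example (not code from the original post or from Sky ECC) of the Caesar cipher mentioned above: encryption with a shift key, decryption with the same key, and an exhaustive search over all 26 possible keys that recovers the message without ever being told the key. The sample message and the small word list used to recognise English text are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// caesarShift rotates each ASCII letter by shift positions and leaves every
// other character unchanged. Decryption is the same operation with the
// negative shift, so one helper serves both directions.
func caesarShift(text string, shift int) string {
	shift = ((shift % 26) + 26) % 26 // normalise to 0..25, handles negative keys
	var b strings.Builder
	for _, r := range text {
		switch {
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(shift))%26)
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(shift))%26)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// CaesarEncrypt shifts the plaintext forward by key positions.
func CaesarEncrypt(plain string, key int) string { return caesarShift(plain, key) }

// CaesarDecrypt shifts the ciphertext back by key positions.
func CaesarDecrypt(cipher string, key int) string { return caesarShift(cipher, -key) }

// commonWords is a tiny constructed vocabulary; a candidate decryption that
// contains these whole words is almost certainly the right one.
var commonWords = map[string]bool{
	"the": true, "and": true, "at": true, "to": true, "of": true, "is": true, "meet": true,
}

// englishScore counts whole words (split on whitespace) found in commonWords.
func englishScore(text string) int {
	n := 0
	for _, w := range strings.Fields(strings.ToLower(text)) {
		if commonWords[w] {
			n++
		}
	}
	return n
}

// BreakCaesar tries every one of the 26 keys and returns the key and
// plaintext that look most like English. The key space is so small that
// "keeping the key secret" buys nothing; ties go to the lowest key.
func BreakCaesar(ciphertext string) (key int, plaintext string) {
	bestScore := -1
	for k := 0; k < 26; k++ {
		candidate := CaesarDecrypt(ciphertext, k)
		if s := englishScore(candidate); s > bestScore {
			key, plaintext, bestScore = k, candidate, s
		}
	}
	return key, plaintext
}

func main() {
	secret := "meet at the old bridge at dawn" // constructed sample message
	ct := CaesarEncrypt(secret, 3)
	fmt.Println("ciphertext:", ct)
	k, pt := BreakCaesar(ct)
	fmt.Printf("recovered with key %d: %q\n", k, pt)
}
```

Twenty-six keys can be searched by hand; a modern 256-bit key has about 1.2 × 10^77 possibilities, which is why the post can say that modern ciphertext stays unreadable without the key.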
You can read more about encryption in our post about , but for this post we’re looking at making sure that when you encrypt a message, it stays encrypted from sender to receiver—from end to end. For decades only the most technical of users could use E2EE, but in the last ten years a number of apps have made it easy to use—including Sky ECC. How this process works is best explained in the diagram below, where we imagine a very common need for encrypted messages: someone who needs to speak to a divorce lawyer.
In this example, Wade writes a message to his divorce lawyer, Vanessa, with an app that supports E2EE:
He uses Vanessa’s public key to encrypt his message.
The message becomes encrypted ciphertext, which is indecipherable during transport—except to Vanessa, who has the private key.
When the message reaches Vanessa in her app, it is decrypted with her private key and she can read it.
Wade can read his message as he writes it, Vanessa can read it once she receives it, and no one in between—like a snooping partner looking for an advantage during the divorce negotiations—can read what’s going on. That’s a basic look at how E2EE should function.
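The three steps above, as an added Go example that is not code from the original post or from Sky ECC. It uses an elliptic-curve key agreement on the P-521 curve (the “521 bit ECC” size the post refers to) plus AES-256-GCM, so the same program also shows what an on-path snoop captures and what happens when a man-in-the-middle alters a message. Deriving the AES key with a single SHA-256 over the shared secret is a simplification standing in for a proper KDF; the names, message text and overall construction are assumptions for this illustration, not Sky ECC’s protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one end of the conversation: a P-521 key pair. The public key is
// what Wade and Vanessa hand out; the private key never leaves its owner.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh P-521 key pair for the named participant.
func NewParty(name string) (*Party, error) {
	priv, err := ecdh.P521().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicKey is the only key material a party ever shares.
func (p *Party) PublicKey() *ecdh.PublicKey { return p.priv.PublicKey() }

// sessionKey turns the ECDH shared secret with peer into a 256-bit AES key.
// SHA-256 is used here as a stand-in for a real KDF such as HKDF (assumption).
func (p *Party) sessionKey(peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

func (p *Party) gcmFor(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	key, err := p.sessionKey(peer)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for the holder of peer's private key. The returned
// bytes (nonce || ciphertext || tag) are all the network ever carries.
func (p *Party) Encrypt(peer *ecdh.PublicKey, plaintext string) ([]byte, error) {
	gcm, err := p.gcmFor(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// Decrypt opens a message from the holder of peer's private key. A wrong key
// or a single flipped bit fails GCM's tag check, so an interceptor can
// neither read the message nor silently alter it.
func (p *Party) Decrypt(peer *ecdh.PublicKey, wire []byte) (string, error) {
	gcm, err := p.gcmFor(peer)
	if err != nil {
		return "", err
	}
	if len(wire) < gcm.NonceSize() {
		return "", errors.New("message too short")
	}
	pt, err := gcm.Open(nil, wire[:gcm.NonceSize()], wire[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	wade, _ := NewParty("Wade")
	vanessa, _ := NewParty("Vanessa")
	snoop, _ := NewParty("snooping partner") // on the network, but without Vanessa's key

	wire, _ := wade.Encrypt(vanessa.PublicKey(), "Can we meet Thursday about the settlement?")
	fmt.Printf("on the wire: %x\n", wire) // the only thing the snoop can capture

	msg, err := vanessa.Decrypt(wade.PublicKey(), wire)
	fmt.Println("Vanessa reads:", msg, err)

	_, err = snoop.Decrypt(wade.PublicKey(), wire)
	fmt.Println("snoop with own key:", err)

	wire[len(wire)-1] ^= 0x01 // a man-in-the-middle flips one bit in transit
	_, err = vanessa.Decrypt(wade.PublicKey(), wire)
	fmt.Println("tampered message:", err)
}
```

Note that the snoop fails even with network access and Wade’s public key, because the public key alone does not yield the session key; only Vanessa’s private key does. That is the property the diagram steps describe.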
What does real encrypted text look like?
I put a secret sentence, with a fun message for you to solve, into this website which simulates the German Enigma encryption machine and got the following encrypted text out:
GWAT DKNV KUQA MXZH QKPK TWPL RHAJ VCXF RZXY JQYF G
Modern encryption is much more complicated, creating encrypted text many times longer than the original, but the above is a good example. You don’t know the settings I used to encrypt the text above yet, so you won’t be able to decrypt the message. Want to be a super-cool cryptographer? Here are my settings from above so you can decrypt the message:
Why do we need end-to-end encryption?
The example above, with Wade and his divorce lawyer Vanessa, was just one of thousands of real-life scenarios where E2EE is essential. It’s important to have encryption from end to end because anyone monitoring the network you send messages over can read unencrypted messages. This can include:
Hackers looking for private data to exploit
Service providers who want to collect data for ads (as Facebook and WhatsApp do)
Governments looking to suppress protests or dissent
Criminals trying to suppress journalists and free speech
Rival companies doing corporate espionage
The list above can go on and on. End-to-end encryption stops these people in their tracks and protects your information. The goal is simply making sure that only the people you want to read a message can read the message. Generally, end-to-end encryption tools don’t save messages on servers. If they do, the messages stored are encrypted, so if the server is hacked and your data is stolen, it is still safe.
Data breaches happen all too regularly
I remember a time when online security journalists, like myself, would write posts on “the worst security breaches of all time” for some good content. Now when we write about the worst security breaches of the past year alone, we are overwhelmed with choices. Let’s narrow it down a bit and look at the worst data breaches which could have been mitigated with end-to-end encryption:
Yahoo: All 3 billion accounts which existed in 2013 had their email addresses, names, dates of birth, and passwords compromised. It is estimated that this caused Yahoo’s sale price to drop by $350 million.
FriendFinder Network: 20 years’ worth of data was stolen, impacting over 412 million users, including names, email addresses, and passwords, from the network which included the chatting/hookup app Adult FriendFinder.
MySpace: One of the biggest early communications tools online; over 360 million accounts were breached. It is thought that this occurred in the mid-2000s and wasn’t discovered until 2016.
WhatsApp: An undisclosed number of users had spyware injected on their phones via WhatsApp’s own voice-calling feature. One alleged victim was a human rights lawyer helping four journalists and dissidents mount legal cases against NSO Group…who just happen to be the creators of the attack tool. What a coincidence, eh? WhatsApp urged users to update to a new version that was released with a patch.
Snapchat: Hackers were able to steal photos and videos from 3rd-party apps for years before releasing a 13GB database of everything that had been sent by users through the app during that time. This was bad, but was part of a general trend of insecurity, as it was also found that 4.6 million users had their phone numbers exposed through a leak.
These are all tools which were used for messaging in some form or another, and they were all compromised due to poor encryption standards at some point in their structure. The hacks happened to regular people, just like you, and had real consequences for the people involved…multi-million dollar lawsuits weren’t settled for fun by the companies involved.
Most people understand that they send and receive information from the sources they consent to. The mystery is how a hacker puts themselves in the middle of these communications and steals them, or takes them after the fact. There are a few common techniques:
Evil twin and fake Wi-Fi hotspots: This is when a hacker sets up a Wi-Fi hotspot that looks like it should be legit, but is instead used to collect unencrypted data sent over the network.
Man-in-the-middle: Hackers use a tool to put themselves between you and your internet connection, allowing them to collect data—like messages, passwords, and the sites you’re visiting—and harvest it for information worth money to criminals.
Network eavesdropping: Legitimate network administrator tools are used to sniff and record data packets, which are then inspected with a packet analyzer.
SS7 hacks: Used for over 50 years, this is a vulnerability in 3G networks which allows hackers to steal data in transit over these mobile networks.
IMSI catcher: A cellphone tower attack where a fake tower is created and phones connect to it automatically, believing it’s real. The hacker can then steal any unencrypted traffic sent over the network—like voice calls and text messages.
End-to-end encryption protects against all of these because it ensures that hackers can’t read what they capture. They can still intercept it, sure, but they can’t get any useful data out of it; all they get is the ciphertext created by the messaging app’s end-to-end encryption. All current encryption algorithms create secret messages that would take billions of years, or more, of computing time to decipher just one single message.
Who needs to be protected?
Those are who we need to be protected against, but who needs this protection? You have nothing to hide…right? Well, maybe you don’t, but these people certainly do:
Whistleblowers doing research on corruption
Journalists protecting sources and researching stories
Celebrities discussing upcoming projects—or just their everyday life; the News of the World scandal showed us how vulnerable they were
Lawyers speaking with clients
Doctors and all others with access to medical records
Politicians in all aspects of what they say privately
Executives and other high-ranking employees of corporations, especially when travelling to places where internet surveillance is commonplace
Stores communicating with consumers
The News of the World scandal was huge, and it was all about phone hacking and insecure messaging. If the data in all of those messages had been encrypted end-to-end, there wouldn’t have been anything for those corrupt journalists to find and publish. Sky ECC is a secure messaging tool with end-to-end encryption—521 bit ECC encryption, to be exact—that is invulnerable to attacks like those listed. You expect your data to be protected by most apps, but it simply isn’t to the same high standard as Sky ECC’s security features.
Even if you’re not a celebrity, or don’t fit into the jobs above, there is still data you want to keep private. Your financial information is a prime example, and I’m not only talking about information related to banking:
Sending information back and forth to your accountant, or to the bank for a mortgage, involves sensitive information.
Much of the information transmitted could be used to commit identity theft and fraud.
Credit cards can be opened in your name, medical fraud can be committed, phony tax returns can be submitted, and you’ll be on the hook for all of it.
Proving it wasn’t you doing any of it can be extremely hard if someone has compromised your entire digital life.
Misplaced trust in messaging tools
Getting back to your everyday life, think about the apps and sites you use. Think about the information you send, share, and keep there. You probably assume that because you need a password to get into the account, your information is safe. Sadly, that isn’t the case. Just looking at messaging apps, here are a few you might use that don’t use E2EE to protect your messages:
SMS (standard text messages)
This list includes some of the most popular messaging tools out there, tools which people depend on to speak securely for a wide range of reasons…but which fail completely.
Messaging services that support end-to-end encryption, but not by default
The following do have end-to-end encryption, but it is not on by default, so users have to poke around to find the option, or set it up with a third-party tool:
Allo
Gmail (add-on required)
Outlook (integrated and add-on)
See a name in either of the lists above that you use? What sort of information have you shared over them? Banking, health, sexuality, personal problems…anything else you don’t want people to know about? All of the messaging apps above are vulnerable in some way.
These apps fail their users in some way, but there are much more secure options. Sky ECC was built with 521 bit ECC end-to-end encryption on by default as a basic feature—we think anything else isn’t secure. Here are other features which offer protection that the above messaging tools come nowhere near equaling:
A secure global network of servers with always-on security
Metadata encryption using 256 bit AES
Hardware and operating system protections
Mobile device management which protects lost devices
Sky ECC is dedicated to securing your communications in ways that other apps simply are not. Contact a representative right now to see how we can help you in your specific situation.