Communications security does not start and end with ‘encrypted’
When we discuss end-to-end encrypted (E2EE) messaging on this blog, we talk about how it is definite feature for any communication service or app. However, we often only briefly touch upon the details and specifics when it comes to encrypted messaging. What parts are the most important to think about? What does each part of the app do? It may seem that once your messages are encrypted, they are safe, nothing more to think on. In reality, it is more complex. There is more to it than just encryption and not all E2EE apps are equal. Without looking deeper, you could potentially find yourself sharing private information. We have posts on secure messaging landscape, if you wish to learn more, as well as the major apps in the field hold up and how SKY ECC does in comparison. To help you make sure you do not find yourself in trouble, here is seven myths about E2EE that are often believed and really shouldn’t.
I have nothing that I need to hide so I don’t need encrypted messaging
This one gets said a lot. I’m not doing anything that would have someone read my messages. I’m not a major figure so why would anyone try to access my messages? Consider it like this, when you ring up bank, or you phone your doctors would you be comfortable with someone else listening in? You definitely would. This expectancy of a high level of privacy when talking on the phone that means companies have to tell you that the call could potentially be recorded for training purposes and/or quality assurance. With phone calls, you expect that level of privacy that nobody is listening in.
So why should chatting online be seen as different? By encrypting your messages, it means you keep your messages private. Party line phones are no longer used, so think of an unencrypted chat as an electronic party line. You have no idea who may be listening to what you say.
I don’t need encrypted messaging, I’m connected by HTTPS.
Next time you look up at the top of the screen at the search bar, see if you have the lock present (or whatever version it may appear as). This is HTTPS and it means you are safe and protected from any prying eyes. In fact, Google sees HTTPS as so essential that every website has to use it or be penalized with search rank penalty. Because of this, almost all websites will have the lock symbol, meaning they use HTTPS.
Sounds great right? Nothing to worry about? Not exactly. HTTPS keeps your connection covered from you to the server (An example would be from you to your bank). As it goes through, it is encrypted and as it gets to the server it is decrypted. This is not bad or insecure. This is how it is supposed to work. The bank, or whoever you sent the information, their website has to decrypt it for it to function properly.
As it protects your information as it comes and goes, HTTPS makes ure no one will be able to look in at your information, such as passwords, financial details or card numbers. This is essential protection, but it does not show the entire picture. Here is two examples:
- With Gmail, HTTPS protects the connection, meaning that should someone intercept the data, they would be unable to read your password or messages. However, once stored on the server, they are unencrypted. All it needs for someone to read your messages is to access the email server. And yes this does mean that your emails can be read by Google and yes, they do use the contents of these emails to specifically target emails to you.
- Facebook Messenger also uses HTTPS to make sure the connection is protected. However this does not mean that both the conversation and connection are encrypted, just the connection. To have your conversation encrypted, you must switch to private messaging. And yes, Facebook also uses your conversation and group chats to do ad targeting.
HTTPS is a good start, but there is far more to encryption.
I have a VPN and I don’t use public Wi-Fi
That is a great move! Having a VPN, one with Wi-Fi connections, and staying away from using public Wi-Fi sources, be it at home or at work are two good ways to help keep yourself protected from intrusions and prying eyes. Sadly though, a VPN won’t keep your messages protected. Much like HTTPS above. The steps taken here will only help protect the connection to the server, it does not cover the messages. And when it comes to the VPN, are you using it for your tablet, laptop and smartphone? We each have a ‘security chain’ and we sometimes forget to make sure each link is protected. Making sure you protect your connection is important, but it does not mean you have completely protected your information and messages. But passing on free Wi-Fi and employing a VPN is a great step to keeping yourself protected online.
E2EE means that no one can read my messages
This would be fantastic if it was every time, but it sadly is not. It is supposed to be that way, with you and the person you are talking too the only ones who can read the messages. However, there is a problem to this. Your personal private encryption key. We will talk about the basics of public key cryptography at another time, but for now, think of it like this:
You and a friend want to exchange messages securely. You send them a box with an open padlock, keeping the key with yourself. They write their message, place it inside the box and lock the padlock. It is sent back to you and you then open it with the key and have the message.
Your private key works exactly like the key in the example. However, now imagine that there are two keys for the padlock. You have one, but there is also one with the local post office. Now under no circumstances do the post office touch the key. The only reason it is needed is if law enforcement decide they want to open the box and come with a warrant. With that, the police can now open it and read whatever message is in side without you knowing.
Whenever private keys are stored by a company, they could be compelled to hand these over to law enforcement. And with that, the privacy of your messages is instantly stripped away. In certain countries, like China and Russia, the governments force companies like Apple, Facebook, Microsoft and Twitter to store said keys for every one of their citizens using the sites within the country. Whilst this may seem like it only applies to users living in those countries, it effects much further. If you message someone in Russia or China, the messages could potentially all be read whilst in transit.
Nobody can tell who I am talking to
To get a message from the sender to the receiver, certain information is added on that is not encrypted by your private key. This is so the server can know who should which messages. This information, along with others such as your local time, IP address device information and the date are all called ‘metadata’. And whilst this information may be encrypted on the way to the server, it is not when on the server. Most private communication apps keep this metadata, only a few make sure not to retain it. As talked about in a previous post, Metadata can be used to paint a frighteningly accurate picture of who we are, what we do and who we talk to.
Already, companies are using Metadata to target users with adverts. Back in 2018, Facebook, which also owns WhatsApp and Instagram, announced it would start targeting adverts to users from what their metadata told them. Law enforcements also have had access to these databases. For an E2EE app to be secure, it needs to encrypt the metadata when it is in transit and make sure it is destroyed when delivered.
All of my files, photos and backups are protected as well
Yes. And also no. See, when sending files and pictures, they will be encrypted. The only person who will be able to read them is the person receiving them. However, with certain apps, stored files and images are not protected. One of the apps in question is WhatsApp, which takes all photos sent by you saves them automatically to the photo app on the device. To stop this from happening, you have to manually disable it within WhatsApp so that photos and files do not leave the app.
Backups are also a problem, as they are often stored on your device unencrypted when they are backed up. WhatsApp is one of the messaging apps guilty of this. With this, it does not matter if end-to-end encryption is being used. If the other person in conversation has message backups, then the messages are no longer encrypted.
There is no real difference between each app, they are all the same
At a first look, yes. E2EE messaging apps are designed to keep your messages secure from when they are sent from the device, to when they arrive at the receiver. Though as you have probably realised, there is more than meets the eye when it comes to end-to-end encryption apps. To be certain that your messages are secure and private, there are several things that are a must for an app:
- Makes sure that metadata, message and attachments are encrypted in transit
- Utilize encryption algorithms, that are strong and have no backdoors
- Make sure that private keys are not stored on servers, as they should be kept on the device
- Make sure no messages are stored on servers
- To keep the amount of metadata used to the smallest possible amount and to use no personal identifiable information.
- Whilst it is safer to not have them backed up to make sure that messages that are backed up are securely encrypted.
However, these are the minimum of what an E2EE app should do and how to keep messages private. We believe it is also important to:
- Have secure device with both software and hardware protections from tampering
- Make sure the app is installed within a protected container, to help ward off eavesdropping software and malware
- Have all communications encrypted at all times. Along with this, making sure the connection runs through a anonymizing gateway that is secure
- Making sure that usernames have no personally identifiable information (PII), such as a phone number or an email address
- Have round the clock support whenever the need arise
There are more features that are in SKY ECC that we could put here, but this can give you a picture. Secure and private communications is something we take extremely seriously and we believe that communicating easily, simply and privately is what everyone should be able to do.