As surveillance and intrusions into our online privacy become an increasing threat, the demand for answers as to their protection arise, but still allude most people. Many look to the apps that they use, thinking that these will protect their privacy, but they often one of the parts of the problem. Not the solution. End-to-end encryption (E2EE) to protect messages is essential when it comes to privacy. But the problem is that many people do not understand what E2EE is or misunderstand what it does. And when it is talked about, it is often misunderstood or with controversy. In reality, E2EE allows for the user to be properly protected online, making sure your information is secure. But many people fail to see how vital it is, or why it is needed. In this post, we are going to explore E2EE, to help you fully understand how it helps protect against dangers and why it is something you definitely need.
Understanding end-to-end encryption
Secret codes have existed for millennia. Someone creates a message in this code, then teaches others how to understand the code so they can decipher the code. Sharing with the “key” so to speak. Now in the 21st century, we send coded messages through the internet.
The codes used today are far more complex then ones used thousands of years ago, like the Caesar Cipher above, using algorithms and long electronic chains of numbers at the “keys”. The method that is used today to create encrypted messages is public-private key exchange. With this only your public key can be used encrypt messages and the private key does the opposite, decrypting them.
To understand a bit more about encryption, you can check out our post on encryption myths. For this post, however, we are looking at messages being encrypted, and staying encrypted until they get to the receiver. For many years only a few people, the most tech savvy, used E2EE, but in the last decade major strides forward in both hardware, software and the quantity of apps available have allowed for it to be available to all. The diagram below helps show how the process works:
With the support of E2EE, the message begins with the sender, who’s public key then encrypts the message. With it now encrypted, the message is indecipherable whilst travelling. Only the receiver can understand it when their private key decrypts the message for them to read. Only the sender and the receiver can read what is being said. E2EE should always function like this.
We see more and more data breaches, far too regularly
Rewind a few years and headlines such as “the worst security breach of all time” would occur every so often, the article be gripping news. Now, we have major breaches every year. If you are looking for cases, you will be overwhelmed with the options. Many of these could have been mitigated with E2EE and of the worst, we are going to have a look:
- Yahoo: 3 billion accounts were hacked in 2013, which was every single account at the time on Yahoo, as names, password, dates of birth and email addresses were all completely compromised. Yahoo’ sale price is believed to have taken an estimated $350 million price drop from this.
- FriendFinder Network: Over 412 million users were impacted as 20 years’ worth of data was stolen from the network. This included Passwords, Names and email addresses.
- MySpace: Originally one of the main communication tools online, it saw 360 million accounts breached. It is unknown when this happened exactly but is believed to have been somewhere in the mid-2000’s. it was not until 2016 this was discovered.
- WhatsApp: From WhatsApp’s voice calling feature, spyware was injected into a undisclosed number of users devices. Amongst the victims of this was human rights lawyer who was aiding four journalists to mount a legal cases against a NSO Group. Who coincidently were the same creators of the attack tool. Users were urged by WhatsApp to update when they released a new patch to the app.
- Snapchat: Using 3rd party apps, hackers has been able to steal videos and photos for years, before they released an entire 13GB database containing everything that had been sent by users during that time. It was found that 4.6 million users had their phone numbers exposed from the leak.
All of these are, or at the time were, popular tools used for messaging and thanks to poor encryption, they were majorly comprised. Regular people were hit by this hack and it had extreme consequences including multi-million-dollar lawsuits.
So how do hackers steal our data?
Most of us know that we communicate and message information to sources that we consent to. We are happy for them to receive the message we are sending them. The question is how the hackers find a way to get in between, how they can intercept the message at the middle point. There are some common techniques used:
- Fake Wi-Fi hotspots: Simple put, a hacker will cr4eate a Wi-Fi hotspot that appears to be completely genuine, but in fact is being used to harvest unencrypted data that is being sent over the network.
- Getting in between: Utilizing a tool that can put them between you and the internet connection, hackers can collect data, such as passwords, messages and the sites that you visit.
- Eavesdropping via Networks: Using network administrator tools, they are re purposed to record data packets, which by using a packet analyzer, can be listened to.
- SS7 hacks: A major vulnerability in 3G networks, it allows for hackers to steal data when in transit from mobile networks. And this has been around for 50 years
- IMSI catcher: This involves creating a fake tower, from which phones will try to connect to automatically as they think it is real. Unencrypted traffic can then be stolen by hackers over the network. These include text messages and voice calls.
E2EE stops any of these from happening as it makes sure that the hackers have no way to read the message. Yeah, they could intercept tit, but they have no idea how to read it and cannot gain any useful data from it. All they will find is ciphertext created by the apps encryption. To decipher messages with the current standard of encryption algorithms, it takes billions of years in computing time, maybe even more. And this is for one message.
Who is the protection for? Who needs it?
So, we have talked about what you are protected from, but what about who needs this protection? When you have nothing to hide, surely you do not need this? Well, maybe this applies to you, but for other people this level of protection is needed:
- Whistleblowers researching and investigating corruption
- Lawyers communicating with clients
- Journalists researching stories and protecting sources
- Doctors and any other profession where they have access to medical records
- Celebrities discussing anything from upcoming projects to their everyday life. The News of the World scandal demonstrated how targeted and vulnerable they can be.
- Politicians in every aspect of what they discuss privately
- Stores communicating to consumers, especially if this contains personal details
- Executives and high-ranking employees. This applies doubly so when working or travelling to areas where internet surveillance is a common occurrence.
The News of the World was massive, and it was all centred around phone hacking and insecure messaging:
If any of the victims had encrypted end-to-end protection, their messages would have been safe, and they would not have been at the mercy of corrupt journalists and investigators. With a 521 bit ECC encryption, SKY ECC is resilient and invulnerable to the attacks listed. Many assume that their data will be protected by most apps they use, but none of these can or will provide the same high level as the security features with SKY ECC. You do not have to be a prominent politician or a celebrity, we all have the information we want to keep secure and private. Financial information is a great example, and it does not just apply to the bank. This also includes sensitive information sent to accountants, much of the personal details that need to be sent can be taken to commit identity fraud. From this, medical fraud can be committed, false tax returns could be submitted, and even credit cards being opened under your name. And the consequences fall at your feet.
Too much trust in messaging tools
Consider the sites and apps that you use. How much information do you share, keep and send there? You would assume that as these sites need a password to access, this would mean your information and details are safe. It is anything but. Some of the biggest names in messaging apps do not use E2EE to kee your messages secure:
- AOL email
- Yahoo email
These apps are used by millions to communicate, often on extremely personal or confidential matters, who uses it to speak securely. And these apps completely fail them.
Some apps support E2EE, but not as a default
The next list contains those that have and use end-to-end encryption, but they are not engaged as a default. This means that the users must search it out in the options or turn it on via a third-party tool.
- Outlook (Add-on and integrated)
- Gmail (Requires an add-on)
- Facebook Messenger
Any of these names familiar to you, an app or service that you use? Have you exchanged details over them? Medical, personal, financial information, anything that you wouldn’t want other people to know of? Each of the apps listed have some form of vulnerability, that leaves your security compromised.
However, messaging apps that can provide security and privacy do exist. With a 521 bit ECC end-to-end encryption built in as basic, we believe that SKY ECC offers what you need. To make sure that your communications are secure, we provide many features other messaging apps would fail to provide or equal, such as:
- 256 bit AES for Metadata encryption.
- A global network of servers, supported with always-on security
- Operating systems and hardware protections
- Mobile device management, to protect lost devices
At SKY ECC, we want to make sure you have the privacy and security on your communications that you deserve, a level which other apps cannot provide. For whatever your specific situation is, contact a representative today to see how we can help.