Don’t need to explain what encryption is, just use it!
By Benjamin Cher May 20, 2016
- Encryption: The good, the bad, and the myths
- Data is secure only in transit, not at the endpoint
THANKS to that ‘little flap’ between Apple Inc and the US Federal Bureau of Investigation (FBI), data privacy and encryption – and the tense standoff between governments and industry – have been thrust into the spotlight recently.
This was really brought home to the consumer when WhatsApp introduced end-to-end encryption for its extremely popular messaging service, a move lauded by Alexander Gostev, Asia Pacific chief security expert at Kaspersky Lab.
“This is a really big and great thing, because enduser-to-enduser encryption was the biggest problem in the past for messaging services,” he told Digital News Asia (DNA) in Singapore recently.
“The problem was a man-in-the-middle attack, when you have a connection with another user – all your communications and messages through the server can be intercepted.
“Law enforcement agencies, governments and criminals with access to the server can then read your communications,” he added.
Gostev said he hopes to see encryption in other popular messaging services as well.
The encryption myth
While encryption might prevent people from snooping on your conversations, it does not guarantee privacy, Gostev warned.
“Let’s say you lose your account and you download your logs off the server – if you use encryption, all these messages will be encrypted.
“The only way to get access to the messages is a direct attack on the endpoint, and that can be a laptop or mobile phone; if someone has access to the device, he or she can read everything,” he said.
More mobile malware is coming into the ecosystem, and Gostev warned that a malicious app can also get access to encrypted or unencrypted information at the endpoint.
“It is possible to install a malicious app on a mobile phone and get access to all the information – encrypted or unencrypted, it doesn’t matter,” he said.
“That’s the way for cybercriminals and governments if they want to get access to communications – they can’t read messages on the server, but they can read messages from endusers,” he added.
Encryption will be ubiquitous
So it’s not as easy and all that. How does one explain encryption – its benefits and its limitations – to the layperson?
Don’t bother explaining it, just use it, Gostev (pic) declared.
“For example, five years ago, none of the popular social media services ever used HTTPS, and any hacker could do a man-in-the-middle attack, where traffic between servers was unencrypted.
“Now every service has implemented HTTPS and SSL (Secure Socket Layer) communications, and there is no need to explain to the people what it is – you see a green lock when you type in the URL,” he added.
Having encryption on default should be extended to messaging services as well, Gostev argued.
“People should know it is encrypted by default, there should be no need to enable it,” he said.
Email next
While messaging services might be flipping on the encryption switch, Gostev believes that email should be the next frontier.
“The most popular method of business communications is email, and we don’t have any good email encryption service,” he said.
“The only one real example is ProtonMail, but we need to do something on a larger scale, like Gmail or YahooMail, because everyone needs encryption,” he added.
Email remains a weak point, and it is a critical weak point in today’s environment of increasing cybercrime and cyber-espionage.
“We are seeing new cases of attacks against businesses and governments, and hackers trying to steal email conversations,” said Gostev.
Related Stories:
The global encryption war begins
Encryption genie is out of the bottle: Ex-NSA director
What the Hillary Clinton email issue tells us about mobile security
Trend Micro on how terrorists are abusing online tools
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.
