Take back control with end-to-end encryption

The other day I was thinking about how I could possibly explain the differences between encryption-in-transit and end-to-end/client-side encryption and show the importance of the latter and the realistic weaknesses of the former. Cue Scarlett Johansson in the movie Lucy (2014).

Image source: https://www.youtube.com/watch?v=nUfDN59PTvc

This is a scene in the movie where Lucy played by Scarlett Johansson has a briefcase handcuffed to her, she has no idea what the briefcase contains or what the combination is to open it. In the same scene, Mr. Jang (the recipient of the briefcase) gives Lucy the combination to open the briefcase. This is an example of end-to-end encryption.

End-to-end encryption

Image source: https://martin.kleppmann.com/2015/11/10/investigatory-powers-bill.html

Step back into the real world for a moment and imagine Lucy being your messaging app provider, for instance WhatsApp or Signal. They are responsible for getting the message from your phone, over the internet, and to the person you’re trying to message or send a picture to. Do they care about the contents of your message? No they don’t, they only care about getting it to the person you’re trying to reach. Therefore, their app encrypts your message before picking it up and trying to deliver it. The app on the phone of the person you’re trying to reach has a key. This key is used to decrypt the message you sent so the person can read it or view the picture you’ve sent. This key is analogous to the combination that Mr. Jang in the movie provides Lucy to open the briefcase. The contents of the briefcase are your message. Make sense?

We call this end-to-end encryption. See Fib. 1b, in the diagram below, the Service provider (i.e. WhatsApp or Signal) doesn’t have access to view your message in-transit between you and the person you’re sending the message to.

Encryption in transit

Let us visualise something a little bit different. Cue Dumb and Dumber (1994).

Image source: https://www.youtube.com/watch?v=7GSXbgfKFWg

It’s hard to imagine that anyone in the western world hasn’t seen this movie. For those that haven’t (no judgement), this scene depicts Nicholas (played by Charles Rocket) discovering that while the briefcase has been in Lloyd’s (played by Jim Carrey) possession all the money it contained has been replaced with IOU’s. There is a whole lot more to this story, and some may argue this isn’t the best comparison, however I’m going to run with it anyways.

This is a great analogy for what could happen if you don’t ensure that the message you are sending is encrypted end-to-end. This is an example of the service provider or messenger having access to the message they have been tasked with sending.

With the service provider having access to your message, you are putting the message at risk of being altered by the service provider, read, or even leaked through a data breach or some other data sharing agreement they may have.

On a daily basis, the majority of the online platforms and messaging systems you use fall under this model. Facebook messenger does not have end-to-end encryption enabled by default, but you can enable it.

An article on Recode last year written by Kurt Wagner, April Glaser, and Rani Molla has a great info graphic that shows which popular messaging apps and platforms are end-to-end encrypted and which are not.

Image source: https://www.recode.net/2017/4/15/15297316/apps-whatsapp-signal-imessage-hacking-hackers-messages-privacy

To be fair, Skype has apparently implemented an opt-in, end-to-end encryption feature since last year. Allowing Skype to move into the purple (or center) category.

Wrapping up

Hopefully you’re coming away from this article with a bit of a better understanding of the differences between end-to-end encryption and in-transit (between sender-provider-recipient) only encryption.

Going forward to protect our data, privacy, and security we should always endeavour to use services that provide end-to-end or client side encryption, it shows that an organisation knows that no matter how hard they try to protect your data there is a possibility of them being breached. By offering end-to-end or client-side encryption they are putting the power back in your hands as a consumer or user to protect your data, even from themselves.

Why does a provider need to have the ability to read the messages you send to your mother, wife, husband, partner, kids, and friends anyways?

If this was informative or an enjoyable read, I challenge you to Like & Share. If you have any thoughts, please don’t be shy and use the comment section below!

Originally published at https://www.linkedin.com.

Founder at Lockdrop | CISSP | AWS-SAP

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store