There’s more to communications security than saying it’s encrypted
We (and by “we” I mean techie people) talk about end-to-end encrypted (E2EE) messaging as a must-have feature in any chat app (or service like Facebook Messenger). But we gloss over the details of encrypted messaging: what all the parts of an app do and what’s really important to think about. We make it seem like “okay, your messages are encrypted, you’re safe” when the truth is a lot more complicated than that. Not all end-to-end encrypted messaging apps are created equal, and there’s a lot more to private messaging than encryption alone. If you don’t dig below the surface, you might unwittingly share private information. You can read more about the secure and encrypted messaging landscape and how SKY ECC compares to the competition on the SKY ECC blog.
Here are seven myths people believe about E2EE and how they get you into trouble:
1) I don’t need encrypted messaging, I don’t have anything to hide
I hear this one a lot: “Oh, I’m not that interesting, no one would bother reading my messages.” I suppose this could be true, but think of it this way: if you’re on the phone with your bank, would you mind if someone was listening in? You would mind, and it’s the expectation of privacy on the phone that requires companies to disclose “this conversation may be recorded for quality assurance and training purposes”. You expect phone calls to be private, with nobody listening in.
Chatting online isn’t any different. Encrypting messages means you’re keeping private things private. We don’t use party line phones any longer, and unencrypted chat is an electronic party line: you never know who might be listening in.
2) I’m connected by HTTPS, so I don’t need encrypted messaging
HTTPS, the secure version of HTTP, was once the main thing people needed to look for when shopping or banking online. The thinking was: if you see the lock (and all the variations that have appeared over the years), you’re protected. You’re safe and all is well in the world. That was ten years ago, and things are more complicated now. Google thinks HTTPS is so important to privacy that all websites, even a simple website, should use HTTPS or face a search rank penalty. This means today almost all the websites you visit use HTTPS (even if you’re not sending passwords or confidential information), protecting your privacy from prying eyes (for the most part).
So HTTPS good, HTTP bad.
We’re done then, right? Not so much. HTTPS only covers the connection between you and the server (for example, between you and your bank or you and your favorite online store). The information is encrypted on the way there; once it gets to the server, it is decrypted. This is how things are supposed to work. It isn’t bad or insecure: your bank has to decrypt the information for the website to do its job.
HTTPS protects information coming and going between you and your bank or a store so no one can snoop your passwords, credit card number, or banking information. This protection is essential but not the whole picture. Let’s look at two examples:
- When you use Gmail, the connection is protected with HTTPS, so if someone intercepted the data between you and Gmail, they should not be able to read your messages or password. However, all your emails are stored on the servers unencrypted, meaning anyone with access to the email server can read your messages. Yes, Google can read your emails and, yes, it uses the information in your emails to target ads to you within Gmail and elsewhere.
- Similarly, Facebook Messenger uses HTTPS to protect the connection, but this doesn’t mean your entire conversation is encrypted; it only means the connection is encrypted. Facebook Messenger conversations aren’t encrypted on the server by default (yet). You have to switch on private messaging for your conversation to be encrypted. And, yes, Facebook uses conversations for ad targeting, especially in group chats.
There’s more to encryption than just HTTPS, but it’s a good start.
3) I don’t use public Wi-Fi and I even have a VPN
This is great! Taking a pass on free Wi-Fi and using a VPN with Wi-Fi connections away from home or work are two great ways to protect yourself from prying eyes and intrusions. A VPN won’t protect your messages though. Like HTTPS above, these steps only protect your connection as far as the server, not the messages themselves. And are you using that VPN on your smartphone and tablet and laptop? We sometimes forget to secure all the links in our security chain. Protecting your connection is important to online security, but unfortunately it doesn’t completely protect your messages or information. Still, if you’re skipping free Wi-Fi and using a VPN (our favorites are in the link above), you’re taking an important step to protecting yourself online.
4) End-to-end encrypted means no one can read my messages
I wish this were always true, but sadly it isn’t. E2EE is supposed to mean only you and the person you’re chatting with can read your messages to each other. The key here is, well, a key: your private encryption key. Messages sent to you are encrypted so that only your private key can unlock them, which is why only you can read what’s sent to you. We’ll cover the basics of public key cryptography another time, but the easiest way to think of it is like this:
- You want a friend to send you a secret message.
- So you send your friend a box with a padlock and the padlock is open.
- You keep the key to the padlock with you.
- Your friend writes you a message, puts it in the box, locks the padlock and gives you the box.
- You take your key and unlock the padlock, open the box, and read the message.
The key in this example works exactly like a private key in encrypted messaging. Now imagine you have two keys to the padlock. You keep a key, but you also keep one at the post office. The post office isn’t supposed to ever use or touch your key, unless law enforcement officers come with a warrant and say “give us access to the key”. Now when you send that box back and forth, the police can open the box, read the message, and relock the box so you never know it was opened in the first place.
When a company stores your private key on their servers, they can be compelled to turn over the key to law enforcement. With that key in hand, your messages aren’t private any more—and you’d never know. In countries such as Russia and China, the government compels companies like Facebook, Twitter, Microsoft, and Apple to store private keys for their citizens on the servers in those countries. This is supposed to only apply to users living in those countries, but the truth is if you’re sending a message to a friend in China or Russia, some, or all, of the message could be read in transit.
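The padlock analogy and the "second key at the post office" can be shown in a few lines. This is an added example, not code from SKY ECC or any app named here; it uses a toy ElGamal-style scheme over a deliberately small prime with the Python standard library only, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy parameters, for illustration only: 2**127 - 1 is prime but far too small
# for real use. Production apps use vetted libraries and standard curves.
P = 2**127 - 1
G = 3

def keygen():
    """Return (private_key, public_key). The public key is the 'open padlock'."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _derive(shared, n):
    """Stretch the shared secret into a MAC key plus n keystream bytes."""
    seed = shared.to_bytes(16, "big")
    mac_key = hashlib.sha256(b"mac" + seed).digest()
    return mac_key, hashlib.shake_256(b"enc" + seed).digest(n)

def seal(recipient_pub, plaintext):
    """Lock a message using only the recipient's public key."""
    eph_priv, eph_pub = keygen()
    mac_key, stream = _derive(pow(recipient_pub, eph_priv, P), len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return eph_pub, ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def unseal(priv, box):
    """Unlock with a private key; returns None if the key does not fit."""
    eph_pub, ct, tag = box
    mac_key, stream = _derive(pow(eph_pub, priv, P), len(ct))
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, stream))

def escrow_demo():
    """Compare what the owner, an escrowed key copy, and a stranger can read."""
    owner_priv, owner_pub = keygen()
    escrowed_copy = owner_priv  # the second key "kept at the post office"
    stranger_priv, _ = keygen()
    box = seal(owner_pub, b"see you at noon")
    return {
        "owner": unseal(owner_priv, box),
        "escrow": unseal(escrowed_copy, box),
        "stranger": unseal(stranger_priv, box),
    }
```

The sealed box is identical in all three cases: nothing in it records which copy of the key opened it, which is why generating and keeping the private key only on the device matters.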
5) Nobody can tell who I’m talking with
In order for a message to get from you to your friend, it needs to have information tacked onto the message that isn’t encrypted with your private key so the servers know who should get what messages. This data, plus information such as your IP address, your device information, and the time and date, is called “metadata”. This information might be encrypted to and from a server, but not on the server. Some private messaging apps don’t keep this metadata on their servers, but a lot of them do. Metadata can be used to piece together who you talk with, when, and for how long.
Facebook, which owns Instagram and WhatsApp, has already announced it will be using metadata from all its services to target ads to users. Law enforcement has long had access to these datasets, and while metadata can’t expose your messages, it does provide a lot of context to your conversations. A secure E2EE app should encrypt the metadata in transit and destroy it once the message is delivered. We go into more detail on why metadata is important in this earlier post on the SKY ECC blog.
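To see how much the envelope alone gives away, here is an added example (not from any app's code base) run over constructed delivery records. It compares what a server that keeps full envelopes can reconstruct with what is left under the minimal-retention rule from the checklist later in this post; the usernames, addresses, and function names are all made up for illustration.

```python
from datetime import datetime

# Constructed sample data: envelopes a relay server could log for E2EE messages.
# Fields: sender, recipient, timestamp, source IP, ciphertext body. The body is
# unreadable to the server; every other field is plaintext to it.
ENVELOPES = [
    ("k7q2", "m9x4", "2024-03-01T22:14:05", "198.51.100.7", "9f3a51c2"),
    ("m9x4", "k7q2", "2024-03-01T22:15:40", "203.0.113.20", "04be77a1"),
    ("k7q2", "m9x4", "2024-03-01T22:41:12", "198.51.100.7", "c81d0e36"),
    ("k7q2", "t3w8", "2024-03-02T09:02:30", "198.51.100.7", "5a6670fd"),
]

def contact_graph(envelopes):
    """Who talks with whom, how often, and over what span, with no decryption."""
    graph = {}
    for sender, recipient, ts, _ip, _body in envelopes:
        pair = tuple(sorted((sender, recipient)))
        when = datetime.fromisoformat(ts)
        entry = graph.setdefault(pair, {"messages": 0, "first": when, "last": when})
        entry["messages"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return graph

def minimal_retention(envelopes):
    """Keep only each sending user's last connection time; discard the rest."""
    last_seen = {}
    for sender, _recipient, ts, _ip, _body in envelopes:
        when = datetime.fromisoformat(ts)
        last_seen[sender] = max(last_seen.get(sender, when), when)
    return last_seen

if __name__ == "__main__":
    for pair, info in contact_graph(ENVELOPES).items():
        print(pair, info["messages"], "messages over", info["last"] - info["first"])
    print(minimal_retention(ENVELOPES))
```

The first function rebuilds the whole conversation pattern from ciphertext-only records; the second leaves nothing that links one user to another.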
6) Photos, files, and my backups are protected too
Yes…and no. When you send pictures and files they are encrypted and can only be read by the people you’re sending them to. Except, depending on the app you’re using, the stored images and files might not be protected. For example, WhatsApp stores all the photos you receive to your device’s photos app automatically. Probably okay if you’re sending photos of your kids to grandma and grandpa, but maybe not if you’re sending other stuff to friends. Even if it’s something like getting a picture of a bank statement or receipt, you might not want that on your phone visible to all. You have to explicitly turn this feature off in WhatsApp to make sure files and photos don’t escape the secure confines of the app.
Message backups are related to photos and files because, often when messages are backed up (and WhatsApp is guilty of this), they are stored unencrypted on your device. It doesn’t matter if your conversations with someone were end-to-end encrypted: if your friend has backups enabled, those conversations might not be encrypted any more. This has come back to bite more than a few people when law enforcement gets a warrant to have access to those message backups.
7) All apps are the same, they all do the same stuff
On the surface, this is correct. End-to-end encrypted messaging apps make sure your messages are secure from when they leave your device until they get to the person you’re chatting with. However, as you’ve gathered, the devil is in the details. To be really secure, to make sure your messages are truly private, an app must:
- Use strong encryption algorithms without backdoors
- Encrypt metadata in transit
- Encrypt the message and all attachments in transit
- Not store your private keys on their servers (private keys should only be generated and stored on the device)
- Not store messages on their servers
- Limit metadata stored on the servers to only the bare minimum (list of active users with last connection, but not who they message), without personally identifiable information attached
- Store files securely on the device
- Encrypt message backups as well, if messages can be backed up at all (it’s safer if messages aren’t backed up)
Those are the bare minimums. We think it’s important to also:
- Use a secure device with hardware and software protections against tampering
- Install the messaging app in a protected container on the device, to protect against malware and eavesdropping software
- Encrypt all communications all the time. And better still, pass the connection through a secure, anonymizing gateway
- Be able to revoke messages and clear all chats from the device if needed with an emergency password
- Use random usernames without personally identifiable information (PII) like a phone number or email address
- Have 24/7 support when you need it
There are more features included in SKY ECC we could add here, but this gives you the picture. We take secure chat very seriously and believe everyone should be able to communicate in private simply and easily.