What is end-to-end encryption
Secret messages have been sent for centuries. Someone will invent a secret code, share the “key” to unlock the code, and their secret messages can be sent securely between them. This isn’t anything new. What is new is sending secret, coded messages via computers over the public internet.
Secret codes today are powered by powerful algorithms with the “keys” being electronic strings of numbers. They’re far more complicated than the first secret codes like the Caesar cipher, seen above, used by Julius Caesar for his private messages. Today we use a method called public-private key exchange to create encrypted messages. Your public key can only be used to encrypt messages and your secret, private key is the only thing that can decrypt the messages.
You can read more about encryption in our post about encryption myths, but for this post we’re looking at making sure when you encrypt a message, it stays encrypted from sender to receiver—from end to end.
For decades only the most technical of users could use E2EE, but in the last ten years a number of apps have made it easy to implement—including Sky ECC. How this process works is best explained in the diagram below, where we imagine a very common need for encrypted messages: when someone needs to speak to a divorce lawyer.
In this example, Wade writes a message to his divorce lawyer, Vanessa, with an app that supports E2EE:
- He uses Vanessa’s public key to encrypt his message.
- The message becomes encrypted cipher text which is indecipherable during transport—except for Vanessa who has the private key.
- When the message gets to Vanessa in her app, the message is decrypted with her private key and she can read the message.
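The three steps above, as an added example (not code from the original post or from any app it mentions): an ElGamal-style hybrid scheme built only from Python's standard library, which goes slightly beyond the text by using a fresh one-time key per message and an integrity tag. The group parameters, the SHA-256 keystream and all function names are assumptions chosen for illustration, not production cryptography.

```python
import hashlib, hmac, secrets

# Demo-only group (an assumption of this example): the prime 2**255 - 19, g = 2.
# Real messengers use vetted primitives such as X25519 with an AEAD cipher.
P, G = 2**255 - 19, 2

def keypair():
    """Return (private, public). Only the public half ever leaves the device."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _derive(shared):
    """Split the shared secret into an encryption key and a MAC key."""
    raw = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def _xor_stream(key, data):
    """XOR data with a SHA-256 counter-mode keystream (stand-in cipher)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(recipient_pub, plaintext):
    """Sender side: needs nothing but the recipient's public key."""
    eph_priv, eph_pub = keypair()  # fresh one-time key for every message
    enc_key, mac_key = _derive(pow(recipient_pub, eph_priv, P))
    body = _xor_stream(enc_key, plaintext)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return eph_pub, body, tag  # this envelope is all the network carries

def decrypt(recipient_priv, envelope):
    """Recipient side: recompute the keys with the private key, verify, decrypt."""
    eph_pub, body, tag = envelope
    enc_key, mac_key = _derive(pow(eph_pub, recipient_priv, P))
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong private key or message altered in transit")
    return _xor_stream(enc_key, body)

def demo():
    """Wade -> relay -> Vanessa, using a constructed sample message."""
    vanessa_priv, vanessa_pub = keypair()
    message = b"Can we meet Tuesday to go over the paperwork?"
    envelope = encrypt(vanessa_pub, message)   # happens on Wade's phone
    on_the_wire = envelope[1]                  # what a relay or sniffer captures
    return message, on_the_wire, decrypt(vanessa_priv, envelope)
```

Decrypting with any other private key, or after a single byte of the envelope has been changed, raises ValueError instead of returning text.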
What does real encrypted text look like?
I put a secret sentence, with a fun message for you to solve, into this website which simulates the German Enigma encryption machine and got the following encrypted text out:
GWAT DKNV KUQA MXZH QKPK TWPL RHAJ VCXF RZXY JQYF G
Modern encryption is much more complicated, creating encrypted text many times longer than the original, but the above is a good example. You don’t know the settings I used to encrypt the text above yet, so you won’t be able to decrypt the message. Want to be a super-cool cryptographer? Here are my settings from above so you can decrypt the message:
Why do we need end-to-end encryption?
The example above, with Wade and his divorce lawyer Vanessa, was just one of thousands of real-life scenarios where E2EE is essential. It’s important to have encryption from end to end because anyone monitoring the network you send messages over can read unencrypted messages. This can include:
- Hackers looking for private data to exploit
- Service providers who want to collect data for ads (as Facebook and WhatsApp do)
- Governments looking to suppress protests or dissent
- Criminals trying to suppress journalists and free speech
- Rival companies doing corporate espionage
Data breaches happen all too regularly
I remember a time when online security journalists, like myself, would write posts on “the worst security breaches of all time” for some good content. Now when we write about the worst security breaches of the past year alone we are overwhelmed with choices.
Let’s narrow it down a bit and look at the worst data breaches which could have been mitigated with end-to-end encryption:
- Yahoo: All 3 billion accounts which existed in 2013 had their email addresses, names, dates of birth, and passwords compromised. It is estimated that this caused Yahoo’s sale price to drop by $350 million.
- FriendFinder Network: 20 years’ worth of data was stolen, impacting over 412 million users, including names, email addresses, and passwords, from the network which included chatting/hookup app Adult FriendFinder.
- MySpace: One of the biggest early communications tools online, over 360 million accounts were breached. It is thought that this occurred in the mid-2000s and wasn’t discovered until 2016.
- WhatsApp: An undisclosed number of users had spyware injected on their phones via WhatsApp’s own voice-calling feature. One alleged victim was a human rights lawyer helping four journalists and dissidents mount legal cases against NSO Group…who just happen to be the creators of the attack tool. What a coincidence, eh? WhatsApp urged users to update to a new version that was released with a patch.
- Snapchat: Hackers were able to steal photos and videos from 3rd-party apps for years before releasing a 13GB database of everything that had been sent by users through the app during that time. This was bad, but was part of a general trend of insecurity as it was also found that 4.6 million users had their phone numbers exposed through a leak.
How the heck do hackers steal data?
Most people understand that they send and receive information from the sources which they consent to. The mystery is how a hacker puts themselves in the middle of these communications and steals them, or takes them after the fact. There are a few common techniques:
- Evil twin and fake Wi-Fi hotspots: This is when a hacker sets up a Wi-Fi hotspot that looks like it should be legit, but is instead used to collect unencrypted data sent over the network.
- Man-in-the-middle: Hackers use a tool to put themselves between you and your internet connection, allowing them to collect data—like messages, passwords, and the sites you’re visiting—and harvest it for information worth money to criminals.
- Network eavesdropping: Legitimate network administrator tools are used to sniff and record data packets which are then listened to with a packet analyzer.
- SS7 hacks: Used for over 50 years, this is a vulnerability in 3G networks which allows hackers to steal data in transit using these mobile networks.
- IMSI catcher: A cellphone tower attack where a fake tower is created and phones connect to it automatically believing it’s real. The hacker can then steal any unencrypted traffic sent over the network—like voice calls and text messages.
Who needs to be protected?
Those are who we need to be protected against, but who needs this protection? You have nothing to hide…right? Well, maybe you don’t, but these people certainly do:
- Whistleblowers doing research on corruption
- Journalists protecting sources and researching stories
- Celebrities discussing upcoming projects—or just their everyday life; the News of the World scandal showed us how vulnerable they were
- Lawyers speaking with clients
- Doctors and all others with access to medical records
- Politicians in all aspects of what they say privately
- Executives and other high-ranking employees of corporations, especially when travelling to places where internet surveillance is commonplace
- Stores communicating with consumers
- Sending information back and forth to your accountant, or the bank for a mortgage, involves sensitive information.
- Much of the information transmitted could be used to commit identity theft and fraud.
- Credit cards can be opened in your name, medical fraud can be done, phony tax returns can be submitted, and you’ll be on the hook for all of it.
Misplaced trust in messaging tools
Getting back to your everyday life, think about the apps and sites you use. Think about the information you send, share, and keep there. You probably assume that because you need a password to get into the account, your information is safe. Sadly, that isn’t the case. Just looking at messaging apps, here are a few you might use that don’t use E2EE to protect your messages:
- SMS (standard text messages)
- Yahoo email
- AOL email
Messaging services that support end-to-end encryption, but not by default
The following do have end-to-end encryption, but they are not on by default so users have to poke around to find the option, or set it up with a third-party tool:
- Facebook Messenger
- Gmail (add-on required)
- Outlook (integrated and add-on)
- A secure global network of servers with always-on security
- Metadata encryption using 256 bit AES
- Hardware and operating system protections
- Mobile device management which protects lost devices