Real people don't (just) need encryption


Earlier this month, UK Home Secretary Amber Rudd idiotically insisted that "real people" don't need encrypted messaging apps; but as foolish a statement as that was, there was a kernel of truth to it.

Because real people don't just need encrypted messaging apps that offer end-to-end protection, they also need end-point security — the kinds of thoughtful design and expedient updating and transparent code that enable them to defend their devices from attackers who gain access to their messages by compromising their phones and computers.

Computer scientist Megan Squire writes in The Conversation that "Inventing new ways to protect our digital endpoints without reducing their usefulness is very challenging, but some new technologies just over the horizon might help."


Suppose a criminal organization or bad government, EvilRegime, wants to spy on you and everyone you communicate with. To protect yourself, you've installed an end-to-end encryption tool, such as Signal, for messaging. This makes eavesdropping – even with a court's permission – that much more difficult for EvilRegime.

But what if EvilRegime tricks you into installing spyware on your device? For example, they could swap out a legitimate upgrade of your favorite game, "ClashBirds," with a compromised version. Or, EvilRegime could use a malware "network investigative technique" as a backdoor into your machine. With control of your endpoint, EvilRegime can read your messages as you type them, even before they are encrypted.

To guard against either type of EvilRegime's trickery, we need to improve our endpoint security game in a few key ways, making sure that:

* EvilRegime isn't masquerading as the company that makes "ClashBirds" when we install our software.

* No one has tampered with our "ClashBirds" app before or after installation.

* The app doesn't have any backdoors or security holes that could be exploited by EvilRegime after we install it.

In addition, it would be ideal if users could control their apps' security themselves, rather than having to rely on app store security provided by yet another vulnerable corporation.

End-to-end encryption isn't enough security for 'real people'
[Megan Squire/The Conversation]


(Image: johnnymip, CC-BY)