Saturday, June 30, 2018

Encrypted Messaging is Essential - But It Isn't Magic


An article in Wired (June 14, 2018) points out that Encrypted Messaging is Essential - But It Isn't Magic. 

"ENCRYPTED COMMUNICATION USED to be too complicated for mainstream use, but approachable apps like WhatsApp and Signal have become a no-brainer for digital privacy. With all of their security-minded features, like disappearing messages and identity-confirming safety numbers, secure chat apps can rightfully give you peace of mind. You should absolutely use them. As the adage goes, though, there's no such thing as perfect security. And feeling invincible could get you in trouble.

"Good OPSEC will save you from bad crypto, but good crypto won't save you from bad OPSEC" warned security researcher The Grugq.

While end-to-end encryption is a vital privacy protection that can thwart many types of surveillance, you still need to understand the other avenues a government or attacker could take to obtain chat logs. Even when a service works perfectly, factors like where messages are stored, who else has received them, and who else has access to devices that contain them play an important role in your security. If you're using encrypted chat apps as one tool in your privacy and security toolbox, more power to you. If you're relying on it as a panacea, you're more at risk than you realize."
--

Yes, always encrypt. Woe betide whoever transmits plaintext. But just because the content of your message is protected by encryption doesn't mean that your communications can't be compromised. Your security plan must include more than just encryption. What happens if the person with whom you are communicating betrays you? What happens if your computer or smartphone is seized or stolen? Is everyone using a strong pass-phrase to protect access to messages? Are you sure?

Everyone's threat model is different, and it is likely that your future threat model will be different from your threat model today, because things change over time. Develop not only a security plan, but also a security culture that helps to protect you against a variety of possible threats.
--
 
