No, end-to-end encryption is not a marketing gadget




There are bad takes, and then there are bad takes. Bloomberg Opinion columnist Leonid Bershidsky offers an example: he thinks that today's WhatsApp security issues prove that end-to-end encryption is "a gadget" and "largely useless".

WhatsApp is one of the largest messaging applications on the market. To put Bershidsky's comments into context, it emerged earlier in the day that it was possible to use weaponized phone calls to install malware on a target's phone. The Facebook-owned company has since released a patch that users are encouraged to install as soon as possible.

WhatsApp, like many messaging applications, uses end-to-end encryption, which ensures that an intermediary cannot spy on what is being said. Bershidsky's argument, roughly summarized, is that while WhatsApp remains vulnerable to further attacks, end-to-end encryption is nothing more than a "marketing device" designed to "appease" consumers wary of cyber surveillance and give them a false sense of security.

As far as I know, Bershidsky has no training in cybersecurity or computer science. If he did, he probably would not have embarrassed himself so publicly. And indeed, the IT security community has been delighted to pile on him through its favorite medium, Twitter. It is important that his arguments, misleading and technically inaccurate, do not go unanswered.

First, let's examine his critique that the term "end-to-end encryption" is a "marketing tool".

This is not the case. Damn, it's not. I do not know what else to say here. It is a technical term with a very precise definition, universally accepted. It's just not subject to debate.

Bershidsky's argument is based primarily on the fact that applications that use end-to-end encryption are susceptible to other threats, such as zero-day vulnerabilities and sophisticated Israeli spyware. But the thing is, no credible person has ever argued that end-to-end encryption is a panacea for security. Rather, it addresses two serious security problems.

First, end-to-end encryption prevents an adversary in the middle of a connection from intercepting and analyzing the contents of data packets. If you send sensitive information over the public Internet, such as credit card numbers or customer information, you will want to protect it from prying eyes. And most importantly, it makes it almost impossible to intercept and analyze protected traffic at large scale.

The second problem that end-to-end encryption solves is that it makes it much harder for an adversary to launch session-hijacking attacks. If the data is sent unencrypted, an attacker on the same network could easily capture cookies, session cookies included, which would allow them to take over a user's account on a website or application, all without needing to log in.

It's not hypothetical. Before Facebook introduced default SSL in 2012, ensuring the protection of the connection between users and its servers, it was embarrassingly easy to take control of someone's account. There was even a Firefox plugin called Firesheep, released in 2010, which made it a one-click process.
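The exposure described above, a session cookie travelling over an unencrypted connection, is visible from a site's response headers. The following check is an added example, not part of the original article; the function names are hypothetical and the header values are constructed samples.

```python
# Added example: flag response cookies that could cross the network in cleartext.
# SAMPLE_* values are constructed for illustration, not captured from any site.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(scheme, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    names = {k.lower() for k, _ in headers}
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append("no HSTS: a first request may still go over http")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if scheme != "https":
            findings.append(f"{name}: issued over cleartext http")
        elif "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, also sent on http requests")
    return findings

SAMPLE_WEAK = [  # login over TLS, but the session cookie is not pinned to TLS
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=constructed-value-1; Path=/; HttpOnly"),
]
SAMPLE_HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=constructed-value-2; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, scheme, hdrs in [("weak", "https", SAMPLE_WEAK),
                                ("hardened", "https", SAMPLE_HARDENED),
                                ("plain", "http", SAMPLE_WEAK)]:
        print(label, audit_response(scheme, hdrs) or "ok")
```

A cookie without the Secure attribute is attached to plain http requests to the same host, which is the traffic a listener on a shared network can read.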

Do you need anything other than end-to-end encryption to ensure a secure user experience? Absolutely. But is end-to-end encryption a cornerstone of this secure user experience? Hell, yes.

Security is not a single product or application. You cannot buy security. It is the outcome of a lot of effort, big and small. At the risk of sounding like the narrator of an advertisement for Lincoln cars, it's a journey, and you never quite reach the end.

In conclusion, end-to-end encryption is important and Bershidsky's take is ridiculous. Even though the piece was clearly labeled as an opinion, Bloomberg should have known better than to publish a fundamentally misleading argument based on shaky technical grounds.
