Why We Need End-to-end Encryption

by | Jan 27, 2020 | Cybersecurity, Privacy | 0 comments

Get posts like this one in your inbox by signing up for our newsletter.

At the same time everyone is concerned with how companies use their data, we’re moving towards an era where virtually everything will be done in the cloud. No longer will we need expensive computers with tons of processing power, and no longer will we need to remember on which computer we put what document on. The future will be a time when you access every file you ever made from any computer anywhere in the world with an internet connection. While that sounds great, it also sounds a bit creepy; I don’t want some company having access to all of my documents and photos, but at the same time, I really want the convenience that comes with that. Luckily, this is possible, and the technology to do that exists right now: it’s called end-to-end encryption.

What is end-to-end encryption?

Simply put, end-to-end encryption ensures that only you can access your data, regardless of where it’s being stored. A simple example of this is if you password-protect a Word document, then upload it to Google Drive. Even though Google now has access to your document, they can’t access its contents because it’s encrypted with a password that they don’t have. Assuming that you used a secure password, no one except for you can access the contents of that document. This assumes, of course, that the version of Word you’re using doesn’t have any security bugs.

What About HTTPS?

Most websites today already encrypt everything in transit, using something called HTTPS (which in turn uses TLS). If you’ve ever wondered what the lock icon in your browser means, it’s there to let you know the site you’re visiting has securely implemented HTTPS. This ensures that everything you send and receive from the website is securely encrypted and that no one besides your browser and web server can see what’s going on*. However, this doesn’t protect your data once it reaches the server. Take uploading an image to social media as an example. While the image is being sent over the internet, HTTPS ensures it’s securely transferred. However, once it reaches the server, anyone with access to that server can view your image and possibly alter it.

Some services, such as iCloud Drive, will go a step further and encrypt your data at rest. Unfortunately, this doesn’t do much from a privacy perspective as Apple knows the encryption keys. What it does help with is situations in which Apple doesn’t own the servers being used. As with many other online services, Apple utilities servers hosted in other companies data centers, such as Amazon’s. By encrypting the data with a key only Apple knows, they prevent Amazon from accessing your data.

About That Asterisk

* This assumes that you’re using a computer you trust. Public computers, such as library computers, may be configured to use a proxy server. These proxy servers can then assist in tasks like web filtering. If the network were to direct your laptop to a proxy server, your browser would display a big red warning. When you use a public computer, its administrators can configure it to not show this warning. In the latter case, your connection is not truly secure, as anyone with access to the proxy server can view and alter the contents any websites you visit.

Websites Don’t Know Your Password

I know this seems unrelated now, but I promise it will make sense in a bit 🙂

Google, or any other online service, doesn’t (or at least shouldn’t) know your password. Instead, they have what’s called a hash of your password, which looks something like this:

 $2y$10$e6Xu11dpZQ13QMa.2Fu.guX0uiDUzrIr3x.rofsf8DUtAbItG0r02

Can you guess the password? The answer is “abc123”, which can only be found through a brute force attack. Anyways, what’s really cool about hashes is that they only work in one direction. The same input will always result in the same hash, but you can’t get the input from the hash.

Further securing things is the use of something called a salt, which is a unique jumble of data added to each password. This protects against rainbow tables, which are basically lists of passwords and their hashes. Since each password has a unique salt, two instances of the same password results in different hashes. As such, rainbow tables are pretty worthless if passwords are properly hashed.

How This Relates To End-to-end Encryption

One of the problems with implementing end-to-end encryption is that users still want a seamless experience. Needing to encrypt each document individually is too time consuming and too big a hassle. However, since websites don’t know your passwords anyways, the password you use to log in could also be used to encrypt files. As long as the encryption happens before the data is sent, only you can decrypt it. This would not alter your experience in any way, while also ensuring that only you have access to your data. However, encrypting data locally comes at the cost of performance, and it could makes sites like Google Drive unbearable to use on slower computers. An approach similar to this is already employed by password managers like LastPass without affecting the user’s experience:

Source: https://www.lastpass.com/security/what-if-lastpass-gets-hacked

Self-hosted alternatives to Google Drive, such as Nextcloud and Seafile, already offer end-to-end encryption, so it is possible.

What’s So Important About End-to-end Encryption?

Security breaches will happen, and there’s only so much companies can do to prevent this. End-to-end encryption is the best way to ensure that even if a breach occurs, your data is still safe. The beautiful thing about end-to-end encryption is that even if someone manages to download all of your data, and has access to the website’s database (i.e. they can see your password hash), they still can’t access your documents. Regardless of how high the bribes get, or how much a government is threatening to fine, as long as your password is secure, your data remains secure. In other words, the most important thing about end-to-end encryption is that the weakest link is your password, which you are in control of.

Newsletter

Sign up here to be one of the first to know when we publish a post, as well as other exclusive blog updates.