Encrypting is Easy but Authenticating is Hard!
Many people communicate through messaging apps like WhatsApp, Facebook Messenger and Viber, but how secure are they? Researchers have found that most users of popular messaging apps leave themselves exposed to fraud and other attacks because they don't know about, or don't use, important security options.
Just encryption is not enough!
Many, but not all, of the popular messaging apps offer “end-to-end” encryption, but that is only part of the process. Even assuming the encryption is turned on by default (and that is not always the case), there is also the authentication ceremony: verifying the encryption key of the person at the other end, so that you know it is really who you think it is. Most people don’t know about that step.
Researchers at Brigham Young University in Utah conducted a two-phase experiment. In the first phase, pairs of users were asked to share a credit card number. The researchers warned the users about potential threats and encouraged them to make sure their messages were confidential.
Only 14% of the users successfully completed the authentication ceremony! The others opted for ad-hoc checks such as recognizing the other person's profile picture or asking about a shared experience. Those checks are easy to fake or eavesdrop, which leaves the users vulnerable to a malicious third party performing a “man-in-the-middle” attack.
In the second phase, users were again asked to share a credit card number, and this time the researchers explained the authentication ceremony and stressed its importance. With that information, 79% of the users successfully authenticated the other party. Once the keys have been verified this way, nobody in the middle, not even the company providing the messaging app, can substitute its own keys and read the messages without being detected.
But there was a problem: the average time it took to authenticate the other party was 11 minutes. Most people just won’t take the time to do that.
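To make the point concrete, here is an added example (not code from this article or from any of the apps it names) that models a key exchange through an app's key server and the safety-number comparison the authentication ceremony performs. The Diffie-Hellman group, the key-server classes and the fingerprint derivation are assumptions of the example: the group is a toy, and the fingerprint is a simplified scheme loosely inspired by Signal's safety numbers, not the real algorithm. It shows that with a compromised server both sides still derive working session keys (encrypting is easy) while their safety numbers disagree, which only an out-of-band comparison reveals (authenticating is hard).

```python
"""Toy model of a messenger key exchange plus the authentication ceremony.

Added example, not from the original article or any real app. The Diffie-
Hellman parameters are a toy (assumption: not a standardized group) and the
safety-number derivation is a simplified scheme loosely modelled on Signal's.
"""
import hashlib
import secrets

P = 2**255 - 19   # toy modulus for illustration only; real apps use X25519
G = 5


def keygen():
    """Return (private, public) for toy finite-field Diffie-Hellman."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Derive a 32-byte session key from our private key and a peer public key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()


def fingerprint(identity, pub):
    """30-digit fingerprint of one party's (identity, public key).

    Iterated hashing makes it expensive to brute-force a key whose fingerprint
    collides with a victim's in the displayed digits.
    """
    h = identity.encode() + pub.to_bytes(32, "big")
    for _ in range(5200):
        h = hashlib.sha512(h).digest()
    return " ".join(f"{int.from_bytes(h[4*i:4*i+4], 'big') % 100000:05d}"
                    for i in range(6))


def safety_number(me, my_pub, peer, peer_pub):
    """Both parties compute this from what they see; if their views of the two
    keys agree the strings match regardless of who computes it."""
    return "  ".join(sorted([fingerprint(me, my_pub), fingerprint(peer, peer_pub)]))


class KeyServer:
    """Honest directory mapping identities to public keys."""
    def __init__(self):
        self.keys = {}

    def publish(self, identity, pub):
        self.keys[identity] = pub

    def lookup(self, identity):
        return self.keys[identity]


class MitmKeyServer(KeyServer):
    """Compromised directory: answers every lookup with its own key for that
    identity, so it can decrypt and re-encrypt traffic in both directions."""
    def __init__(self):
        super().__init__()
        self.fake = {}   # identity being impersonated -> (priv, pub)

    def lookup(self, identity):
        if identity not in self.fake:
            self.fake[identity] = keygen()
        return self.fake[identity][1]

    def intercept_secret(self, requester, impersonated):
        """Session key the attacker shares with `requester`, who believes
        it is talking to `impersonated`."""
        priv, _ = self.fake[impersonated]
        return shared_secret(priv, self.keys[requester])


def run_session(server):
    """Alice and Bob exchange keys through `server`, then run the ceremony."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    server.publish("alice", a_pub)
    server.publish("bob", b_pub)
    # The easy part: fetch the peer's key and derive a session key. This
    # succeeds whether or not the server is honest.
    bob_seen_by_alice = server.lookup("bob")
    alice_seen_by_bob = server.lookup("alice")
    # The hard part: each side computes a safety number from its own view and
    # the two must be compared out of band (in person, QR scan, voice call).
    alice_sn = safety_number("alice", a_pub, "bob", bob_seen_by_alice)
    bob_sn = safety_number("bob", b_pub, "alice", alice_seen_by_bob)
    return {
        "alice_secret": shared_secret(a_priv, bob_seen_by_alice),
        "bob_secret": shared_secret(b_priv, alice_seen_by_bob),
        "alice_safety_number": alice_sn,
        "bob_safety_number": bob_sn,
        "ceremony_ok": alice_sn == bob_sn,
    }


if __name__ == "__main__":
    for name, server in (("honest", KeyServer()), ("mitm", MitmKeyServer())):
        r = run_session(server)
        print(f"{name}: session keys agree={r['alice_secret'] == r['bob_secret']} "
              f"ceremony_ok={r['ceremony_ok']}")
```

Running it prints one line per scenario. In the MITM case the attacker holds a valid session key with each victim and can relay and read everything, and nothing inside the encrypted channel flags this; only the safety numbers differ. The comparison therefore has to happen over a channel the attacker does not control, which is exactly the step the study's participants skipped or replaced with profile pictures and shared memories.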
To be secure you must authenticate the person at the other end.
Software providers often build systems without first finding out what people really need and want. If the authentication ceremony could be performed behind the scenes, automatically or effortlessly, these problems could be addressed without relying on user education. Work is underway to streamline that process.
As to why that hasn’t happened already: building a global system that matches an identity (your phone number or your e-mail address) to an encryption key is a really hard problem. And even if you solve that, there are a number of related, “secondary” problems:
- For every public key that you advertise with your identity, there is a matching private key you have to keep secret. How do we make sure people keep those secret?
- What if those keys are lost or stolen?
- How do people safely move those keys between the devices they own?
Never put anything in a text, message, e-mail or voice message that you don’t want thirty million people to get!
Some of the popular messaging apps are:
And remember, always back it up!