Capitalizing on the fear of near-daily revelations of data breaches and widespread government surveillance, companies like Google, Microsoft, and Yahoo! are implementing so-called “end-to-end” encryption to much applause. Unfortunately, this provides a false sense of security.
That’s not to say that encrypting data for transit is a bad thing — not at all. That’s also not to say that, despite problems, I know of any gaping, insurmountable flaws in TLS.
However, consider how a typically HTTPS handshake is carried out: the browser negotiates the initial symmetric key exchange using a locally generated asymmetric key. Both the fast symmetric key and the asymmetric key are at some point stored, either in memory, or in a security container on disk. In order to be able to successfully continue to communicate with the remote server, the browser must then have access to the symmetric key at all times.
While there are chances that the keys or pre-encrypted communications may be intercepted by malware running on the host computer, little consideration is given to the browser, operating system, or hardware. We may have some protection against nefarious outside forces, but what about the fact that Google or Microsoft have potentially full access to all of our communications, encrypted or not?
So if Google’s Chrome browser, for example, encrypts your communication, Google has full access to not only the unencrypted communication but also any and all keys used during the crypto operation(s). Microsoft can do one better since they run the underlying operating system. That means that they can capture key strokes, web requests, key storage, and pretty much anything else they like at their whim — in any software. They can also hide network transactions from software like Fiddler or Wireshark; Microsoft provides the network stack, after all.
Naturally, the hardware running the OS and browser, or really any network hardware, are equally as capable of spying on you without your knowledge. In reality we have a three-deep layer of “just trust us” security over which is slapped HTTPS. The HTTPS part is great, but what about the other pieces? As the Wikipedia entry on “end-to-end encryption” points out, “[this] paradigm does not directly address risks at the communications endpoints themselves…”
So HTTPS really only protects you from outside, third-party interlopers, not in any meaningful way from government or corporate surveillance. Heck, they come right out and tell us that this is so — all for our benefit, of course.
Unfortunately, discussion on this topic is often lacking from online security and privacy forums yet this is perhaps a more vital topic than protecting your data in transit. While it’s great that we have improved security to deal with Man In The Middle techniques, privacy and anonymity in corporate and government spheres are essentially non-existent.
This is daunting problem recognized by professional cryptographers and security experts but there doesn’t seem to be much in the way of solutions. We can use something like Tails or Subgraph OS to secure the operating system level but we’re still faced with the hardware both at the host and at the networking level (the router, for example).
Does this mean that there’s practically nothing that can be done? I don’t believe this and there are some proposals that I think are worth discussing, if for no other reason than to inspire imaginations. While this is a somewhat steep uphill climb, it’s also an opportunity for the creation of a whole new class of security-minded software, hardware, and services. If the corporate-government surveillance news did anything, at the very least it made more people aware of just how precious and fragile their own privacy and anonymity are.
In the meantime, by all means keep insisting on HTTPS, just don’t be lulled into a false sense of security.
patrickb August 16th, 2014