Data encryption has been the subject of much recent debate during the fallout of the WhatsApp breach revealed by the Financial Times on May 13, 2019. With 1.5 billion WhatsApp users worldwide, the news that the secure messaging application could be breached has caused concern for many, especially human rights activists, lawyers, and journalists, who were the apparent targets of the recent breach. Some people have used this opportunity to declare end-to-end encryption (E2EE) redundant and pointless, while others have insisted that this is a pertinent reminder that all things — even secure messaging applications — have vulnerabilities, and must be coupled with user vigilance and continued development of more sophisticated security measures. With these recent debates in mind, StormFree thought it a good time to offer advice as to how individuals can secure their data on a daily basis to better protect their digital selves.
Instant Messaging (IM) applications are widely used today, often replacing traditional SMS messaging for smartphone users. Many of these convenient apps are unencrypted and offer little protection of the private user conversations. A good way to provide some security for your private conversations is to utilize a messaging app that features end-to-end encryption (E2EE). When data is secured with E2EE, it is decrypted by the sender of that data and can only be decrypted once it has arrived at its intended destination, hence the name end-to-end encryption: the data is fully encrypted from one end of its transmission all the way to the other end, and is not decrypted at any point in between. Because E2EE does not have any middleman like a server that can decrypt the message data, it offers fewer points of vulnerability than something such as hop-by-hop encryption, in which the data is decrypted on one or more servers in between users before being re-encrypted for transmission onwards.
Encryption, in its various forms, relies on cryptographic keys to verify which parties should be allowed to decrypt data. Older forms of encryption often relied on single, permanent secret keys to encrypt messages sent between users, which meant that an attacker could steal a single cryptographic key and decipher all of the messages in an encrypted conversation, even future messages. The solution to this problem is called "perfect forward secrecy", and is a feature in many modern encrypted messaging applications. Forward secrecy refers to a cryptographic protocol that generates a unique cryptographic key for each message being sent. The way that these unique keys are generated ensures that an attacker having knowledge of one key would not permit them to figure out what the other keys are. This ensures that if an attacker were to steal a cryptographic key, it would only be capable of decrypting a single message and could not be used to decrypt past or future messages. All of the messaging applications that will be recommended in this post incorporate perfect forward secrecy.
While the recent breach of WhatsApp serves as a reminder that even E2EE is not without vulnerabilities, using an E2EE messaging app can limit the chances that someone is reading your private conversations. Here are some of the best messaging apps that feature E2EE with perfect forward secrecy available today:
Riot.im, developed by New Vector, is an entirely free and open-source software designed to help popularize the Matrix federated communication protocol that it is built on. Developed by the same team at New Vector (under the name The Matrix Foundation) Matrix is another open-source offering that allows users to exercise greater control over their data by running their own homeservers which connect to a large, federated network of homeservers run by other users. Riot.im is only one of many chat clients that can use Matrix to transmit messages to other users, part of New Vector's goal of breaking down the barriers between the multitude of chat clients currently available. Most significantly, chat rooms in Riot.im can be encrypted end-to-end ensuring that the network of servers between users cannot access the content of your messages. Using Riot.im is a great way not only to bolster your data security, but also to experience the emerging benefits of a federated communication network.
Popularized by the endorsement of famed whistleblower Edward Snowden and originally developed by Open Whisper Systems, Signal is one of the foremost secure-messaging applications on the market today. Signal began as two separate applications: a secure SMS app called TextSecure and a secure VoIP app called RedPhone, both developed by Moxie Marlinspike and Stuart Anderson. In July 2014 the two applications were combined, forming an all-in-one secure messaging and VoIP application dubbed Signal. This application uses the Signal Protocol (formerly TextSecure Protocol) to enable end-to-end encryption between peers. Free to use, Signal also includes customizable message-retention periods so that your device will periodically wipe old messages, and since October 2018 has offered sealed-sender messaging between contacts who have established trust with each other.
Despite the recent May 2019 breach of this messaging app, WhatsApp remains a popular and highly secure option for protecting messages. With over 1.5 billion users worldwide, WhatsApp is by far the most widely-used E2EE messaging service in the world. WhatsApp's E2EE relies on the same Signal protocol developed by Open Whisper Systems, who partnered with Facebook's WhatsApp team to implement encryption in 2016. WhatsApp enables E2EE on all messages and calls within the application and can sync your conversations with a WhatsApp desktop application.
Disk encryption tools are used to protect the data stored on your computer's hard disk by converting the data into an unreadable format. When used to encrypt the hard disk on a computer, this ensures that the data on the disk can only be accessed by a user who has successfully logged into the machine. As a result, disk encryption offers protection against the unauthorized access of files on a computer when it is not in use, but typically does not protect this data when a user logs in and then leaves their machine unattended. It is therefore recommended that disk encryption be used in conjunction with another data security measure called file-level encryption.
To protect files on a computer that has been successfully logged into, it is necessary to use file-level encryption. In contrast to disk encryption, this type of security encrypts data at the individual file or directory level and is done by the file system itself. Most typical file systems that include file-level encryption do not encrypt the metadata of these files, meaning that things like filenames, sizes or modification timestamps will remain accessible while all of the information within the file becomes unreadable.
Contrary to what some commentators have written, the recent WhatsApp breach does not signal the futility of end-to-end encryption. Instead, this breach emphasizes the importance of taking steps to secure your daily digital life, because attempts to steal user data may come at any time. It serves to remember once more that the breach of the world's most popular encrypted messaging application did not crack the encryption of the messages, but instead exposed a vulnerability which allowed an attacker to eavesdrop on a target's device where messages can be read in plaintext. Just like any other security system, data encryption is never perfect, but it can have a positive impact on protecting your private data from unwanted eyes.
