Issue 03 - Encryption

December 19, 2018

In this issue, we focus a little more on the issue of privacy by highlighting data leaks from new technologies as well as emphasising again the importance of encryption. In our previous issue, we explained why we should all care about privacy and why we should maintain systems that allow communications to remain private, even if we think that we have nothing to hide.

Consider

Unfortunately, there are current efforts to undermine the privacy and security of digital communications under the auspices of national security. The Australian government recently passed a bill that will allow the government to compel tech companies to build backdoors in their products, including instant messaging platforms. Other countries like the United States, the United Kingdom, Canada, and New Zealand have spent years unsuccessfully lobbying for similar laws. However, as these countries have agreements with Australia to collect, analyse and share intelligence (Five Eyes agreement), it is expected that the backdoors that are developed as a result of Australia's new bill will also be used by these governments. If a tech company offers a backdoor for an Australian government order, it is likely that other governments will soon also demand the same.

Why are backdoors so bad? Crucially, when implemented, a backdoor exists for everyone. Once a backdoor exists, any country, group, or individual can maliciously exploit its existence and access or leak private data from anyone using the affected system. Let's consider the implications of this. It has been reported that Malcolm Turnbull, the former Prime Minister of Australia, is a Signal Messenger user. The Signal Developers have said they will not implement a backdoor. However, if they did, there would be a risk that Malcolm Turnbull's communications could be made public if the backdoor were to be exploited by a criminal group, thus defeating the purpose of the bill. While Signal Messenger will not comply with the new law, other tech companies will. The existence of backdoors can lead to the release of data that security agencies are trying to protect, endangering the very operations that lawmakers say they are trying to protect. Security researchers have spent decades opposing backdoors, but the fundamental privacy and security reasons behind their objections are being ignored by lawmakers.

Become Aware

Preventing data leaks by stripping path information in HTTP Referrers

https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/

In a previous issue, we talked about how your website visits can be tracked through the referrer when you visit other websites (e.g., when you click on a link in your browser, the website you are directed to will know the web address you came from). In this article, Mozilla explains the issue in a little more detail and announces that they will remove some identifying information from the referrer fields when using Private Mode. However, we must point out that even with these changes in Firefox, the website you come from is still leaked to the website tracking you, even though some personal information is stripped from the referrer field. Although Firefox now tries to remove some of this information from the referrer field, not all browsers take these measures to protect your privacy.
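The sketch below is an added example, not code from Mozilla's article or from this newsletter. It compares what a third-party site receives under the older browser default (no-referrer-when-downgrade) and under path stripping, which is assumed here to correspond to the Referrer-Policy value strict-origin-when-cross-origin. The URLs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def origin(url):
    """Scheme and host (plus port, if any) of a URL, e.g. 'https://clinic.example'."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def referrer_sent(page_url, link_url, policy):
    """Return the Referer value the linked site receives, or None if none is sent."""
    page, link = urlsplit(page_url), urlsplit(link_url)
    if page.scheme == "https" and link.scheme != "https":
        return None  # both policies send nothing from HTTPS to plain HTTP
    # The fragment (#...) is never part of a referrer.
    full = page._replace(fragment="").geturl()
    if policy == "no-referrer-when-downgrade":
        return full  # full path and query string go to every site
    if policy == "strict-origin-when-cross-origin":
        same_origin = origin(page_url) == origin(link_url)
        # Other sites get only the origin: the path and query are stripped,
        # but the site you came from is still disclosed.
        return full if same_origin else origin(page_url) + "/"
    raise ValueError(f"unsupported policy: {policy}")

# Constructed sample URLs (not real sites).
PAGE = "https://clinic.example/search?condition=diabetes&postcode=2000#results"
TRACKER = "https://ads.example/pixel.gif"

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(policy, "->", referrer_sent(PAGE, TRACKER, policy))
```

With the stripped policy the tracker no longer sees the search terms, but it still learns that the visitor came from clinic.example.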

Fitness tracking app Strava gives away location of secret US army bases

https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

https://twitter.com/tobiaschneider/status/957317886112124928

When we share data with companies, we do not often want those companies to make that data public. Yet sometimes this is out of our control. The company can leak data even if neither you nor the company intends to do so. This article exposes the inferences that can be made from inadvertently leaked data. Military personnel used fitness tracking devices while stationed all over the world and then uploaded that data to Strava. Strava publishes a heat map showing where people exercise all over the world. If you look for locations around military bases, you can see, for example, where the patrol routes are, or where military personnel are usually working or exercising.

A Sleeping Alexa Can Listen for More Than Just Her Name

https://spectrum.ieee.org/view-from-the-valley/consumer-electronics/gadgets/beyond-the-super-bowl-a-sleeping-alexa-can-listen-for-more-than-just-her-name

While the article suggests that Alexa listening for more than just her name is a good feature, it also means that Alexa has the capability to listen to sounds that would not normally trigger her to start up. The result is that data that the user would not necessarily want shared is nevertheless recorded.

Amazon's Alexa recorded private conversation and sent it to random contact

https://www.theguardian.com/technology/2018/may/24/amazon-alexa-recorded-conversation

This article focuses on an instance where Alexa inadvertently recorded a private conversation and sent it to a random contact. The article illustrates how, even when a device is not designed to leak private data, it can still fail and create privacy problems.

Signature validation vulnerability in German ID cards

https://www.sec-consult.com/en/blog/2018/11/my-name-is-johann-wolfgang-von-goethe-i-can-prove-it/

The article explains how the system that is used to validate German ID cards on online platforms had a vulnerability that allowed an attacker to impersonate any individual. Some banks and insurance companies in Germany use this system to authenticate users, as it is believed to provide a better user experience for their customers. The authentication scheme is also used in government portals like the German Justice Department and the German Pension Fund.

Learn

Man-in-the-middle (MITM) Attacks

A man-in-the-middle attack is when a malicious person or machine can intercept a message being sent, read it, and relay it between the parties. For example, if Alice wants to deliver a message to Bob, Mallory could intercept the message, read it, and continue to forward the message to Bob. If Bob and Alice are not using any tool to prevent these types of attacks, they will not even be able to determine whether the message was seen or tampered with by Mallory.

Man-in-the-middle attacks are one of the main types of attack that end to end encryption tries to prevent. For example, if you suspect your Internet Service Provider (ISP) could be an attacker, you need to prevent it from reading the messages it relays from your computer to the servers you are connecting to, including the ones you use for email or accessing websites. In this case, the ISP is acting as a man-in-the-middle, and if you encrypt your connection end to end you are preventing a man-in-the-middle attack.

What is end to end encryption?

We see the term "End to End Encryption" being used a lot in the media, and we notice that this sometimes confuses people. What are the two ends? And what connects them?

End to end encryption refers to an encrypted communication channel between two devices. Each device represents the end of that channel. A channel might be, for example, a messenger service or an email communication. If the communication is encrypted end to end, nobody else with access to the channel data can decrypt the information the two devices are sharing.

If, for example, Alice wanted to communicate securely with Bob, she could put a message in a vault and then send the vault to Bob using normal mail. When Bob receives the vault he can open it and read the message but the person delivering the vault, for example the courier, could not read the message.

The same thing happens when you want to connect to some websites. If you want to make sure only you and the website know about the content of your exchange, you can encrypt data on your device and send it across the network to the website server. The server can then decrypt the data and return an encrypted response back to you. Thus, no one who may be listening to this communication, like your Internet Service Provider or a government agency, can decrypt the data since it is encrypted from your end to the website's end -- the data is encrypted end to end.

In the above example, we assumed Alice and Bob already shared a secret: the vault combination. This is what would allow them to share the encrypted information. But this cannot always be the case. For instance, what would happen if Alice and Bob had never met before? They would not have any way to securely communicate the combination to each other, as someone could be listening and therefore could also open the vault.

The same thing happens on the internet. If someone knows the encryption key used by one end, then they can decrypt the data: the communication would no longer be encrypted end to end.

There are a number of technologies that solve this problem, and they are based on Public Key Cryptography (see Wikipedia). HTTPS, a technology that you probably use every day and are using right now when reading this website, uses Public Key Cryptography. If you are interested in how Public Key Cryptography works you can watch this video.

When you use HTTPS you are encrypting your data on your device all the way to the server. Your Internet Service Provider cannot decrypt your data and read what you are actually sending to the server, though it can know you are communicating with that server. This means that when you use HTTPS you are encrypting data from your device to the computer that is serving the information you are accessing.

To check if you are using HTTPS, you can look at your browser address bar and check if you have a green padlock while visiting the website. However, HTTPS has some limitations and end to end encryption is not always used, for instance in the following situations:

Using HTTPS is still considerably more secure than not using it, so you should consider using HTTPS everywhere you can and never give out personal data over a connection not using HTTPS (for how to do this, see Act, below).

The Signal Messenger App, which we have written about in Issue 2, encrypts your messages on your device and sends them across the network to someone. Only that person can decrypt the messages and read them. No service relaying the messages, including Signal, can read them.

When using an end to end encryption application, you are trusting that the person or computer with whom you are communicating is really who you think it is. For example, someone contacts you through Signal and says they are your friend Alex. You immediately start a private encrypted communication using your key and the key that person is using. But how do you know that person is really your friend Alex and not someone else?

This is where out of band key verification comes in. By using key verification before you and Alex start to use end to end encryption, you can make sure that the keys you are using really belong to you and Alex. Many applications support this type of key verification -- Signal Messenger supports this through the safety numbers feature and we encourage you to try it out and verify the keys used by your contacts.
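The following added example (not from Signal or from this newsletter) ties the Alice, Bob and Mallory scenario to key verification: a toy Diffie-Hellman key exchange is relayed through Mallory, and a fingerprint of both public keys, compared over a separate channel, reveals whether the relay replaced the keys. The group parameters, function names and fingerprint format are assumptions made for illustration; this is not Signal's safety number algorithm.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only:
# far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)

def shared_secret(my_private, their_public):
    """Secret derived from my private key and the public key I received."""
    return pow(their_public, my_private, P)

def fingerprint(key_one, key_two):
    """Short digest of both public keys, read out over another channel."""
    low, high = sorted((key_one, key_two))
    digest = hashlib.sha256(f"{low}:{high}".encode()).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 24, 4))

def exchange(relay_swaps_keys):
    """Run one key exchange between Alice and Bob through a relay (Mallory)."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    mallory_priv, mallory_pub = keypair()
    # The key each side receives: the real one, or Mallory's if it was swapped.
    alice_receives = mallory_pub if relay_swaps_keys else bob_pub
    bob_receives = mallory_pub if relay_swaps_keys else alice_pub
    alice_secret = shared_secret(alice_priv, alice_receives)
    bob_secret = shared_secret(bob_priv, bob_receives)
    return {
        "alice_and_bob_share_secret": alice_secret == bob_secret,
        "relay_knows_alice_secret":
            shared_secret(mallory_priv, alice_pub) == alice_secret,
        # Each side fingerprints its own key plus the key it received.
        "fingerprints_match": fingerprint(alice_pub, alice_receives)
                              == fingerprint(bob_receives, bob_pub),
    }

if __name__ == "__main__":
    print("honest relay:", exchange(relay_swaps_keys=False))
    print("keys swapped:", exchange(relay_swaps_keys=True))
```

Neither Alice nor Bob sees an error when the keys are swapped; only the fingerprint comparison, done over a channel the relay does not control, shows that something is wrong.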

When you email someone, you are sending an unencrypted piece of text from your device through multiple servers until it reaches the person you are emailing. This means all these computers will be able to read your email and your email metadata. If you want to encrypt your emails end to end, meaning the communication is encrypted all the way from you to the person you are emailing, you can use a technology called GPG.

By using GPG you can encrypt the contents of your emails from your computer to the computer of someone reading it, using Public-Key Cryptography. If you want to start using GPG visit the link in the Act section below.

Act

Virtual Private Networks (VPNs) and End to End Encryption

When you use a VPN service, you are encrypting data on your computer and sending it across the internet to your VPN provider. The VPN provider decrypts this data and forwards it to the service you are trying to send the data to. When the VPN provider receives the response, it encrypts the data again and sends it to you.

The VPN service acts as a proxy between you and the service you are trying to use. The data from your device to the VPN provider is encrypted, but any data flowing from the VPN provider to other services may not be encrypted.

This means that the choice of VPN provider is extremely important, as not all VPN providers are secure. If the VPN provider can be coerced into giving away data it has about you, it does not matter what type of encryption you are using because the VPN provider will always be able to decrypt your connection.

Some VPN providers claim they do not log any requests, or keep any data about you, but this cannot be verified and ultimately you will need to trust a VPN provider to not give out data about you. You can visit https://www.privacytools.io/#vpn if you are looking for a VPN provider that is believed to be trusted. However, even if a provider is on that list, it does not mean that it is trustworthy and there will always be a risk that it is a malicious VPN provider.

When deciding whether to use a VPN, you need to think about which types of attacks you are trying to prevent. If you want to prevent your ISP from knowing which websites you are visiting, a VPN provider might offer that protection. If you are trying to prevent anyone from knowing which websites you visit then you need to deploy other measures, since the VPN provider could still know which websites you are visiting. If you are visiting websites that use HTTPS, even though the VPN provider could know what websites you are visiting, the VPN provider could not decrypt what you are sending or receiving from the server as you would be encrypting that exchange end to end.

If you need to encrypt a browser session in a way that nobody can determine which websites you visit, we encourage you to read about the Tor Browser: https://www.torproject.org

Check if your connection is encrypted

When visiting a website, you can check if the connection you are using is encrypted from your computer through to the website's server using HTTPS. To check whether the connection is secure you can check the browser address bar. If the connection is using encryption, you can click on the green padlock and get more information about the type of encryption and algorithms in use. The Crossover website uses an encrypted connection, which means that nothing in the connection from your computer to our website can know what you are reading, including your Internet Service Provider. Although they will know you are visiting this website, they cannot know which content you are reading or what information you are providing. You can check the encryption we use by clicking on the green padlock icon.

Send encrypted email

Visit this website to learn more about GPG and how to use it: https://theprivacyguide.org/tutorials/pgp.html

Set up GPG and send us an encrypted email to thecrossover@0io.eu to test your setup. Use this GPG key.

Use HTTPS everywhere

Some websites offer HTTPS encryption but make it difficult to use. They can offer access using HTTPS or HTTP. The HTTPS Everywhere extension forces your browser to use the HTTPS connection when you visit a website over HTTP and an HTTPS connection is also available.

The extension is available for multiple browsers and you can read more about it at https://www.eff.org/https-everywhere

Understand what private data is being shared when using HTTPS and Tor

This EFF visualisation shows which data is being shared when you use HTTPS and/or Tor: https://www.eff.org/pages/tor-and-https