Encryption has long been a cornerstone of sound information security, critical for protecting data, transmitting... messages securely, guaranteeing data integrity and achieving regulatory compliance.
Unsurprisingly, interest in fostering an "encryption everywhere" Internet has grown in light of recent vulnerabilities and alleged government spying, but not everyone is eager to accept the drawbacks that end-to-end Internet encryption may bring.
A call for default encryption
The Internet Architecture Board (IAB), a committee of the Internet Engineering Task Force that oversees the process of creating Internet standards, released a statement last week urging designers, developers and operators to "make encryption the norm for Internet traffic."
The statement, written by IAB chair Russ Housley, commented on the growing sophistication of attacks and concluded that encryption must be used wherever possible. The IAB noted that new protocols should prefer encryption to cleartext operations, and that encryption should be deployed throughout the protocol stack. It also urged designers to include encryption by default. Implementing these changes, the IAB said, "will help restore the trust users must have in the Internet."
End-to-end encryption for millions
Mobile messaging vendor WhatsApp Inc. announced this week that it was enabling end-to-end encryption for the 600 million users of its WhatsApp Messenger app.
The company will use partner Open Whisper Systems' TextSecure open source software to encrypt text and chat messages, both over the air and on users' Android devices. Neither WhatsApp nor hackers will be able to read messages sent on protected devices; the encryption key can only be accessed by the device owner and will never leave the device.
Some WhatsApp Messenger deployments may already be encrypted, according to a blog post on Open Whisper Systems' website; the most recent version of WhatsApp Messenger for Android already includes support for TextSecure. While the encryption of group chat and media messages is not yet supported, it will be soon, as will support for additional client platforms, including Apple iOS.
Free digital certificates for all
A nonprofit certificate authority Tuesday announced plans to offer free SSL/TLS certificates. Let's Encrypt, a collaboration between the Electronic Frontier Foundation (EFF), Mozilla Corp., Cisco Systems Inc., Akamai Technologies Inc., IdenTrust Inc. and researchers at the University of Michigan, was created to "clear the remaining roadblocks to transition the Web from HTTP to HTTPS."
Some of the biggest challenges preventing the deployment of HTTPS, according to a blog post by EFF's technology projects director Peter Eckersley, are the "complexity, bureaucracy and cost of the certificates HTTPS requires." Let's Encrypt, which will debut next year, will enable anyone who owns a domain to get an SSL/TLS certificate at no cost. The service, based on an open standard, will provide automated enrollment during server installation or configuration and renew certificates automatically.
The problems with 'encryption everywhere'
While the benefits of encryption cannot be denied, some are speaking out about the problems an encryption-everywhere Internet would bring.
Blue Coat Systems Inc. published a report earlier this month highlighting the enterprise challenges associated with achieving visibility into encrypted network traffic and mitigating its unwanted effects, namely the ability for malware to enter a system unnoticed, using encryption as a cloak to bypass security controls.
Another major encryption drawback is degraded storage performance. In test results published yesterday, Motorola Mobility LLC's Nexus 6 devices suffered from degraded read/write performance -- as high as 63% -- with Android 5.0 Lollipop full-disk encryption enabled. On its blog, Google states that Android devices on which encryption is enabled at first boot cannot be returned to an unencrypted state, so users are stuck with the reduced performance.
Encryption has also struck a nerve with law enforcement. According to a Wall Street Journal article published Tuesday, the U.S. Department of Justice doesn't see broad use of encryption as a positive privacy move, but rather as a hindrance to criminal investigations. Because vendors and service providers will no longer have access to their customers' data, law enforcement may be unable to obtain critical criminal evidence. Deputy U.S. Attorney General James M. Cole is quoted as saying that if the police department cannot access a phone, it could even lead to the death of a child. Apple, however, called the scenario "inflammatory" and said law enforcement could obtain the same information elsewhere.
On the IAB blog, Housley acknowledged encryption's potential drawbacks. "Many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload. For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default."
Still, others are skeptical of encryption everywhere, citing the security issues with certificate authorities and the limitations of encryption itself, and arguing that it is better suited as one layer of a defense-in-depth strategy.
In other news
- Research published this week revealed that more than half of U.K. companies would consider hiring a hacker or person with a criminal record to improve information security. The poll, conducted by KPMG, showed that 74% of businesses admit new cybersecurity challenges require new skills, and 64% believe that cybersecurity skills are different from conventional IT skills. However, 57% of businesses find it difficult to recruit and retain specialized cybersecurity staff. In a press release, the head of KPMG's Cyber Security Academy, Serena Gonsalves-Fersch, said that since companies won't hire pickpockets to be security guards, they should rethink hiring hackers for cybersecurity measures. "Rather than relying on hackers to share their secrets," Gonsalves-Fersch said, "companies need to take stock of their cyberdefense capabilities and act on the gaps that are specific to their own security needs."
- In the 2014 Mobile Pwn2Own competition held Nov. 12 and 13 in Tokyo, only one mobile device withstood a full compromise: the Lumia 1520 Windows Phone. According to a blog post by competition organizer Hewlett-Packard Co., the device was partially pwned; a hacker "was successfully able to exfiltrate the cookie database; however, the sandbox held and he was unable to gain full control of the system." Both Apple iOS- and Google Android-based devices were compromised on the first day. The HP Zero-Day Initiative immediately disclosed the vulnerabilities to the affected companies for remediation.
- In a blog post yesterday from U.K. privacy watchdog the Information Commissioner's Office (ICO), webcam users were warned that their webcams can be used to spy on them. A hacker website in Russia shows feeds of thousands of webcams that were accessed using default credentials found on the Web. The website, which SearchSecurity has chosen not to identify, claims it was created to highlight the importance of changing default passwords on security surveillance systems. In its blog, the ICO urged users to change their passwords, check their webcam and Internet router security settings, and secure any other devices in the home and office that may be accessible via the Internet.