Half of all internet traffic is now encrypted and better protected from eavesdropping, censorship and hackers, privacy activists have said.

Statistics released by Mozilla, the creators of the Firefox web browser, revealed that the average volume of encrypted traffic passed the average volume of unencrypted traffic earlier this month.

The shift comes as more websites switch from HTTP to HTTPSthe protocol over which data is sent between browsers and a website, and the letters that come at the beginning of a web address. Without HTTPS, it becomes easier for hackers and other malicious actors to see or intercept the information web users are reading or publishing.

Try Newsweek for only $1.25 per week

The encryption of more than half of all web traffic is an important milestone in making the web better protected from eavesdropping and hackers. EFF

The Electronic Frontier Foundation (EFF), a non-profit organization that has led the push for tech companies to implement the secure HTTPS protocol, praised the milestone but said more work still needs to be done.

Major websites, including Facebook, Google and Wikipedia, have all adopted HTTPS, but many smaller sites face difficulties implementing it. EFF has developed several tools to make it easier for website owners to implement the protocol by default.

Unfortunately, you can only use HTTPS on websites that support itand about half of all web traffic is still with sites that dont, EFF researcher Gennie Gebhart said in a blogpost. However, when sites partially support HTTPS, users can step in with the HTTPS Everywhere browser extension.

Our goal is a universally-encrypted web that makes a tool like HTTPS Everywhere redundant. Until then, we have more work to do.

Here is the original post:
More Than Half of All Internet Traffic Is Now Encrypted - Newsweek - Newsweek

Encryption app leaks sensitive info

An encrypted messaging app called Confide is being used in Washington DC by White House staffers to leak embarrassing or sensitive information.

Since US President Donald Trump's inauguration, a steady stream of leaks have been provided by the White House including reports of national security adviser Michael Flynn's unauthorised talks with Russia.

On Thursday, US President Donald Trump vowed to prosecute leakers. We are looking into this very seriously. It's a criminal act, Trump said. He has reportedly ordered an internal investigation to identify how sensitive information about his calls with foreign leaders and national security matters made their way to the press.

Messages sent via the Confide app are automatically deleted, leaving virtually no paper trail.

According to Jon Brod, cofounder and president of Confide, once messages are read, they vanish without a trace. The message is gone forever, it's deleted from our servers, you can't archive, print it, save it, cut and paste it. Again, just like the spoken word, it disappears, Brod said.

The message self-destructs so I can't go back in and try to piece together a number of screenshots into the actual message, and it notifies both the sender and the recipient that a screenshot was attempted, Brod continued.

White House staffers, and possibly other government officials and business executives, worried about being caught leaking information to the media have adopted this app.

They are likely violating the law if they are revealing that information through any means, whether it's through an email or through a disappearing chat app, said Carrie Cordero, a former national security lawyer at the Justice Department.

Confide's privacy features won't totally protect leakers since it still requires them to register their identities.

Sometimes these apps give users a false confidence that they will never be able to be traced, said Cordero. And although the communication in this particular app might disappear, that doesn't mean that the user is necessarily not able to be traced in any way.

Some security researchers are doubtful about Confide's cryptography since the app is not open-source and may use old protocols. Confide's encryption is closed source and proprietary, so no one outside the company knows what's going on within the app. The encryption protocol is based on the PGP standard and the app's network connection security relies on recommended best practices.

One key is always, do you make code publicly available that's been audited where features have been inspected by the security community so that it can arrive at some consensus, says Electronic Frontier Foundation legal fellow Aaron Mackey. My understanding with Confide, at least right now, is that it's not clear whether that's occurred.

Since its inception in 2013, Confide has seen a spike in usage after key security events took place such as the Celebgate scandal, the Sony Pictures hack in 2014, the Russian group leak of thousands of emails belonging to the DNC in 2016 and, of course, the 2016 US presidential election.

Using an encrypted messaging app such as Confide can pose legal concerns. It is the user's responsibility to make sure they abide by the law and use the app strictly for personal communications.

See more here:
Confide in me! Encryption app leaks sensitive info from Washington ... - SC Magazine UK

In 2017, we need to move past the debate over backdoors.

By Kevin Bankston

Since last summer, Federal Bureau of Investigation Director James Comey has been signaling his intent to make 2017 the year we have an adult conversation about encryption technologys impact on law enforcement investigations. Hes probably going to get his wish, but if a new report from leaders in Congress is any indication, its not going to be the conversation he wants. Rather, as that new report from the House working group investigating the encryption issue recognizes, having the adult conversation about encryption means talking about how law enforcement can adapt to a world where encryption is more common, rather than wrongheadedly forcing the technology to adapt to law enforcements needs.

To Comey, being adult about encryption apparently means agreeing with his conclusion that the existence of unbreakable encryptionfor example, the full-disk encryption that protects your iPhone against anyone who doesnt have your passcode, or the end-to-end encryption that protects your iMessages and Whatsapp texts as they cross the Internetposes an unacceptable threat to law and order. Being an adult, to Comey, means accepting the argument that technology companies should design their products to ensure that the government can access any data it needs in an investigation, whether by building (in the words of his opponents) a backdoor into strongly encrypted products, or by not deploying that encryption in the first place. Being an adult, to Comey, means supporting efforts to legally require tech companies to ensure government access, if they wont do it voluntarily.

When Comey insists that we havent yet had the adult conversation on this issue, hes insulting everyone who has disagreed with himwhich is almost everyone whos voiced an opinion on the subject, that disagreement flowing in an endless stream of expert white papers (issued by adult institutions like the Massachusetts Institute of Technology and Harvard University), editorials, coalition letters, Congressional testimony, National Academies of Sciences proceedings, and more.

Ever since this latest debate over encryption was first sparked in the fall of 2014, when Apple announced that new iPhones would be completely encrypted by defaulta debate that peaked with last years court fight between Apple and the FBI over the locked iPhone of one of the San Bernardino shootersthe clear consensus among experts has been that any kind of mandate on companies to weaken their products security to ensure government access to encrypted data would be devastating to cybersecurity and to the international competitiveness of United States tech companies. It would also be futile, since U.S. companies dont have a monopoly on the technology, making it trivial for bad guys to obtain strong encryption products, no matter what Congress does. It is these exact same arguments that won the day in the Crypto Wars of the 90s when a similar policy debate over encryption arose.

Importantly, its not just privacy advocates and privacy-minded tech experts making these arguments. Opposition to backdoors has been voiced by leaders from the national security and law enforcement establishmentall of them indisputably adults!such as former National Security Agency director and director of National Intelligence Mike McConnell, former NSA and Central Intelligence Agency Director Michael Hayden, former Department of Homeland Security Secretary Michael Chertoff, andin agreement with his fellow members in President Barack Obamas handpicked Review Group on Intelligence and Communications Technologiesformer CIA Director Michael Morrell. And thats just the Michaels! The list of expert adults that have disagreed with Comey at this point is staggeringly long.

Despite that broad consensus, Senators Richard Burr and Dianne Feinstein floated draft legislation last year that would broadly require any provider of any encrypted product or service to be able to produce any encrypted data on demand. Although that bill was almost universally panned at the time, Comey is probably hoping that similar legislation will have a better chance this yearespecially if he has the support of a new attorney general and a new president that appear to share his views, rather than being held back by an Obama administration that chose not to pursue a legislative solution. (Notably, the fact that the Trump administration seems likely to support backdoors is all the more ironic and hypocritical considering the report that high-level Trump aidesalong with key staff for Hillary Clinton, Obama, and many other political figuresare now using the end-to-end encrypted messaging application Signal for fear of being hacked.)

Still, Comey likely will not get his wish, because the long list of people who disagree with him just got longer: As Congress was preparing to depart for its winter holiday, a House Congressional working group tasked with examining the issue of encryption technologys impact on law enforcement issued a year-end report that signaled a major shift in the crypto debate. The working group, established in May as a collaboration between members of the House Judiciary Committee and the House Energy & Commerce Committee, had spent many months meeting with law enforcement, the intelligence community, privacy advocates, security experts, and tech companies, to help guide its bipartisan investigation. The report, signed off on by 10 House members including the top Republican and top Democrat on each of the two investigating committees, came to an unequivocal conclusion: Congress should not weaken this vital technology because doing so works against the national interest, but should instead work to help law enforcement find new ways to adapt to the changing technological landscape.

In particular, the reports authors arrived at four observations, echoing the arguments of Comeys prior opponents: Weakening encryption goes against the national interest because it would damage cybersecurity and the tech economy; encryption is widely available and often open source, such that U.S. legislation would not prevent bad actors from using the technology; there is no one-size-fits-all fix for the challenges that encryption poses for law enforcement; and that greater cooperation and communication between companies and law enforcement will be important going forward and should be encouraged. As next steps, they suggest further investigation into avenues other than backdoors that can help address the challenges that encryption poses to government investigators, including working to ensure that all levels of law enforcement have the information and technical capacity they need to make full use of the wide variety of data that is available to them even without backdoors.

In other words, the key committees in the House that have jurisdiction over the encryption issue have sent a clear signal to Comey, and to his allies in the Senate like Feinstein and Burr: Sorry, but the House is definitely not interested in legislating to require backdoors. How else can we help you? Though news of the report was somewhat buried due to the holiday timing, that signal has now been heard loud and clear across Washington, D.C. The House does not want to waste any more time on childish bickering over backdoors that essentially everyone but the FBI agrees are a bad idea. In 2017, it wants to have the adult conversation that moves beyond backdoors.

Lets hope Comey is listening.

See the article here:
What It Means to Have an 'Adult' Conversation on Encryption - Pacific Standard

When World Wide Web was created in 1989 by Tim Berners-Lee, its purpose was for the web technology to be available to everyone, always, without any patents or royalties. Recently, as the Internet becomes more and more centralized, the creator of the Internet and other people at its heart start calling for a revolution in order to rethink the way that Internet works.

A lot has happened in the years of Internets existence, but the pattern is clear: the tool that was meant to bring profound advance for liberty is too often used by governments and corporations as a means of control. Russia and UK, for example, have passed new intrusive surveillance laws, and China and Vietnam block major websites from their citizens; users are being tracked by corporations and advertisers, and their data is being sold to third parties; Internet giants like Google and Facebook yield big power over the data of all the global Internet users.

Tim Berners-Lee publically speaks against such invasive surveillance laws as UKs Snoopers Charter. According to him and other web activists, the only way to give Internet its original purpose is decentralization and encryption. Some of the so-called Web 3.0 projects are already attracting investors with their idea of more privacy and security.

Blockstack is a startup that is working on open-source software to create a kind of parallel webone powered by the bitcoin blockchain. It hopes to give users more control of their data by avoiding storage with any third-parties. Later this year, Blockstack is planning to release software that will allow surfing this alternative Internet with a regular browser. Its users will generate data by using various services, but the data will not be stored in any of those service databases.

Another example of initiatives aimed at decentralizing the web is MaidSafe, a startup which has spent a decade building a decentralized p2p network, and now allows to create safe websites, store data, host websites and more.

Web 3.0, which could be defined as a platform for decentralized apps, might be the future of the Internet, since decentralization idea is gaining popularity among mainstream developer community. Till then, Internet users must be careful about their Internet privacy, and take initiative to implement available encryption tools.

There already are many existing ways to encrypt ones Internet activities: secure email service providers, such as ProtonMail, or encrypted messaging apps, such as Signal.

One of the must-have encryption services is a VPN (Virtual Private Network). A VPN encrypts all data between a users computer and a VPN server into a secure tunnel. It is important to choose a VPN like NordVPN that doesnt keep any customer logs, offers secure encryption protocols and advanced security solutions like DoubleVPN. A VPN hides a users IP address, disguising the real location, thus giving the user a great layer of protection online from unwanted security threats and/ or surveillance.

At the moment, encryptionbe it via encrypted email, messaging or VPN technologyremains the most secure tool available to protect ones online privacy and security.

For more information, please visit http://www.nordvpn.com.

World Wide Web Creator Calls for Internet Decentralization & Encryption was last modified: February 21st, 2017 by Press Release

Continued here:
World Wide Web Creator Calls for Internet Decentralization & Encryption - The Data Center Journal

WhatsApp is introducing a new feature in its app called Status that uses a similar format to Snapchat Stories,TechCrunch reports. Like messaging through WhatsApp, however, Status will bring encryption to the popular format.

WhatsApp describes the new status feature as easy to use and secure:

We are excited to announce that, coinciding with WhatsApps 8th birthday on February 24, we are reinventing the status feature. Starting today, we are rolling out an update to status, which allows you to share photos and videos with your friends and contacts on WhatsApp in an easy and secure way. Yes, even your status updates are end-to-end encrypted.

Previously, WhatsApps status feature was simply text-based like older chat clients. The new version uses rich media and annotations much like Snapchat Stories. WhatsApp is owned by social network giant Facebook which similarly introduced a Snapchat Stories clone last year through Instagram.

While the new status feature is billed as secure, last monththe security of WhatsApps encryption was called into question however. WhatsApp denied reports that a backdoor was built-in for governments to access chat logs.

Earlier this month, WhatsApp took steps to improve account security with the roll out of two-step verification for users.

WhatsApp is rolling out the new featurenow. WhatsApp for iOS is a free download on the App Store.

Continue reading here:
WhatsApp overhauling status tab with encrypted Snapchat Stories-like feature - 9 to 5 Mac

As data encryption is more widely adopted to protect sensitive applications and information, Gemalto, has launched two new solutions that encrypt data across the cloud, enterprise applications and high-speed corporate networks.

Gemalto's new SafeNet Luna HSM 7 (Hardware Security Module) performs simultaneous cryptographic operations including encryption, decryption, authentication and digital signing while providing total, tamper-resistant protection for cryptographic keys.

The new capabilities enable enterprises to support encryption at massive scale and secure even larger volumes of encryption keys that protect sensitive information and applications in the cloud and on-premise.

In addition, Gemalto also launched its new 100 Gbps SafeNet High Speed Encryptor that provides unmatched performance and security to protect data and sensitive communications across large-scale, high-capacity networks. The new SafeNet CN9100 High Speed Encryptor, developed by Gemalto and encryption partner Senetas, encrypts network traffic at Layer 2 to protect information sent across networks, between corporate offices and into the cloud at native speeds of 100 Gbps.

"As organizations increasingly embrace the Internet of Things (IoT) and cloud-based applications, their requirements to cope with big data intensify. Streamlined management of data security controls have become vital in securing data as it moves between enterprises, multi-cloud environments, networks and devices," said Todd Moore, Senior Vice President of Encryption Products at Gemalto.

"This necessitates organizations to conduct more cryptographic operations in the same, or a shorter amount of time, which means they need an easy, scalable way to attach security directly to the data in order to protect it while in motion and at rest."

"Because organizations are faced with securing more data, identities, transactions and connection points, highly scalable and frictionless data encryption is critical," said Garrett Bekker, principal security analyst at 451 Research. "It's no longer an option to secure one part of the ecosystem, security is required throughout the entire data lifecycle, from the cloud and core of the enterprise to the edge of the network."

Excerpt from:
Gemalto unveils encryption solutions for cloud and on-premise environments - Networks Asia

Recent geopolitical changes are driving concern about data privacy in the security industry, resulting in the increasing use of encryption to protect data, a survey has revealed.

Learn about fighting the ever evolving ransomware, IoT botnet malware and data manipulation attacks.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Nearly three-quarters of more than 900 RSA Conference 2017 attendees polled at the event in San Francisco said recent political events had made them more concerned about privacy.

As a result, two-thirds (66%) said their organisations are looking to increase their use of encryption, according to the survey by Venafi, a provider of protection for cryptographic keys and digital certificates.

The tension between data privacy and national security is going to continue to escalate, said Jeff Hudson, CEO of Venafi.

Encryption is the lynchpin of our entire global digital economy. It controls the privacy and security of everything from our personal photos to the most sensitive national security data.

Our collective ability to secure encrypted data has a profound impact on digital privacy and trust around the world, he said.

However, only 29% of security professionals polled said they are 90% confident in their organisations ability to secure and protect encrypted communication.

Nearly a third said they are not confident or have only 50% confidence in their organisations ability to protect and secure encrypted communication, while 7% admitted they have no idea if their organisation can protect encrypted communication.

Around three-quarters of security professionals said they are more concerned today about encryption backdoors than they were a year ago.

Encryption plays a fundamental role in data privacy, whether its protecting data from hackers or governments, said Paul Turner, CTO of server products at Venafi.

The challenges organisations are already facing in managing and securing encryption keys, combined with concerns about the integrity and strength of encryption implementations, is undermining confidence in the privacy and security of data, he said.

See more here:
RSAC17: Geopolitical changes driving encryption usage, survey ... - ComputerWeekly.com

Forbes

Privacy Versus Security: How Americans View The Issue Of Encryption [Infographic] Forbes Remember last year when Apple refused to give the FBI the ability to unlock a cell phone that belonged to Syed Rizwan Farook of the December mass shooting in San Bernardino, CA? Apple said that by creating new software to break into the iPhone it could ...

Continued here:
Privacy Versus Security: How Americans View The Issue Of Encryption [Infographic] - Forbes

Security researchershave wanted a peek at Wickrs code since the secure messaging app launched in 2012, and now theyre finally getting that chance. Wickr is publishing its code for Wickr Professional, the subscription-based enterprise version of its free messaging app, today for public review.

The public review builds on private third party code reviews by security experts like Dan Kaminsky and Whitfield Diffie, and has been a long time in the making for Wickr.

For years, Wickr has been at the forefront of ephemeral communication. With Wickr Professional, they are allowing teams to be confident that what is discussed is not distributed. And by opening their code, they are giving the engineering community strong reasons to trust their platform, Kaminsky said in a statement.

Users might not be interested in the inner workings of most of the apps they use, but for encrypted messaging, trust is paramount. Users need to know that the apps security claims are verified that theres math behind the marketing and so its common for the makers of encryption products to make their code available for public inspection. This makes it possible for experts to reassure users that their messages are private, and lets researchers hunt for bugs that could make the app less secure.

But Wickr hasnt gone open-source until now. Thats made it tough for Wickr to gain the trust of the most privacy-conscious users. The Electronic Frontier Foundation marked Wickr down in a 2015 edition of its Secure Messaging Scorecard because the company had no public documentation of their encryption protocol and had not made their code available for review.

Wickr tried to strike a balance later that year, when it published a white paper describing its methods. But the company still stopped short of making its code public.

After all, Wickr is a business, andits easy to see how offering up code for free could cut into the companys profit. But Signal, a competing encrypted messaging app that has surged in popularity, has open-sourced its code from the beginning. Google, Facebook, and WhatsApp all implemented Signals encrypted messaging protocol in their own apps last year, demonstrating that open-source doesnt inherently harm a companys growth.

Joel Wallenstrom, who joined Wickr as CEO in Nov. 2016, says thathis willingness to publish the code is based on what he sees as a change in the way Wickr competes in the marketplace.

Where were going to compete is really good customer service and customer support, Wallenstrom tells TechCrunch. Id like to collaborate on crypto and really go out there and stake our claim in the marketplace by helping people understand how to use ephemeral communications. The next thing is, how does a general counsel really understand and wrap his or her brain around how to use this? How does this work within our organization? These are big challenges. People are looking to us and maybe to others as well, saying, I need help with that part too, not just the math.'

Wallenstrom also wanted to please the security community, which has embraced open-source as a way to ensure the integrity of encrypted communication. It was important to some corporations, and it was very important to the security community, obviously, Wallenstrom says. What I found is that Wickr messenger users typically are in the security community and there was just a big, Why not?'

The encryption protocol Wickr releasedtoday is only used in Wickr Professional, an enterprise messaging service the company launched in private beta last month. (Think of Professional as the encrypted and ephemeral competitor of Slack.) Wickr Professional allows group chats of up to 30 people and enables file transfers, calls, and video chat. The company also offers SCIF, an enterprise product that enforces rapid destruction of messages. Professional and SCIF will be available for an annual subscription fee, while Wickrs main chat app will remain free.

The protocol used in Wickr Me, the free app for iOS and Android, is still closed-source. Wallenstrom says that the open-source protocol will be implemented in Wickr Me as soon as possible, but for now the company is focused on its enterprise offering.

This is a multi-party, multi-device protocol, explains Tom Leavy, one of the creators of the protocol.

Wickr launched as a one-to-one communication service, allowing a single user with a single device to securely chat with another user. But over time, usershave begun to use more devices and gravitate toward group chat, so Wickr added those features too. But these featurescan cause problems for encrypted messaging because of the slow, sometimes data-heavy process of key exchange and encryption.

We collected a lot of overhead, to the point where it was becoming difficult to scale, Leavy says. For Professional, we had an opportunity to say, Okay, lets take apart all the components here and really decide what operations need to happen in order to maintain end-to-end encryption between all the parties. The end result of that process was figuring out that there was a lot of replication of data and calculations in the key exchange and we were able to get a 50 percent reduction in larger group chats in the size of the message.

The result is a faster, more agile protocol that Wickr hopes will attract enterprise customers who are warming up to the idea of encrypted communication but want more hands-on customer support than other apps can offer. Researchers who find errors or security vulnerabilities in the code can report the problems through Github and Wickrs vulnerability disclosure program.

The best way for us to understand what were going to be doing ten years from now is to be part of this dialogue, Wallenstrom says.

You can read Wickr Professionals white paper below and check out the code on Github.

Go here to see the original:
Encrypted chat app Wickr opens code for public review | TechCrunch - TechCrunch

U.S. Attorney General Jeff Sessions call for a way to overcome cryptography met with scorn from a panel of elite cryptographers speaking at this weeks RSA Conference 2017 in San Francisco.

Any one of my students will be capable of writing good crypto code, says Adi Shamir, the S in RSA and a professor at the Weizmann Institute in Israel.

Sessions use of the term overcome during his confirmation hearings actually means installing backdoors, says Ronald Rivest, the R in RSA and a professor at MIT. He cited a joint Congressional study that concluded that weakening encryption works against the national interest, and that encryption is global anyway -- so the U.S. cant call all the shots.

Shamir noted that the current, most respected encryption algorithm was devised by Belgians, and noted that other major crypto advances were made by Japanese, Israelis and others. Its not uniquely American, he says. Forcing backdoors in American crypto products would be shooting U.S. interests in the foot, he says. Other countries would be happy to step in with un-backdoored cryptography, he says.

+ MORE FROM RSA: Hot products at RSA 2017 +

Susan Landau, another panelist and professor at Worcester Polytechnic Institute, says there are other ways to get around cryptography than backdoors, so the call for them is overblown. These include court-authorized, legal hacking of end devices.

Landau notes that in the Apple v. FBI case last year, the problems of decrypting a terrorists iPhone were overblown by the FBI, which said it could only get in with Apples help. Later, the FBI hired a private firm to do the work, and a researcher demonstrated how to do it with about $150 worth of off-the-shelf gear.

Shamir says that the Israeli company that purportedly helped the FBI was later hacked and its methods publicly disclosed by the attackers. You need to be careful about helping the FBI, he says with a smile.

The group was asked about the impact artificial intelligence will have on security and seemed unimpressed.

Shamir says AI will be good for security defense because it can find anomalous behaviors and make associations quickly that humans would take longer to make or not make at all. But as an offensive weapon to devise zero-day attacks, AI is lacking. That requires ingenuity and originality, something only humans can contribute, he says.

The group seemed unafraid of the advent of quantum computing and the threat it might pose to cryptography, but said that work is needed to create cryptography that can withstand quantum-backed cracking.

Shamir says if RSA were to be broken, its more likely to be broken by advances in math that will make it possible to crack keys much faster than current brute-force techniques.

Landau says there needs to be more math research into quantum-resistant cryptography. The current efforts lag behind what went into creating the Advanced Encryption Standard (AES) and should be stepped up.

The security of the U.S. presidential elections should have been audited to erase doubts of their validity, Rivest says. Election officials had the ability to check the integrity of the hardware and software used, but didnt. Theres no proof now, he says. Auditing would have been good hygiene to determine whether the election technology was hacked. Rivest calls for 100% paper ballots which can be readily recounted and verified.

+ MORE ON THE ELECTION: Q&A: The myths and realities of hacking an election +

Landau, who is a professor of cybersecurity policy, says the hack of Democratic National Committee emails was nothing new in terms of what was stolen and how. The way the information was used was new, she says. The drip, drip, drip of information, had a more powerful effect on public opinion than dumping it all at once would have.

See more here:
RSA: Elite cryptographers scoff at idea that law enforcement can 'overcome' encryption - Network World