No, end-to-end encryption isn’t a marketing gimmick

There's bad takes, and then there's bad takes. An example of the latter comes from Bloomberg Opinion columnist Leonid Bershidsky, who thinks that today's WhatsApp security woes prove that end-to-end encryption is a gimmick and largely pointless.

WhatsApp is one of the largest messaging apps around. To put Bershidsky's comments in context, earlier today it transpired that it was possible to use specially weaponized phone calls to install malware on a target's phone. The Facebook-owned company has since released a patch, which users are encouraged to install at the earliest possible opportunity.

WhatsApp, like many messaging apps, uses end-to-end encryption, which ensures that an intermediary cannot snoop on what's being said. Bershidsky's argument, summed up roughly, is that because WhatsApp remains vulnerable to other attacks, end-to-end encryption is nothing more than a marketing device designed to lull consumers wary of cyber-surveillance into a false sense of security.

As far as I can tell, Bershidsky has no formal training in cyber security or computer science. If he did, he probably wouldn't be embarrassing himself in such a public fashion. And indeed, the computer security community is delighting in dunking on him via its preferred medium, Twitter. It's important that his arguments, which are misleading and technically inaccurate, do not go unaddressed.

Firstly, let's address his criticism that the term "end-to-end encryption" is a marketing device.

It isn't. It just fucking isn't. I don't know what else to say here. It's a technical term with a very precise, universally accepted definition. That just isn't up for debate.

Bershidsky's argument hinges primarily on the fact that applications that use end-to-end encryption are susceptible to other threats, like zero-day flaws and sophisticated Israeli spyware. But the thing is, no credible person has ever argued that end-to-end encryption is a security cure-all. Rather, it addresses two serious security problems.

Firstly, end-to-end encryption prevents an adversary sitting in the middle of a connection from intercepting and analyzing the contents of data packets. If you're sending sensitive information across the public Internet, like credit card numbers or customer data, you'll want to ensure it's safe from prying eyes. And crucially, it makes it almost impossible to intercept and analyze protected traffic at scale.

The second problem end-to-end encryption solves is that it makes it significantly harder for an adversary to launch session hijacking attacks. If data is sent in the clear, an attacker sitting on the same network can easily capture cookies, including session cookies, allowing them to take over a user's account on a website or app without ever needing to log in.

This isn't hypothetical. Before Facebook introduced SSL by default in 2012, ensuring the connection between users and its servers was protected, wresting control of someone's account was embarrassingly easy. There was even a Firefox plugin called Firesheep, released in 2010, that made it a one-click process.

Do you need other things than end-to-end encryption to ensure a secure user experience? Absolutely. But is end-to-end encryption a crucial cornerstone of that secure user experience? Hell yes.

Security isn't a single product or app. You can't buy security. It comes from the culmination of lots of efforts, big and small. At the risk of sounding like the narrator in a commercial for Lincoln cars, it's a journey, and you never quite get all the way there.

In conclusion, end-to-end encryption is important, and Bershidsky's take is moronic. Even though the piece was clearly listed as opinion, Bloomberg should have known better than to publish an argument that was fundamentally misleading and based on shaky technical grounds.
