Wednesday, 4 March 2015

No Excuses

There are two core reasons why people do not use encryption to make sure their online interactions with friends and colleagues remain private:
  1. They are oblivious to the fact their conversations are being tapped, or otherwise oblivious to the issues with having their conversations tapped, and
  2. Using encryption is a pain in the ass.
Well, as it happens, as of today neither of these reasons need apply. There simply are no excuses for not encrypting your conversations.

Let's start with reason #1. Edward Snowden has already informed us of our friends at the NSA listening in to everything we do online; just the other week we learned the NSA has broken into the vast majority of this world's mobile phones (imagine how many years in jail you would get for committing the same crime). Even if you sincerely do believe the folks at the NSA are your friends, then surely you would have a problem or two with their just as capable counterparts from China or Russia. Face it, you're never alone anymore.
Then there is the mandatory data retention that the Liberal government is about to impose on Australia and Labor will help them do so because Labor are such wimps and because Labor is not much better than the Liberals in the first place. Any criminal with half a brain would be able to avoid their data retained, but you - do you really want the whole of your life to be available to any clerk? Any policeman wishing to check on their ex? Or any hacker managing to put their hands on the data, simply because it's there to be picked and it's looked after by the lowest bidder?
Or do you seriously trust the likes of these two cronies being interrogated by Green Senator Ludlam here to look after you and your retained data?
No, you probably don't. I can't blame you; even our own Communications Minister and wannabe Prime Minister Malbolm Turnbull doesn't. That's why he's using Wickr, a Snapchat like service that seems to actually provide the security that Snapchat was alleged to provide until it turned out to be a complete fraud. Well, if encryption is good enough for the guy in charge of Australian communications, it should be good enough for you.

The question is not whether to use encryption or not, but rather how. And as of today we have an answer.
It comes down to this: if you're an iPhone user, install an app called Signal; if you're an Android user, go for the equivalent app called TextSecure. What Signal and TextSecure do is provide end to end encryption for all your communications with other users of these apps; Signal can also encrypt calls, a service that in Android is handled by another app called RedPhone.
Messaging encryption apps have existed for a while now; Telegram offers a fine example that I still favour. Where Signal/TextSecure rise a level above the rest is:
  1. Signal/TextSecure use of top notch encryption, including forward secrecy. Whereas Telegram uses the same encryption key throughout the life of a secure chat, Signal negotiates a new key for each session. If our NSA friends put their hands on such a key they would find its use rather limited.
  2. Signal/TextSecure use encryption constantly and by default.
  3. Signal/TextSecure can be used by the dumbest of users. Unlike email PGP encryption, for example, the user is not required to know anything special or do anything special.
  4. Signal/TextSecure are open source. We do not need to trust a vendor like Wickr to tell us that we can trust them and that their service is robust; affairs are open for public scrutiny.
  5. Signal and TextSecure are totally free to install and use.
Through these bullet points, Open Whisper Systems - makers of Signal and TextSecure, headed by famous hacker Moxie Marlinspike - has managed to offer the public an incredibly useful service. Us people can, once again, use the Internet in order to communicate with one another freely and without fear.
As for me, I'm stopping my use of insecure chat services. I already got rid of the abomination called Google Hangouts from my phone. I also see no point in investing any more efforts in acquiring and maintaining PGP email capabilities.
If you want to get me, you know how to.

Image copyrights: Open Whisper Systems
Check here and here for more details on Signal/TextSecure as well as installation links.

No comments: