Private I: It's time to encrypt everything

Glenn Fleishman | Nov. 21, 2014
If we've learned anything from the last few years, it's that given the opportunity to snoop on or scarf up our data or our metadata, criminals, business, and governments have a lot in common. They may have different ends that drive why they want to look at our email and transactions, listen in to phone calls, track with whom we communicate, and follow our location, but it all involves a lack of consent.

A VPN is comprehensive, covering all your traffic, but it's also incomplete. Because it isn't fully end-to-end (it terminates at a data center somewhere), it's better at protecting weak local and nearby links, such as in a coffee shop or even at a local ISP.

Use client-to-server encryption. I remember a time when it was rare and a pain to use encryption for receiving and sending email. Now, it's nearly universally available, and Apple Mail and other email clients do their best to set up a secure connection by default. For any server connection, prefer or configure your settings to use a secure option. With some sites or services, you may need to set up your account first, and then use a security preference to require HTTPS or an encrypted connection. With software that uses Web services, preferentially find the HTTPS endpoint — you may have to search for it — instead of the plain HTTP one.

Like a VPN, client-to-server encryption has a termination point: if the mail, file, or other server is compromised by a criminal, an employee (including executives!), or a government agency's demands, your information can be intercepted. Data has to be encrypted and decrypted at the server, whether it's Dropbox, email, or what have you. Almost always, you can have secure transit (SSL/TLS, SSH, or other) and secure storage, but there is a stage in the middle where decryption must occur to move data back and forth.

There's work happening on the Web in this regard, too: many Web sites could and should use SSL/TLS, but the cost and technical complexity for small firms outside of ecommerce, finance, and health have prevented full-scale adoption. The Electronic Frontier Foundation just announced a plan called Let's Encrypt to integrate the creation, installation, and automatic renewal of security certificates for Web sites, which could dramatically expand encrypted Web connections, keeping one's casual browsing habits safe as well.

Use end-to-end or peer-to-peer encryption. The gold standard is having client software that allows for no compromise between users on either end, permitting only the parties on either side to interact with the data that's flowing. This has been relatively rare in the past, because a client/server architecture allows for heterogeneity — a fancy way of saying that you can have a clever server that speaks either a standard or can handle many different protocols, and then many different kinds of clients.
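To make the termination-point argument concrete, here is an added simulation that is not part of the article: a toy authenticated cipher built from HMAC-SHA256 stands in for a TLS session, and three constructed keys model the three links (Alice to server, server to Bob, Alice to Bob). With client-to-server protection the server holds plaintext in the middle; with end-to-end protection it only ever holds bytes it cannot decrypt.

```python
import hashlib
import hmac
import os
import struct

# Demonstration cipher only: CTR-style keystream from HMAC-SHA256 plus an
# encrypt-then-MAC tag, so the example runs on the standard library alone.
# Real software should use a vetted AEAD (TLS itself, or a library such as NaCl).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

# Constructed keys, one per link; only the two endpoints of a link hold its key.
K_ALICE_SERVER = os.urandom(32)  # Alice's TLS-like session with the server
K_SERVER_BOB = os.urandom(32)    # the server's TLS-like session with Bob
K_ALICE_BOB = os.urandom(32)     # shared only by Alice and Bob (end-to-end)

def server_can_read(blob: bytes) -> bool:
    """True if either of the server's own link keys decrypts the blob."""
    for key in (K_ALICE_SERVER, K_SERVER_BOB):
        try:
            decrypt(key, blob)
            return True
        except ValueError:
            continue
    return False

def relay_client_to_server(message: bytes):
    """Client-to-server model: the server is a termination point and sees plaintext."""
    on_the_wire = encrypt(K_ALICE_SERVER, message)
    server_holds = decrypt(K_ALICE_SERVER, on_the_wire)  # exposed here
    bob_reads = decrypt(K_SERVER_BOB, encrypt(K_SERVER_BOB, server_holds))
    return server_holds, bob_reads

def relay_end_to_end(message: bytes):
    """End-to-end model: the server forwards ciphertext it cannot open."""
    on_the_wire = encrypt(K_ALICE_BOB, message)
    server_holds = on_the_wire  # opaque bytes, relayed unchanged
    return server_holds, decrypt(K_ALICE_BOB, server_holds)
```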

Heterogeneity avoids the need for everyone to use the same client software, and makes the reach of a given service or product much broader, because it avoids platform or OS version lock-in. There are thousands upon thousands of email clients, even though a handful are the most widely used. Likewise, hundreds of Twitter clients remain, even after the firm tightened its access rules a few years ago.
