The SafeLogic Blog

I'm nervous... but I'm also inspired.

I'm nervous because there is a widespread lack of understanding of the basics of encryption, and I'm seeing improper and even insecure implementations of encryption.  These create vulnerabilities and potentially lead to the compromise of data and break of privacy.

You've likely seen the wave of press on PRISM (here's a good primer).  I'm not going to debate the privacy or ethical implications of this program.  That's not my place.  But it's very serious stuff. You need to stay aware of it, as it has implications for all of us, and it deals with your data (well, maybe yours, depending upon the EULA with participating companies).

In related news, Ars Technica released a report that Skype messages appear to not be encrypted end-to-end.  The messages are apparently decrypted at the server, then re-encrypted for transmission back down to the peer.  Now, I haven't seen any claims from Microsoft for "end-to-end" encryption, and presumably they're filtering for spam, malicious links, etc., but now your chats, links, files, and everything else are being stored on a server somewhere outside your control. Someone you don't know and someone you shouldn't trust has access.

The Skype issue doesn't bother me so much. I don't have extremely sensitive chats over Skype. I pick up the phone for that.  Oh, wait... that's no good either?  Sigh.

Security is such a complicated field.  End users feel good when their solution provider says, "Trust us, it's secure!" (SnapChat, anyone?)  The public sees the little padlock icon and they feel assured.  But have you ever hit a $9 combination lock with a sledgehammer?  I recommend you try that experiment before you trust one.  

So what's under the hood of these "secure" solutions?  Is it a rock-solid cryptographic library that's been tested and validated to strict standards?  And perhaps more importantly, is it implemented properly?

Here's the fun part.  Instead of getting discouraged, aggravated, or just plain scared, I'm inspired by these questions.  We're working hard to change all that and provide answers. These problems can be solved by using strong encryption the right way. We are giving users and developers the capability to protect their data with validated encryption and to control their cryptography. We are working with leaders in the mobility and cloud spaces to make this happen. We are seeing customers rip out home-grown encryption and replace it with verified, validated libraries. We are seeing teams re-architect products specifically with security and encryption in mind.

At the end of the day, we're helping protect data.  User data, corporate data, financial data, healthcare data.  That, my friends, is inspiring.