Wysteria    Home    Archive    Feed

Love, Encryption, and Other Delusions

Jan 24, 2023

What are some of the most important things in this world? Your belongings? Your pets? Your friends? Your loved ones? What if I told you it was none of those, what if it was your data? The stuff on your phone or your computer, yeah, that stuff. That’s (probably not) the most important thing, but it still holds a lot of value. People can use it to know all sorts of stuff about you, and you give out a lot of it, a lot more than you think. So what if we put a stop to that by encrypting it? Making it so only those with the keys can see it. Well, lets discuss the how, and see if its worth it or not.

VPN

I think when people think about encryption, one of the first things to come to mind are VPNs. The ads always say that your internet traffic is encrypted and secure, that you can browse safely and not have to worry about your data, that no one can spy on you, but this assertation is incorrect. To better understand, its best to first understand how the internet works. Think of it like the postal network. Whenever you want to see a website, you first have to send a letter to the server asking for a copy of it. So you write your message asking for it, put it in an envelope, write the address of the server and your return address, and send it off. This letter makes it way through the internet and arrives at the server. The server opens it, reads your message, writes a letter for you with the website you wanted on it, puts it in an envelope, writes the addresses, and sends it back to you. So where do VPNs come into play? It acts as a middleman. You want to visit a website, so you write a letter to the VPN, who then writes another letter to the server. The server sends the letter to the VPN, who then sends that back to you.

So what does this accomplish? Well, a whole lot of nothing. The VPN does not offer any special encryption or anything, your letter is already in an envelope, people cannot see inside it. That is what the https before the website means, its a secure connection. No one can intercept and read the message inside the envelope, regardless of if you send it to the server or the VPN. Most modern websites have that https, but be warned, some older or more insecure websites might have just http, which in that case your message can be intercepted and read, so be careful to not send sensitive data to http websites. Then, what does the VPN really do? It masks who you are to the server, and it makes it so the postal worker delivering your mail doesn’t know what server you want websites from. That is it. If you use the VPN, the server only sees the VPN on the return address, not you. If you use the VPN, when you get letters the return address will be the VPN, not the server. This is not to say VPNs do not have practical uses, its just that they don’t really offer many benefits to most people. Unless you’re trying to get around some web barriers or watch streaming services in another country, its not worth it.

Messaging

To me, this is where things get exciting. Well, as exciting as talking about data security can be. This is probably the thing people use their computers or phones for the most in their life. Messaging. Communication. Exchanging thoughts and ideas with other people. Everyone does it, so where does encryption come in? Lets revise the postal service example from before. Lets say I want to send a message to my friend. I write it, put it in my mailbox, it gets taken a central post office, and then delivered to my friend. Simple, right? Same thing in reverse for when I get a message from my friend. They write the message, it gets taken to a central post office, then it ends up in my mail box. But we have to think about how we write these messages and how that relates to encryption. This is where it starts to differ. Normally, my friend and I exchange postcards, so we write out messages on those. The issue? Everyone at the post office can see my message. There isn’t anything protecting it from prying eyes. This is encrypted messaging. Encrypted messaging would be putting my message into an envelope before sending it off. The postal workers cannot see through the envelope, only my friend can open it and see whats inside.

To remove this from the analogy a bit, the post office is going to be whatever messaging service you use. Discord, WhatsApp, Telegram, Signal, Email, whatever. It really doesn’t matter. What matters is if the service has end-to-end encryption (E2EE) or not. This is the key point, the putting the message in the envelope. With out it, the server sees your message before passing it along to your friend. Who knows what the server is doing with that. It could be reading it, keeping a copy of it, maybe even sharing it with other people you don’t want seeing it. I don’t know about you, but I personally don’t like the idea of my messages being seen by people who are not the recipients of them.

So, it seems like using E2EE messaging services for private discussion is good, right? Well, almost. Switching to an E2EE service just for private discussion is probably not the best idea. If someone is monitoring your mailbox and they see a bunch of postcards with your friends, but then suddenly it switches to envelopes, what does that tell them? Clearly, this is abnormal behavior. Normally you are fine with the risk of people reading your message, so why change now? You must have something to hide. Its suspicious. So just completely switch over to E2EE services, right? If only it were that easy. I touched on this a bit in my post on messaging services, but there’s a little something called the network effect. As more people use a network or service, it becomes more appealing for people to join, but the inverse is true as well. If there are few people on a service, people won’t want to join. And this is a major issue with E2EE messaging services. They aren’t very big or popular. Think to yourself now, are you or any of your friends on E2EE messaging services? Are any of their friends on them? It may be easy to make an account and start using it, but what about your friends? Why would they switch over when all their friends and most people they meet are already on the one they use? This is the fundamental issue, but we need to help others to understand why its important to switch, or to at least try.

But lets say you get over that hurdle, is there anything else to worry about? Of course there is, I’m writing this paragraph. Your letter, even if its in an envelope, still needs the address on it. This information, the metadata, can still be used to paint a picture of whats going on, especially if the other person is less secure about data. Knowing who and when a message was sent is a lot of information, even if it doesn’t seem like much. It can be used with other sources of information to paint a bigger pictures about what you’re up to. So what can be done about it? Not much. You can either trust a service like Signal to not keep that information around. They seem to make it pretty clear they don’t keep much of any informative data on their users. But what if you don’t trust Signal, what about something you can host for yourself, like XMPP or Matrix? Matrix is a complete mess when it comes to its federation. Copies of messages are sent to every recipient’s home server in a chat, so good luck trying to scrub them from other servers. XMPP doesn’t do this (citation needed), but XMPP has other issues. It feels like I’m saying the same things as the messaging services blog post, but they all have different quirks and all kinda suck. Regardless, evaluate your threat model to see if you even need to care about this kind of stuff, most people probably don’t.

Disks

Why do you lock your house? To keep unwanted people from getting in and going through your stuff. So why don’t you encrypt your hard drive? Your data may be behind a password while using your computer, but anyone can power it off an connect it to their own and use it like a massive USB stick. Encrypting it prevents that, but its not the end all to protecting your data. After all, if you let someone into your house, they still have access to everything in the house. That’s why encrypting individual files is also important. Its like putting things in a safe. Even if it gets stolen, the thief has to crack it open to see whats inside. Really, most of this stuff is not as important for protecting your data unless you’re in some situation where you are being physically targeted. For most people this might be a thief stealing a laptop, but targeted attacks are still possible.

Even if its mostly useless, you still should. Why? After all, its kinda suspicious to hide things when everyone else isn’t. But to ignore privacy because you have nothing to hide is like saying you don’t need free speech because you have nothing to say. It doesn’t matter if you want to encrypt your data in case of petty theft or if you have actual secrets to hide, its still worth taking the steps to ensure some privacy to make sure you have control over your life.

Does it Matter?

Yes. These days, your data is the most important thing about you. Our behaviors and activities are described with the data we create, and this data can end up in the wrong hands. People can discover so much about you from it. Your messages, what you do, where you browse on the internet. All this paints a picture of who you are. Even your deepest secrets can be exposed. And this can be used against you. Your once private secrets can be exposed, but more applicable are your habits and likes being used to show you aggressively personalized ads. Ever wonder why it seems like the ads can read your thoughts? Its because they know everything about you. Either way, this information is being weaponized against you, like it or not. The question is, will you take action?