Home News Ben Hopkins

How would Snowden keep a secret?

4 February 2014

Big Brother might not be hiding behind your webcam (at least not yet), but the US National Security Agency’s extensive monitoring of individuals’ private online and phone conversations, revealed by Edward Snowden, evoked plenty of references to George Orwell’s police state. And if the US are doing it, we can be pretty sure that other security agencies around the world are doing it too. 

With online privacy an increasingly important issue for government agencies, international corporations and private individuals alike, we talked to Julia Salnik from VIPole, an ultra-secure online messaging service, about online communication and how to keep it secret.

Who is interested in secure communications?

For governments secure communications is, of course, a must, while for business people it is also critical. Individuals’ interest in secure communications tends to depend on their work, the importance they attach to personal privacy and their level of engagement with contemporary trends. 

We reckon that maybe 10% of normal internet users are required to use secure communication tools because of their job, while perhaps 5% do so because they strongly value their privacy. On top of that, as many as 20% of people are responsive to modern trends and PR campaigns which point them towards secure communications tools.

These groups, naturally, overlap. Taking that into account, we think that around 15% of ‘normal’ internet users are concerned about securing their online communication. As the internet becomes a bigger and bigger part of people’s lives, and monitoring tools become ever more sophisticated, we expect the demand for secure communications tools to grow.

How secure are popular messaging services like WhatsApp, Snapchat, Skype etc.? What about Telegram, the service launched by VKontakte co-founder Pavel Durov? Is it as secure as he claims it is?

Most modern messaging services can be divided into three groups:

1: No encryption at all. All data sent and received is transmitted “as is” and can be read by anyone able to capture it from network channels or servers. 

2: Encryption of client-server connections. 

While data is ‘travelling’ it is encrypted. However, the messaging service servers through which all messages pass decrypt the data before re-encrypting it and sending it on to the receiver. This data is sometimes stored on the server, for example, so that it can be sent later to users offline at the moment of sending. 

This means that all user data can be accessed in plain form on the servers. Skype, WhatsApp, TLS-enabled Jabber (XMPP) and many other popular services use this approach. Durov’s Telegram service has its own encryption protocol (MTProto) but it also belongs in this category - the data is only protected during network transmission and is not protected on the server from server operators. However, a “secret chats” option featuring end-to-end encryption was subsequently added for level 8 of the Telegram API.

3: End to end encryption. 

Upon sending the data is encrypted in such a way that it can only be decrypted by the receiver’s client. This means that messages cannot be read by servers. 

There are a few services offering this level of security. In the US the most actively promoted service is Silent Circle, co-founded by Phil Zimmermann (whose PGP technology is a popular tool for email protection). OTR (Off-The-Record Messaging), an open source end-to-end encryption protocol, is also popular and is used by many open source messengers (including Pidgin, Adium and IM+).
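
The difference between groups 2 and 3 above, as an added sketch that is not part of the interview and is not the protocol of VIPole, Telegram or any other service named here. The function names are illustrative, and an X25519 exchange with AES-256-GCM stands in for both the client-server link (TLS in practice) and the end-to-end layer.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// box keys AES-256-GCM from the X25519 secret of (mine, theirs), SHA-256 as KDF.
func box(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) cipher.AEAD {
	secret, _ := mine.ECDH(theirs) // errors are dropped for brevity in this sketch
	key := sha256.Sum256(secret)
	blk, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(blk)
	return gcm
}

// seal prepends a fresh random nonce; open fails on a wrong key or altered data.
func seal(a cipher.AEAD, msg []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce)
	return a.Seal(nonce, nonce, msg, nil)
}
func open(a cipher.AEAD, b []byte) ([]byte, error) {
	return a.Open(nil, b[:a.NonceSize()], b[a.NonceSize():], nil)
}

// serverHolds returns what the server has after terminating the encrypted client link.
func serverHolds(payload []byte) []byte {
	client, _ := ecdh.X25519().GenerateKey(rand.Reader)
	srv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	held, _ := open(box(srv, client.PublicKey()), seal(box(client, srv.PublicKey()), payload))
	return held
}

// endToEnd is group 3: Alice seals to Bob's key before the message leaves her client.
func endToEnd(msg []byte) (held, bobReads []byte, err error) {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	held = serverHolds(seal(box(alice, bob.PublicKey()), msg))
	bobReads, err = open(box(bob, alice.PublicKey()), held)
	return
}

func main() {
	held, read, err := endToEnd([]byte("meet at 9")) // constructed sample message
	fmt.Printf("server holds %x\nBob reads %q (err=%v)\n", held, read, err)
}
```

Passing a plaintext message straight to `serverHolds` is the group 2 case: the function returns the message itself, which is exactly what a server operator could read or store.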

What about VIPole? 

VIPole is another end-to-end encryption service. While it is just as secure as these services, it is also much more convenient to use thanks to the key management system. With other services, private keys (that encrypt and decrypt messages) are generated at the start of a secure messaging session with another user, and lost or destroyed at the end of the conversation. This means that secure sessions are bound to a specific device and period of time.

In contrast, VIPole provides permanent private keys to users, enabling them to connect to the server from many devices simultaneously, synchronize data between all devices, send messages to offline users and store messages and files to be downloaded later. 

|  | Others | VIPole |
| --- | --- | --- |
| Each client knows a secret that is used for end-to-end encryption and is not known to the server | Yes | Yes |
| User secret is permanent | No | Yes |
| End-to-end encryption is enabled | Only in special secure sessions | Always |
| Synchronization of end-to-end encrypted data between multiple clients (devices) of the same user connected to server | No | Yes |
| Storage of end-to-end encrypted data at the server | Partial, only while the secure session is alive | Yes |
| Sending end-to-end message to offline users | Partial, only while the secure session is alive | Yes |
| Group chats with end-to-end encryption | No | Yes |

How secure are messages sent using VIPole?

VIPole is very secure. Due to the key sizes and cryptographic algorithms used by VIPole, it would take many, many years to decrypt them. The service provider itself is unable to read user data, and the only thing it can provide, if required by government security services, is a mess of encrypted data. 

With VIPole all messages are also stored in encrypted form on the server and client computer. This means that even if a computer is stolen, an unauthorized person cannot gain access to it, and the data can be restored by the client on a new device.

Could your service be used by criminals or terrorists to avoid detection by the security services? Does this concern you?

VIPole is a tool to help people keep their business and private lives private, not a tool for crime or terrorism. Of course, it can be misused by ‘bad’ people, just as they can misuse cars, planes and mobile phones.

If officials suspect a VIPole user of engaging in illegal activities and obtain a court order, VIPole can cooperate in three ways. It can block that user so that he/she cannot log in to the VIPole server. It can disclose the IP addresses from which the user logged in to VIPole and it can transfer the encrypted data on the VIPole server to the authorities. However, this data cannot be decrypted unless the user discloses his/her own private keys.

* * * * 

It’s quite clear that in the virtual world, just as in the real one, individuals need to take active steps to ensure their personal privacy. Tools like VIPole make this possible, but most people are yet to double-lock the door on their virtual private lives. I bet Edward Snowden has. 
