What Really Happens At The Post Office? (Part - 2)

How End-to-End Encryption may lead to potential security threats, within a centralised framework.

Shaan Bhattacharya
Jul 26, 2018


Welcome back! Now that you have learnt about ‘encryption’ in my previous article, let’s move on to the next level: End-to-End (E2E) Encryption, another term that most of us have come across in some of our social networking apps. Some of us may also have a basic understanding that if a service is E2E encrypted, then the service provider or other third parties can’t read our messages or listen to our calls. That’s a relief! But does that mean our communications are secure to a major extent? Let’s find out!

I am going back to the same ‘post office’ analogy to explain how E2E encryption works within a centralised framework. After coming to know that the post office authorities validated my mail every time I posted a letter to my fiancée, I wanted to check whether there were any options where they wouldn’t read my letters. I wasn’t okay with the idea that, in the name of validation, they were peeping into my personal life!

Turned out there was an option! They suggested that I should opt for their premium courier-box service at an upgraded price. This service lets senders number-lock the letters/documents in a box, and the postmen deliver those boxes to the recipients. When a recipient receives the box, the respective sender shares the code with them over a phone call for them to unlock the box. That’s how the content remains private, out of a third party’s reach. It sounded like a good option to me! Though, as a post office protocol, I still had to keep a copy of my letters with them for their records. But, I didn’t mind as the copies also remained in a number-locked box. This is a real-world example of how E2E encryption operates within a centralised set-up. Now, let’s go back to the instance to see where it can go wrong!

Since using a courier-box seemed to be a safer option, people who wanted to send money orders, cash, or valuable documents like property papers and wills used that service frequently. As a result, post shops were an easy target for burglars or gangs! Unfortunately, one such group happened to attack the same post office that was offering me its services. As expected, my courier-box was filched too, along with others’. Not the original one though; that had been delivered already. The copy that was kept for their records was stolen. And there I stood again, perplexed! Going those extra miles to make sure my privacy remained intact was all in vain! The post office authority tried to console me by saying that the letters were still locked in, so the gang might not be able to get their hands on them. But did I believe them? For a gang that could break into a post office, breaching different levels of security, how difficult would it be to break open a box? Even if it took them some time, sooner or later it was going to happen!

I hope you understand what I’m getting at. The E2E encryption process within a centralised arrangement works in much the same fashion. Our messages and calls stay protected from third parties because they are E2E encrypted, but even then, that may not provide comprehensive security. Security experts have suggested time and again that our data is most susceptible to threats not when it’s in transit, but when it’s stored (like in the post office)! Like the post shop, the servers of communication service providers often fall on cybercriminals’ radar because of the amount of data they store! Now imagine that your banking data happens to be stored on one of the servers that’s under attack, or records of communications between you and your stockbroker, who is investing big money on your behalf. Alarming, isn’t it?

The other concern is that, by allowing service providers to store our communications, we constantly remain at their mercy. Even though all communications are E2E encrypted and they can’t access them today, that doesn’t mean it cannot happen in the future! If they decide to revise their ‘privacy policies’ at any given point in time, then we may have to give them the authority to go through our data as and when they want to, if we wish to continue with their services.

Now, in light of those facts, do you still think the centralised E2E encryption process protects our data in the truest sense? Think carefully! The good news is that there is another approach that can provide much better security for our data! There’s something new (well, not that new) in the market that, when combined with the E2E encryption process, improves safety and confidentiality to a major extent! Let’s get to know more about it in the last article of this series.

For more related articles, follow our blog post, and stay connected on Twitter, Facebook and Telegram. See you in the next one!
