An Introduction to Encrypted Communication

By far the most secure and private way to communicate with another person is to whisper in their ear.

In today’s hyper-connected world, however, this is rarely practical, but more secure than you can imagine.

The need to communicate securely and privately with other individuals exponentially increased thanks to the tech boom.

While it's vital to keep your data safe, but also creates a severe challenge in your routine.

In this guide, we'll show you how to protect your online communications with ease.

Phone and SMS communication is not secure

The first thing to understand is that more traditional communications technologies are not secure. I’m sure you all know from TV shows we watched back when we were kids that phone calls could be “wiretapped.”

Encrypt Comm Sms Phone

Although the notion of a telephone “wire” now seems rather quaint, the ability to listen in on your calls is very much alive and present. Indeed, advances in technology now make it very easy to bulk collect vast amounts of phone data with little or no effort required.

Governments now routinely store and monitor your phone data. This includes mobile cell phone data and SMS data. Bulk collection usually only involves metadata.

This is bad enough, but because phone calls and SMS messages are not encrypted, it is trivially easy also to access their contents.

In other words, your government and other criminals can listen in on your phone calls and read your text messages.  The solution is to encrypt your communications so that only you and the intended recipient can participate in a conversation and/or read messages you send.

Encrypted Communication

The most straightforward analogy for encryption is a lock. If you have the correct key, then it is easy to open. If you do not have the proper key, then you can try to break the lock. To all intents and purposes, good encryption is impossible to break.

If we think about secure commutation, the idea gets more complicated. Everyone you wish to communicate with needs to be able to open the lock. The easiest way to achieve this is to entrust a third party (such as an email provider) to host your conversation on a centralized server that you all have access to.

This provides a certain degree of security because each participant in a conversation will connect securely to that server (most likely using HTTPS). The actual discussion itself (and records of it) will also probably encrypted to ensure hackers and other malicious actors cannot listen in.  But…

The Problem with Encrypted Communication

For this, to work you need to trust the third party host to secure (lock) the conversion. This means that the host has the keys, and can “open” the conversation whenever it wants (or is required) to.

Encrypted Message

That is, it can listen in on it and access all records of it at a later time. In the case of text conversations, this almost always means it can access all the content of your messages. Most email and messaging services have strict privacy policies that promise not to abuse this position of power. But since this position of power exists, it can be exploited.

Almost every day we read about hackers compromising so-called secure online services, and law enforcement agencies routinely serve legally binding subpoenas and court orders to communications services for information belonging to their users.

So communications hosted and stored by a third party simply cannot be considered truly secure.

End-to-end-encrypted Communication

Widespread alarm at the scale of online surveillance has accelerated the development of solutions to the above problem.  And the key to any such solution is end-to-end (e2e) encryption.

This means that you encrypt communications with your keys. They can only be decrypted by those you choose to share your keys with. This removes the need to trust any third party to keep your data safe.

The big technical challenge is finding a way to share your keys securely, and verifying that the person you think you are sharing them with really is that person. Done well, however, end-to-end encryption is the only way to guarantee communications are genuinely secure.

Open Source

Open Source

Open source software is software whose source code has been made publically available by its copyright holder. This means that it can be independently audited for errors and to ensure that it isn’t doing something it shouldn’t.

With closed source code there is no way to know what the code is really doing, and so closed source code cannot be trusted to keep your communications secure. For this reason, you should only believe open source apps and programs to keep your conversations safe and private. For further discussion on this subject, please see Why Open Source is so Important.

Types of Secure Communications

There are three ways you can communicate securely over the internet. From least to most secure they are:

  • End-to-end encrypted email
  • End-to-end encrypted VoIP (internet telephony)
  • End-to-end encrypted messaging

End-to-end Encrypted Email

Traditional email is one of the least secure ways to communicate. There are ways to improve this situation, but even then, email is best avoided if security is paramount. As a world-renown cryptographer and privacy advocate Bruce Schneier once noted:

Locked Email

“I have recently come to the conclusion that e-mail is fundamentally unsecurable. The things we want out of e-mail, and an e-mail system, are not readily compatible with encryption. I advise people who want communications security not to use e-mail, but instead use an encrypted message client like OTR or Signal.

This is good advice, and I will discuss OTR and Signal later. That said, email is a necessary evil of modern life, so you should try to make it as secure as possible.

To do this, you have three options:

  • Use PGP to encrypt emails with your existing email service
  • Switch to a secure private email service that offers e2e encryption
  • Self-host your own email server.

PGP

Pgp Online

Pros:
  • Free!
  • As secure as email will ever get
  • Works with your existing email service
Cons:
  • The very steep learning curve
  • Good luck getting others to join you!

PGP is a free and open source protocol for securely encrypting emails, and it can be used with your existing email provider. If done right, it will very securely encrypt the contents of your emails, but not metadata such as who you sent them to and when.

If done correctly, PGP is undoubtedly the most secure way possible to send an email. But that “if done correctly” bit is a killer. Using PGP is complicated and confusing for even the more technically competent among us.

This not only means it easy to make mistakes that can compromise the security of your emails but also makes it very unlikely that you’ll be able to rope many of your friends, colleges, and associates into the PGP madness.

Locked Message

But it is the most secure way to send email yet devised.

The Mailvelope browser extension makes using PGP easier but suffers from the same weakness as other browser-based cryptography (see below). It does mitigate this, though, by allowing you to validate a key pair by comparing fingerprints with the sender.

This does not entirely solve the problem if the developers of Mailvelope start to push out malicious updates but does go a long way towards it. And although probably the most comfortable way possible to do PGP, it is still quite a pain in the ass to use.

Secure Privacy Email Services

ProtonMail Webshot

Pros:
  • Easy and convenient to use
  • A lot more secure and private than regular email
  • Metadata hidden (depending on service)
  • Can send encrypted emails to non-users (depending on service)
Cons:
  • Browser cryptography is not very secure
  • You will probably have to pay for it

ProtonMail was the first email service to offer true end-to-end email encryption that is as convenient and easy to use as Gmail. It does now have some excellent competition, however.

In addition to securely encrypting the contents of messages, many of these services will minimize the metadata sent by stripping IP addresses from emails. Very groovy is the fact that some of these services even allow you to send encrypted emails to others who do not use the service.

One downside to all these secure privacy mail services is that, while they are infinitely more secure than regular email, they are nowhere near as safe as adequately done PGP. For many, this trade-off between total security and the convenience these services provide is easily worth it.

The other big downside is that to get the most out of these services you will need to bite the bullet and actually pay for them. In my view, however, switching to secure private email service is one of the most important things you can do to improve the security of your day-to-day communications.

Please see Secure Privacy Email Options for a detailed look at some of these services and for a complete discussion on why browser cryptography is not very secure.

Self-hosted Email

Encrypted Comm Guide Mailcow

Pros:
  • You 100% control your email!
Cons:
  • Hard to do
  • Hard to get right
  • Needs regular maintenance
  • Can give a false sense of security

A more extreme option to either of the above is to self-host your own email server. This can either be done on your own PC, or on a rented server. This pretty much guarantees that Google and the like will not be snooping on your emails (at least directly – they will still be able to read unencrypted emails sent to users of their services).Self-hosted email

Setting up and maintaining your own email server, however, is a non-trivial job for even the more technically inclined.  And as Hilary Clinton learned the hard way, ensuring that it is secure is even more difficult. In fact, if not done right, then running your own email server can be dangerous as it provides a false sense of security.

That is not to say it is impossible, though, and there are plenty of privacy fanatics out there who swear by self-hosting their email.

Software such as Mail-in-a Box and Mailcow make the job easier by automating the process, but for maximum security, you should build your own server from scratch. Excellent tutorials on how to do this can be found here and here.

End-to-end encrypted VoIP

VOIP

Voice over Internet Protocol (VoIP) allows you to talk to others over the internet in much the same way as using a regular phone – often with the bonus of allowing video conversations.

Unlike VoIP hosting services such as Skype (which is known to hand conversions over to the NSA), end-to-end encrypted VoIP apps ensure that only you and confirmed participants that you have invited can hear or see what is said.

Signal

Signal Webshot

Pros:
  • Open Source and fully audited
  • Uses strong encryption with Perfect Forward Secrecy
  • Now available as a .apk file, so no need for Google Play Services framework
  • Stores almost no metadata
  • Group chats are encrypted
Cons:
  • Contacts are matched using real phone numbers
  • (but these numbers are not revealed to Signal)

Signal is widely regarded as the gold standard for secure text messaging (see below), but it also features VoIP capabilities, including video calls.As of March 2017, Signal’s voice and video calls are secured using the same Signal protocol that secures text messages.

Jitsi

Jitsi Webshot

Pros:
  • Open source
  • Secure
  • All the functionality of Skype
Cons:
  • Not Signal

Jitsi is free and open source software that offers all the functionality of Skype on the desktop. Except all VoIP conversations are encrypted using ZRTP. This includes voice calls, video conferencing, file transfer, and messaging.

The first time you connect with someone, it can take a minute or two to set up the encrypted connection (designated by a padlock). But the encryption is afterwards transparent. As a straight Skype replacement for the desktop, Jitsi is challenging to beat.

End-to-end encrypted messaging

Signal is widely regarded as the most secure way yet invented to communicate over distance.  The Off-the-Record Messaging (OTR) protocol, however, is also excellent.

Signal

Pros:
  • Open Source and fully audited
  • Uses strong encryption with Perfect Forward Secrecy
  • Now available as a .apk file, so no need for Google Play Services framework
  • Stores almost no metadata
  • Group chats are encrypted
Cons:
  • Contacts are matched using real phone numbers
  • (but these numbers are not revealed to Signal)

Although a desktop version does exist, Signal is primarily a mobile app. It replaces your phone’s default text messaging app and uses your phone’s regular contact list. If a contact also uses Signal, then any messages sent to or received from them are securely end-to-end encrypted.Encrypted Communication

If a contact does not use Signal, then you can invite them to use the app, or send an unencrypted text message via regular SMS. The beauty of this system is that Signal is almost transparent in use, which should make it easier to convince friends, family, and colleagues to use the app!

Some may consider the fact that Signal uses your phone’s contact list to match you with other Signal users a privacy risk, but your contacts are not revealed to Signal. In fact, the only metadata information Signal retains “the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.” This claim has been proven in court.

In the past, Signal’s reliance on the Google Play Services framework to push message notifications concerned privacy fanatics, but it is now officially available as a .apk file. So no need for Google Play Services framework.

OTR

Encrypted Communication Guide Pidgin Messenger

Pros:
  • Open source
  • Secure
  • Contacts are identified by pseudonyms
Cons:
  • Mainly desktop only (except Adium)
  • Not as secure as Signal

PluginThe OTR protocol is not as safe as that used by Signal but is nevertheless very secure. It was developed as a plugin for the Pidgin messenger, but can be used as a plugin for other messenger apps such Miranda IM. OTR is also natively supported by other messengers such as Jitsi (for text), Adium and Gibberbot (developed by The Guardian Project).

OTR is used mainly by desktop messenger apps, although Jitsi is now available for Android and iOS. Thanks to Jabber/ XMPP, most OTR-compatible apps can seamlessly talk to each other.

One potential advantage OTR has is that pseudonyms identify contacts rather than matched using real-world phone numbers. But as I have discussed, I do not consider this to be a significant problem with Signal anyway.

Addendum

A note on apps that use the Signal protocol

As I’ve said, Signal has become the gold standard for secure end-to-end encrypted messaging. This reputation has encouraged some reasonably unlikely-sounding companies to partner with it to protect their users’ privacy and security with the underlying Signal protocol.

WhatsApp, Facebook Messenger, and Skype now all use the Signal protocol to end-to-end encrypt messages. In theory, this means users of these favorite messaging apps can communicate with each other just as secure as if using the Signal app itself….Skyep WhatsApp Messenger logo

Except for the fact that these apps are closed source proprietary software, so there is no way to know for sure that they are not sending a copy of users’ encryption keys back to Facebook or Microsoft. And even if they are not now, malicious code could easily be slipped into future updates.

The actual Signal app, on the other hand, exclusively uses fully audited open source code which you can even recompile for yourself should you wish.

On the other hand, however, you probably have a bunch of friends and associates who already use WhatsApp, Facebook Messenger, and Skype, and who are unlikely to switch to Signal any time soon. Despite some theoretical issues, the fact that they now use end-to-end Signal encryption is a significant win for privacy and security.

A note on Telegram Messenger

Telegram Messenger is notorious because of its wide-scale use by ISIL. Indeed, this notoriety has fueled a popular conception that Telegram is highly secure and private, and you will often see it recommended in articles such as this one.

This is unfortunate because it is not a view shared by privacy and security experts. Like Signal, Telegram authenticates users using their phone numbers, but unlike Signal, Telegram Messenger LLP stores this information.

Telegram Webshot

This means it can (in theory) associate non-end-to-end encrypted conversations with individual users. Would it ever divulge this information to governments? Probably not, but who knows?

Of more concern is the fact that Telegram stores this information on its servers. It is therefore vulnerable to hacking and surveillance. In Russia last year, two activists’ Telegram accounts were hacked, probably by Russian security services with the cooperation of the activists’ mobile provider.

Central to Telegram’s privacy and security claims is its Secret Chat option. This uses end-to-end encryption to allow for private and secure conversations. The Telegram has been heavily criticized for not enabling Secret Chat by default. Unless you specifically activate Secret Chat, messages sent using Telegram are not secure.

Telegram logo

This means that Telegram Messenger LLP and hackers could access them. When combined with Telegram’s method of authenticating users using their phone numbers, this makes it very easy for governments to seize accounts and access unencrypted messages.

In addition to this, researchers are critical of the encryption used by Telegram. Rather than use tried, tested, and fully audited encryption standards, Telegram uses its own MTProto encryption protocol. Roll-your-own encryption is widely regarded as a significant no-no by security experts.

To make matters worse, although the Telegram client is a primarily open source, it contains some elements (called binary blobs) that are not. Some experts have also criticized Telegram for being slow publishing recent versions its open source code. This is a security problem, as the code could be modified without anyone being aware of it.

So to cut a long story short, I do not recommend using Telegram if privacy and security are a priority for you.

Conclusion on Encrypted Communication

Innovations such as ProtonMail and Signal have had a massive impact on the encrypted communication landscape. The rise of end-to-end encryption, in general, and Signal in particular, means that it is now possible to remotely talk to other people more securely and privately than ever before.

Although not without issues, the fact that the world’s most famous messenger apps now use end-to-end encryption courtesy of the Signal protocol is very significant.  It means that even if they are oblivious to it, ordinary people’s day-to-day communications are also more secure than they have ever been.

Written by: Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

0 Comments

There is no comments.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.