2013/07/08

Cryptography for Everybody: Introduction

The latest stories about governments spying on pretty much everybody sparked my interest on privacy and cryptography again. I will be writing a series of blog posts about tools and methods that make life a lot harder for NSA and friends, focusing on easy to use apps and easy to follow tips for everybody (and not just computer science experts). I will not go into much technical detail if it can be avoided (you will not see math at all!).

Problems with cryptography

I'll start off with a list of problems that I see why cryptography is not used. This list is later used to evaluate the tools and methods that I will suggest.

It's complicated

If you don't do cryptography correct, it almost immediately becomes pointless or vulnerable to some form of attacks. The math that's involved behind every cryptographic procedure is seriously hard and must be followed exactly. This is also a problem for people developing tools in this area (see the history of cryptocat).

It's cumbersome

Nobody wants to enter passwords all the time, nor does everybody have the ability to remember over 9000 passwords. Cryptography must never be in the way of the object the user is trying to accomplish or it will be disabled immediately.

It's irritating

People that don't know about cryptography often don't know what to do with cryptographic software or encrypted information and the internet is not really helping them either. Also, many people think that cryptography is only for people that do something illegal and if you don't do anything wrong you don't have anything to hide. In fact everybody has something to hide and should do that as much as possible.

It's frustrating

When you get an encrypted message that you can't - for any reason- decrypt, you feel like you lost something. It sucks to lose messages of friends, family or even business partners, but on the other hand it would be absolutely idiotic if you could decrypt the message with easy methods - others would be able to do the same.

It's not used

Most of my emails are written to other people that are in the software business as well - and less than 1% of them ever bothered to install any cryptographic tool for their email. Cryptography is not in widespread use and this is used as an excuse for not using it. The thing with problems is this: they normally don't go away by themselves. This circular reasoning is used in many discussions and never helps to solve the problem.

Benefits of cryptography

Since there is quite some bad stuff, what's the good stuff?

It keeps things private

Privacy is a fundamental human right that is violated all the time, without the victim noticing it. The EU has implemented a data retention directive that was just recently installed in Austria. Most people think that it's not a big deal when their communication metadata is stored. What they do not realize is that this makes them trackable close to 90% of the time. Imagine there's a guy standing at virtually every corner in a whole state, no matter where you go, that writes down who comes past, where he came from, where he's going to and who he is talking to. Sounds scary, right? That's exactly what data retention does - it keeps track when and where your cellphone is connected and who you are talking to.

I know who I am talking to

Cryptography can also be used to make sure that somebody on the internet is indeed the person he claims to be. Faking the sender address of an email is a very easy task and less experienced users will have problems noticing the difference and signs. However, when your email program tells you in big red letters "signature verification failed", even them will have a closer look at what is going on and hopefully ask somebody (or call the "original" sender by phone) before sending out personal data.

It brings peace of mind

If you set up your cryptographic tools once and do it correct, you will have a lot more security on your side immediately. It will be a lot harder for anybody to attack you, which in term will make it less likely to happen. If you use the right tools you will not face a lot of overhead and will, after a while, not even notice the fact that your life got a lot more secure.

What does this teach us?

I am 100% sure that I did not list all negative aspects of cryptography, nor all the positive ones. The interesting thing is this: The good stuff is about your life and security, the bad stuff is about the work and the effort needed. This means that your life will get better, which is great,  but some of the tools are bad - they must be substituted with something usable. I will therefore focus on easy to use tools that are secure in the next posts.