Mar 13, 2019 22:38:36

User's point of view on security, pt. 2

by @zyumbik (Gleb Sabirzyanov) | 1394 words

After reading the first part, you are probably thinking, “So what do all of those situations with the grandma mean?” We talked about the internals of internet communication — the process of accessing an internet resource is similar to a long chain of phone calls. Each and every one of those phone calls is open to all the risks of a call with your grandma. That's a lot of vulnerabilities!

Security comes with a price

Since each call is generally unsafe, the security gets lower with each call made. Hence the rule of thumb:

The more calls in the chain, the less secure the connection.

An obvious solution in this case would be to make as few calls as possible. However, unless you want to disconnect from the internet and live in a cave, you still want to make those calls, so you can't eliminate them completely. How do you minimize their number? Unfortunately, security comes at the price of convenience (and sometimes money).

We use passwords, secret codes, fingerprint sensors and other security measures that can prove our identity. It is not as convenient as logging in in one click, but it prevents others from accessing our data or even money.

The more secure the call is, the less convenient it is to talk.

If you and your grandmother developed a secret language which nobody else would understand, you would save yourself from a bunch of different vulnerabilities (though not all of them). However, it would probably be extremely inconvenient to learn this language and to process it in your head every time.

Encryption ≠ security

In technical terms, the “secret language” is encryption. You hear this word quite often nowadays, with all those services offering encrypted storage of personal data, secure encrypted connections and other wonders of the world. This wording gives you a false sense of security. To understand why, I'll explain how encryption works in general.

The goal of encryption is to turn words and images into symbol salad that nobody understands. You use a special key to turn your words into character salad and store this salad somewhere while keeping the key with you. Even if someone gets access to this mess (e.g. connects to the phone cable and listens to the signal), they would not understand a single thing. Only people who have the key can decode this salad and understand what you said.

I'll illustrate it with a simple example. In the simplest form, encryption is just replacing characters in a word based on some rule. Let's say we replace every character in the word with the next character in the alphabet. According to this rule A becomes B, B becomes C, C becomes D, etc. Let's encrypt the word APPLE with it. A becomes B, P becomes Q... in the end we get the word BQQMF. Do you understand what's written here? No, but if you know the rule — you can easily decode this word by changing letters in the opposite direction.

However, it's not very secure, because there is no key, and everybody who knows the rule can get your data. At the same time, keeping this rule secret and explaining it to everyone who needs to decode the message would be a tedious process. So you might want to use a key here and open the algorithm to everyone. What could be the key for this algorithm? It could be the “shift” applied to all letters in the word. In our case, it was 1 — we changed every letter to the first one after it in the alphabet. If the key were 2, A would become C, B would become D, etc. For a key equal to 3, A becomes D, B becomes E, C becomes F and so forth.

Although now we have a key, it's not very strong. There are only 25 possible keys — it would be easy for an attacker to find the one that we used just by checking all the possible keys and finding the one where the words make sense. With modern, more complex encryption algorithms, such a method would take years or even centuries to work, so modern encryption is quite secure. So does it mean that if data is encrypted, it is secure? Counter-intuitively, it does not!
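The shift rule and the try-every-key search from the paragraphs above, as an added example that is not part of the original post; the sample message and the small word list are constructed for illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(text, key):
    """Replace each letter with the one `key` places later, wrapping Z -> A."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(text, key):
    """Undo shift_encrypt by shifting in the opposite direction."""
    return shift_encrypt(text, -key)


# Constructed mini-dictionary standing in for "words that make sense".
COMMON_WORDS = {"THE", "AT", "ME", "MEET", "BY", "OLD", "APPLE", "TREE", "NOON"}


def brute_force(ciphertext):
    """Try all 25 keys; return (key, plaintext) with the most dictionary words."""
    best = (0, None, None)  # (score, key, plaintext)
    for key in range(1, 26):
        candidate = shift_decrypt(ciphertext, key)
        score = sum(word in COMMON_WORDS for word in candidate.split())
        if score > best[0]:
            best = (score, key, candidate)
    return best[1], best[2]


if __name__ == "__main__":
    print(shift_encrypt("APPLE", 1))  # the post's example with key 1
    # Constructed sample message, encrypted with key 3.
    secret = shift_encrypt("MEET ME BY THE OLD APPLE TREE AT NOON", 3)
    print(secret)
    # The key is never passed in: 25 guesses are enough to recover it.
    print(brute_force(secret))
```

The whole key space is searched in 25 decryptions, which is why the strength of a cipher depends on how many keys an attacker would have to try.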

In order to read your data, you have to decrypt it using the key. But do you remember, or even have, the encryption keys for all the services that store your data: Facebook, Instagram, Google and others? You don't, and it means that your data is decrypted somewhere along the call chain. Some caller in the chain has the key, and has to decrypt your data and send it to the next caller. Usually the caller that decrypts your data is a server. Who owns the server? Well, not you. And who has access to that server? Not you. And who can do whatever they want with that server? Again, not you, but a company or a person who owns that server.

So technically, before sending this data to you, a server owner could read it, print your photos and put them on the wall, or do whatever else they want — because you will not know. They might not even encrypt your data at all, although they say they do, simply because you will not be able to find out. So it's all a matter of trust: can you trust this service to store and process your data?

Third party

Even if you trust the server owner, your data is not 100% safe. There are third parties with access to this data that you might not think about, since the computer and everything inside it is a black box for most people. Firstly, your operating system. Be it Windows or macOS, you can't see how it works on the inside. Maybe they are secretly logging everything you type and do on your computer? Nobody knows. Linux is somewhat safer in this respect, since it's open-source software and everyone can read the code that will run when you install it. In the end, you have to trust the people who made your operating system.

Secondly, all the software installed on your computer and especially your browser. Are you using Chrome or Safari? Again, you don't know what's inside and can't be 100% sure that it only does what you see. Another big thing is browser extensions. Review the permissions they are asking for when you install them. If you give an extension the permission to read data on the site where you enter your credit card information, the creators of this extension may be able to access it if they include the necessary code. They don't usually do that, but still it's technically possible.

Thirdly, there are a large number of other third parties that may or may not be able to access your data, and you need to trust all of them too. Your computer parts manufacturers, internet service providers, the server's hardware manufacturers, people who wrote code for all the apps you use, and everyone who is standing behind you.

How to stay safe?

Now we can answer the main question: how to improve your security on the web? Although complete security is impossible, in order to improve it you have to minimize the number of third parties and be aware of those that you trust. Uninstall unnecessary apps and browser extensions, don't install things or sign up for services that you can live without, don't share more than you need to with them, and read the privacy policy, terms of service and other legal documents that are available on the sites of these services.

Doing all of that and refusing to use some useful services is inconvenient. But as we previously said, security comes at a cost of convenience. It doesn't mean that you have to ditch everything you used before. You are not a caveman, and you lived just fine before reading this, so don't become paranoid and obsessed with trying to stay safe. I hope this post will make you a bit more aware and explicit about who you trust.

So what do you want: stay relatively safe in the digital world or use all those cool apps and sites? The choice is yours.




