Tuesday, September 17, 2013

When is Encrypted really Encrypted?

   With all the discussion on the NSA and what they can, and cannot, see, collect and decrypt on the net, the picture is pretty muddy.  Google has the announced plans to enhance their encryption.  Perhaps most confusing is what this means for home users.  Is your data safe?  Is it being collected?  Who can see your data and how can it be kept private?

   First, a few concepts... you can skip this and jump right to the "how-to's" if you want.  Without getting too deep into the bits and bytes, there are basically 2 forms of encryption: transport and file.

   Transport encryption is perhaps the more common type of encryption these days.  It's kind of like road going through a tunnel.  To an outside observer, cars go in one side and come out there other.  If the tunnel is really long, so that the observer can't see the entrance or exit, they won't even know if there are any cars coming through.
   This is a good analogy, because we usually refer to encrypted transport as tunnels.  This is the kind of encryption you use for online shopping, between your browser the merchant's server, or often with email, between the sender's and receiver's email servers.

   The "key" here is how "long" the tunnel is, or actually, where it begins and ends.  In the online shopping example, one end of the tunnel is at your web browser.  That's pretty good - the only observers who can see that end of the tunnel are: you (and anyone looking over your shoulder), any malware on your computer, and possibly someone on your local network (that's why you don't do important transactions on an open wi-fi network like at the coffee shop).  We don't know exactly where the other end is.  Or, more accurately, we don't know what is between the server where the tunnel ends, and the person at the end company who needs to see your data.  And we don't know if that is encrypted.

   Banks and financial institutions tend to do a pretty good job here, both in their use of technology and encryption, and in detecting possible fraudulent transactions.  Of course, they have had their problems as well.

   Our best protections here are:
  1. always be sure that you are using https for any online transactions;
  2. do online business with known/reputable merchants, and;
  3. use one credit card for your online transactions.
   There is also file encryption.  This is when the actual contents of your files or directories are scrambled so that only a person with the key can unscramble them.  Problems come in when software providers use a weak encryption algorithm (like when someone invents their own encryption... this is usually a bad idea) or have a poor implementation of a good algorithm (we, unfortunately, see this all the time).

   So, back to the original problem.  There are very good reasons to keep data online.  Primary ones are convenience, accessibility and backup.  If you want to protect your data from prying eyes then you need to encrypt it, on your computer, before it is uploaded to the internet.  Steve Gibson coined the term Pre-Internet Encryption or PIE, to describe this.  We also have to choose a good tool that does a good job of implementing the encryption.

   Some of my favorite methods and tools for protecting my data are:
  • Password Vault - I've written about this many times.  My favorite tool is LastPass, and they talk about this data privacy issue here.  There are other good password vaults out there like KeePass and Password Safe.
  • Secure Backup - you need to keep copies of your data somewhere in case your computer crashes.  My favorite tool is CrashPlan.  There are other good choices out there like Carbonite and Mozy.
  • General File Encryption - if you need to share files and want to ensure only the recipient can read them, then file encryption is the way to go.  My favorite tools are GPG (or PGP) for file encryption and sharing, and trucrypt or Bit Locker for encrypting your computer.
   This is a complicated topic for home users.  But we can simplify things by keeping to the basics.  Think about what data you need to protect.  Use good tools like the ones mentioned here and be sure to keep the tools up to date.

   What are your favorite tools for protecting your home data?

No comments:

Post a Comment