With two recent vulnerabilities making headlines this month, notably CVE-2019-14899, impacting VPNs running on Linux distros, and Atlassian’s zero-day flaw reported by SwiftOnSecurity concerning the leak of private keys, it should no longer come as a surprise that encryption merely breeds a feeling of security rather than guaranteeing it.
From Hollywood flicks dropping buzzwords like encryption, VPN and private keys, to the vendors who must now convince the public in order to drive product sales, the message that ultimately gets communicated, inadvertently or deliberately, consists of half-baked, distorted assumptions. For example, “if I’m on a public hotspot, flicking the one switch of my VPN equates to total security,” or something along those lines, conveys the general mindset of an unsavvy user. Likewise, one popular myth is “if a webpage has a padlock icon, it’s secure,” when in reality the page could very well be a phishing setup made to look and feel secure by the hacker using a free SSL (Let’s Encrypt) certificate.
Then follows the other side of the issue: legitimate website names sounding like ‘phishing’ domains which are actually being used today by mainstream banks and companies. Just another day, when rescheduling my flight, the Virgin Atlantic representative transferred me to a “secure form” to collect credit card information, hosted on the mysterious lpsnmedia.net domain. If you’re a tad vigilant, this would raise multiple red flags, unless of course you are familiar with LivePerson (hence the letters lpsn) chat software and every single domain they own. Similarly, “phishy”-sounding domains like myonlineaccount.net and clc-consumerservices.com are valid and actively being used as of today by legitimate banks and payment providers where users are asked to make credit card and loan payments.
My point is that the security industry has done a poor job of communicating to a layperson what is secure and what isn’t, whereas the mainstream players in charge of assuring customer security, i.e., banks and online businesses, continue to confuse the public with their choice of weird-sounding domain names and their inconsistencies when it comes to practicing security.
Military-grade encryption, as implemented and marketed by VPN vendors, SSL certificate issuers and ‘secure’ apps, is no exception. Even assuming the technology is indeed unbreakable given today’s resources, it is the ‘weakest link’ surrounding the encryption that truly matters.
For messaging apps like WhatsApp claiming ‘end-to-end security,’ the weakness lies in the phrase itself: your communications are only as secure as the ends. Should one of the parties inadvertently download malware and compromise the security of their device (their end), this guarantee ceases. And, really, how hard is it to tempt a naive user into trusting a phishing website that looks like the real deal, when so many legitimate websites already look ‘phishy’?
That is the conversation security professionals and stakeholders need to be having. Without it, we can only create a market that works for security vendors and their sales, with the general public remaining deficient and in