Skip to main content
SpringerLink
Log in

Towards Human-Centric Endpoint Security

  • Conference paper
  • First Online:
Security Protocols XXVIII (Security Protocols 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14186))

Included in the following conference series:

  • 186 Accesses

Abstract

In a survey of six widely used end-to-end encrypted messaging applications, we consider the post-compromise recovery process from the perspective of what security audit functions, if any, are in place to detect and recover from attacks. Our investigation reveals audit functions vary in the extent to which they rely on the end user. We argue developers should minimize dependence on users and view them as a residual, not primary, risk mitigation strategy. To provide robust communications security, E2EE applications need to avoid protocol designs that dump too much responsibility on naive users and instead make system components play an appropriate role.

J. Blessing and P. D. Chowdhury–These authors contributed equally to this work.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 49.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 64.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We were unable to make contact with Wickr Me.

References

  1. Ventura, V.: in(Secure) messaging apps - how side-channel attacks can compromise privacy in WhatsApp, Telegram, and Signal. https://blog.talosintelligence.com/2018/12/secureim.html

  2. Akgul, O., Bai, W., Das, S., Mazurek, M.L.: Evaluating \(\{\)In-Workflow\(\}\) messages for improving mental models of \(\{\)End-to-End\(\}\) encryption. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 447–464 (2021)

    Google Scholar 

  3. BBC: Moxie Marlinspike leaves encrypted-messaging app Signal. https://www.bbc.co.uk/news/technology-59937614

  4. Ceci, J., Stegman, J., Khan, H.: No privacy in the electronics repair industry. arXiv preprint arXiv:2211.05824 (2022)

  5. Chowdhury, P.D., Hernández, A.D., Ramokapane, M., Rashid, A.: From utility to capability: a new paradigm to conceptualize and develop inclusive pets. In: New Security Paradigms Workshop. Association for Computing Machinery (ACM) (2022)

    Google Scholar 

  6. Chowdhury, P.D., et al.: Threat models over space and time: a case study of E2EE messaging applications. arXiv preprint arXiv:2301.05653 (2023)

  7. Howell, C., Leavy, T., Alwen, J.: Wickr messaging protocol technical paper. https://wickr.com/wp-content/uploads/2019/12/WhitePaper_WickrMessagingProtocol.pdf

  8. Christianson, Bruce: Auditing against impossible abstractions. In: Christianson, Bruce, Crispo, Bruno, Malcolm, James A.., Roe, Michael (eds.) Security Protocols 1999. LNCS, vol. 1796, pp. 60–64. Springer, Heidelberg (2000). https://doi.org/10.1007/10720107_8

    Chapter  Google Scholar 

  9. Cremers, C., Fairoze, J., Kiesl, B., Naska, A.: Clone detection in secure messaging: improving post-compromise security in practice. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 1481–1495 (2020)

    Google Scholar 

  10. Cremers, C., Jacomme, C., Naska, A.: Formal analysis of session-handling in secure messaging: lifting security from sessions to conversations. In: Usenix Security (2023)

    Google Scholar 

  11. Element: matrix specification. https://element.io/enterprise/end-to-end-encryption

  12. Hu, H., Wang, G.: \(\{\)End-to-End\(\}\) measurements of email spoofing attacks. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 1095–1112 (2018)

    Google Scholar 

  13. Levy, I., Robinson, C.: Principles for a more informed exceptional access debate. https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate

  14. Albrecht, M.R., Celi, S., Dowling, B., Jones, D.: Practically-exploitable cryptographic vulnerabilities in matrix. https://nebuchadnezzar-megolm.github.io/static/paper.pdf

  15. Matrix: upgrade now to address E2EE vulnerabilities in matrix-JS-SDK, matrix-IOS-SDK and matrix-android-sdk2. https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

  16. Paterson, K.G., Scarlata, M., Truong, K.T.: Three lessons from threema: analysis of a secure messenger

    Google Scholar 

  17. Renaud, K., Coles-Kemp, L.: Accessible and inclusive cyber security: a nuanced and complex challenge. SN Comput. Sci. 3(5), 1–14 (2022)

    Article  Google Scholar 

  18. Sasse, A.: Scaring and bullying people into security won’t work. IEEE Secur. Priv. 13(3), 80–83 (2015)

    Article  Google Scholar 

  19. Lawlor, S., Lewi, K.: Deploying key transparency at WhatsApp. https://engineering.fb.com/2023/04/13/security/whatsapp-key-transparency/

  20. Signal community forum: vulnerabilities. https://community.signalusers.org/t/vulnerabilities/4548/7

  21. Signal-desktop GitHub: add option to lock the application. https://github.com/signalapp/Signal-Desktop/issues/452#issuecomment-162622211

  22. Signal-Desktop GitHub: all exported data (messages + attachments) are *NOT* encrypted on disk during (and after) the upgrade process! https://github.com/signalapp/Signal-Desktop/issues/2815#issuecomment-433556965

  23. Signal-Desktop GitHub: based upon Kevinsbranch encrypted key in config.json using cryptojs & & start performance fix. https://github.com/signalapp/Signal-Desktop/pull/5465#issuecomment-923300524

  24. Telegram: MTProto Mobile Protocol. https://core.telegram.org/mtproto/description

  25. The Matrix.org Foundation: “Client-Server API (unstable), May 2021”. https://spec.matrix.org/unstable/client-server-api/

  26. Threema: Version history. https://threema.ch/en/versionhistory

  27. UK Parliament: Online Safety Bill. https://bills.parliament.uk/bills/3137

  28. Vasile, Diana A.., Kleppmann, Martin, Thomas, Daniel R.., Beresford, Alastair R..: Ghost trace on the wire? Using key evidence for informed decisions. In: Anderson, Jonathan, Stajano, Frank, Christianson, Bruce, Matyáš, Vashek (eds.) Security Protocols 2019. LNCS, vol. 12287, pp. 245–257. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57043-9_23

    Chapter  Google Scholar 

  29. Vaziripour, E., et al.: Is that you, alice? a usability study of the authentication ceremony of secure messaging applications. In: Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), pp. 29–47 (2017)

    Google Scholar 

  30. Viber: Viber Encryption Overview. https://www.viber.com/app/uploads/viber-encryption-overview.pdf

  31. Wu, J., et al.: Something isn’t secure, but i’m not sure how that translates into a problem: promoting autonomy by designing for understanding in signal. In: Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), pp. 137–153 (2019)

    Google Scholar 

  32. Yang, Y., West, J., Thiruvathukal, G.K., Klingensmith, N., Fawaz, K.: Are you really muted?: a privacy analysis of mute buttons in video conferencing apps. Proceed. Priv. Enhan. Technol. 3, 373–393 (2022)

    Google Scholar 

Download references

Acknowledgements

– We thank Bruce Christianson for the discussions and feedback reflected in the paper.

– This University of Bristol team is supported by REPHRAIN: National Research centre on Privacy, Harm Reduction and Adversarial Influence online (EPSRC Grant: EP/V011189/1).

Author information

Authors and Affiliations

  1. University of Bristol, Bristol, UK

    Partha Das Chowdhury, Maria Sameen, Joseph Gardiner & Awais Rashid

  2. University of Cambridge, Cambridge, UK

    Jenny Blessing & Ross Anderson

  3. University of Edinburgh, Edinburgh, UK

    Ross Anderson

Authors
  1. Jenny Blessing
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Partha Das Chowdhury
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Maria Sameen
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ross Anderson
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Joseph Gardiner
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Awais Rashid
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Partha Das Chowdhury .

Editor information

Editors and Affiliations

  1. University of Cambridge, Cambridge, UK

    Frank Stajano

  2. Masaryk University, Brno, Czech Republic

    Vashek Matyáš

  3. University of Hertfordshire, Hatfield, UK

    Bruce Christianson

  4. Memorial University of Newfoundland, St. John’s, NL, Canada

    Jonathan Anderson

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Blessing, J., Chowdhury, P.D., Sameen, M., Anderson, R., Gardiner, J., Rashid, A. (2023). Towards Human-Centric Endpoint Security. In: Stajano, F., Matyáš, V., Christianson, B., Anderson, J. (eds) Security Protocols XXVIII. Security Protocols 2023. Lecture Notes in Computer Science, vol 14186. Springer, Cham. https://doi.org/10.1007/978-3-031-43033-6_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-43033-6_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-43032-9

  • Online ISBN: 978-3-031-43033-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation