Abstract
End-to-end (E2E) security is commonly marketed as a panacea for all of a user's security requirements. We contend that this optimism is misplaced and that E2E security, as offered by services such as WhatsApp, Telegram, Mega, and Skype, is not in itself sufficient to protect users. In this paper we discuss various means by which these systems may be compromised despite their security guarantees, including exploitation of flaws in the implementation and deliberate backdoors in the system. In some cases it may be easier for an attacker to bypass the E2E secure channel altogether and attack the communication endpoints instead. Furthermore, the lay user generally has no convenient and convincing mechanism to verify that the system actually delivers the E2E security properties it claims. We illustrate each scenario with prominent examples of real-world security failures and discuss mitigation strategies that users may employ.
© 2017 Springer International Publishing AG
Cite this paper
Clarke, D., Ali, S.T. (2017). End to End Security is Not Enough. In: Stajano, F., Anderson, J., Christianson, B., Matyáš, V. (eds) Security Protocols XXV. Security Protocols 2017. Lecture Notes in Computer Science(), vol 10476. Springer, Cham. https://doi.org/10.1007/978-3-319-71075-4_29
DOI: https://doi.org/10.1007/978-3-319-71075-4_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71074-7
Online ISBN: 978-3-319-71075-4