
End to End Security is Not Enough

  • Conference paper
Security Protocols XXV (Security Protocols 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10476)


Abstract

End-to-end (E2E) security is commonly marketed as a panacea to all of a user’s security requirements. We contend that this optimism is misplaced, and that E2E security, as offered by services such as WhatsApp, Telegram, Mega, and Skype, is not sufficient in itself to protect users. In this paper, we discuss various means by which these systems may be compromised in spite of their security guarantees. These include exploitation of flaws in the implementation or even deliberate backdoors in the system. In some cases it may be easier for attackers to bypass the E2E secure channel in the system and attack the communication endpoints instead. Furthermore, the lay user generally has no convenient and convincing mechanism to verify that the system is indeed fulfilling its E2E security properties. We illustrate each scenario with prominent examples of actual real-world security failures and we discuss potential mitigation strategies that users may employ.



Author information

Corresponding author

Correspondence to Dylan Clarke.


Copyright information

© 2017 Springer International Publishing AG

About this paper


Cite this paper

Clarke, D., Ali, S.T. (2017). End to End Security is Not Enough. In: Stajano, F., Anderson, J., Christianson, B., Matyáš, V. (eds) Security Protocols XXV. Security Protocols 2017. Lecture Notes in Computer Science, vol 10476. Springer, Cham. https://doi.org/10.1007/978-3-319-71075-4_29


  • DOI: https://doi.org/10.1007/978-3-319-71075-4_29


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71074-7

  • Online ISBN: 978-3-319-71075-4

  • eBook Packages: Computer Science (R0)
