
This article was published on May 14, 2019

[Best of 2019] No, end-to-end encryption isn’t a marketing gimmick

Sound the bad take claxon.

Story by Matthew Hughes, Former TNW Reporter

Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twitter.

There’s bad takes, and then there’s bad takes. An example of the latter comes from Bloomberg Opinion columnist Leonid Bershidsky, who thinks that today’s WhatsApp security woes prove that end-to-end encryption is “a gimmick” and “largely pointless.”

WhatsApp is one of the largest messaging apps around. To put Bershidsky’s comments in context, earlier today, it transpired that it was possible to use specially-weaponized phone calls in order to install malware on a target’s phone. The Facebook-owned company has since released a patch, which users are encouraged to install at the earliest possible opportunity.

WhatsApp, like many messaging apps, uses end-to-end encryption, which ensures that an intermediary cannot snoop on what’s being said. Bershidsky’s argument, summed up roughly, is that while WhatsApp remains vulnerable to other attacks, end-to-end encryption is nothing short of a “marketing device” designed to “lull consumers wary about cyber-surveillance into a false sense of security.”

As far as I can tell, Bershidsky has no formal training in cyber security or computer science. If he did, he probably wouldn’t be embarrassing himself in such a public fashion. And indeed, the computer security community is delighting in dunking on him via their preferred medium, Twitter. It’s important that his arguments, which are misleading and technically inaccurate, do not go unaddressed.

Firstly, let’s address his criticism that the term “end-to-end encryption” is a “marketing device.”

It isn’t. It just fucking isn’t. I don’t know what else to say here. It’s a technical term with a very precise, universally-accepted definition. That just isn’t up for debate.

Bershidsky’s argument hinges primarily on the fact that applications that use end-to-end encryption are susceptible to other threats, like zero-day flaws and sophisticated Israeli spyware. But the thing is, no credible person has ever argued that end-to-end encryption is a security cure-all. Rather, it addresses two serious security problems.

Firstly, end-to-end encryption prevents an adversary sitting in the middle of a connection from intercepting and analyzing the contents of data packets. If you’re sending sensitive information across the public Internet, like credit card numbers or customer data, you’re going to want to ensure it’s safe from prying eyes. And crucially, it makes it almost impossible to intercept and analyze protected traffic at scale.
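As an added example (not from the article), here is a minimal end-to-end exchange in Go using only the standard library’s X25519 and AES-GCM: two endpoints derive a pairwise key, a third party that relays the bytes (the server in the middle) cannot read them, and any change it makes in transit is rejected. It is a constructed toy, not WhatsApp’s real protocol; the SHA-256 key derivation and the names NewKey, Seal and Open are simplifications of mine, and the message is a made-up sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey generates one endpoint's (one phone's) X25519 key pair.
func NewKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }
// pairKey derives a pairwise AES-256-GCM key; SHA-256 stands in for a proper KDF.
func pairKey(me *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	key := sha256.Sum256(must(me.ECDH(peer)))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}
// Seal encrypts msg so that only peer can open it: nonce || ciphertext || tag.
func Seal(me *ecdh.PrivateKey, peer *ecdh.PublicKey, msg []byte) []byte {
	g := pairKey(me, peer)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, msg, nil)
}
// Open decrypts and authenticates; ok is false for a wrong key or altered bytes.
func Open(me *ecdh.PrivateKey, peer *ecdh.PublicKey, ct []byte) ([]byte, bool) {
	g := pairKey(me, peer)
	if n := g.NonceSize(); len(ct) >= n {
		msg, err := g.Open(nil, ct[:n], ct[n:], nil)
		return msg, err == nil
	}
	return nil, false
}

func main() {
	alice, bob, relay := NewKey(), NewKey(), NewKey()
	ct := Seal(alice, bob.PublicKey(), []byte("card ending 4242")) // constructed sample
	_, relayReads := Open(relay, alice.PublicKey(), ct)             // the server in the middle
	ct[len(ct)-1] ^= 1                                              // relay tampers in transit
	_, accepted := Open(bob, alice.PublicKey(), ct)
	fmt.Println("relay reads:", relayReads, "tampered accepted:", accepted)
}
```

What the block does not protect against is exactly the article’s point: once malware sits on either phone, it reads the plaintext that Open returns, because that endpoint is where the encryption ends.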

The second problem end-to-end encryption solves is that it makes it significantly harder for an adversary to launch session hijacking attacks. If data is being sent in the clear, an attacker sitting on the same network could easily capture cookies, including session cookies, allowing them to take over a user’s account on a website or app without ever needing to log in.

This isn’t hypothetical. Before Facebook introduced SSL-by-default in 2012, ensuring the connection between users and its servers was protected, wresting control of someone’s account was embarrassingly easy. There was even a Firefox plugin called Firesheep, released in 2010, that made it a one-click process.

Do you need other things than end-to-end encryption to ensure a secure user experience? Absolutely. But is end-to-end encryption a crucial cornerstone of that secure user experience? Hell yes.

Security isn’t a single product or app. You can’t buy security. It comes from the culmination of lots of efforts, big and small. At the risk of sounding like the narrator in a commercial for Lincoln cars, it’s a journey, and you never quite get all the way there.

In conclusion, end-to-end encryption is important, and Bershidsky’s take is moronic. Even though the piece was clearly listed as opinion, Bloomberg should have known better than to publish an argument that was fundamentally misleading and based on shaky technical grounds.
