There’s bad takes, and then there’s bad takes. An example of the latter comes from Bloomberg Opinion columnist Leonid Bershidsky, who thinks that today’s WhatsApp security woes proves that end-to-end encryption is “a gimmick” and “largely pointless.”
WhatsApp is one of the largest messaging apps around. To put Bershidsky’s comments in context, earlier today, it transpired that it was possible to use specially-weaponized phone calls in order to install malware on a target’s phone. The Facebook-owned company has since released a patch, which users are encouraged to install at the earliest possible opportunity.
WhatsApp, like many messaging apps, uses end-to-end encryption, which ensures that an intermediary cannot snoop on what’s being said. Bershidsky’s argument, summed up roughly, is that while WhatsApp remains vulnerable to other attacks, end-to-end encryption is nothing short of a “marketing device” designed to “lull consumers wary about cyber-surveillance into a false sense of security.”
As far as I can tell, Bershidsky has no formal training in cyber security or computer science. If he did, he probably wouldn’t be embarrassing himself in such a public fashion. And indeed, the computer security community is delighting on dunking on him via their preferred medium, Twitter. It’s important that his arguments, which are misleading and technically inaccurate, do not go unaddressed.
This is downright irresponsible and dangerous to claim. End-to-end encryption isn't broken. If the device is pwned, the data is pwned. Saying end-to-end encryption is broken will deter people from using it — when it's perfectly fine to use. https://t.co/5hx6lLtpg6
— Zack Whittaker (@zackwhittaker) May 14, 2019
Firstly, let’s address his criticism that the term “end-to-end encryption” is a “marketing device.”
It isn’t. It just fucking isn’t. I don’t know what else to say here. It’s a technical term with a very precise, universally-accepted definition. That just isn’t up for debate.
Bershidsky’s argument hinges primarily on the fact that applications that use end-to-end encryption are susceptible to other threats, like zero-day flaws and sophisticated Israeli spyware. But the thing is, no credible person has ever argued that end-to-end encryption is a security cure-all. Rather, it addresses two serious security problems.
Getting food poisoning at a restaurant shows transporting drinking water through pipes is a gimmick https://t.co/jnI9xRS1iu
— Alexandru Voica (@alexvoica) May 14, 2019
“Did you know someone can see your stuff if they gain root on your machine??” is truly the stupidest thesis for a tech piece of all time.https://t.co/YvQZhECif4
— Andrew Ewert 🌹 (@acewert) May 14, 2019
Firstly, end-to-end encryption prevents an adversary sitting in the middle of a connection from intercepting and analyzing the contents of data packets. If you’re sending privileged information across a public Internet, like credit card numbers or customer, you’ll going to want to ensure they safe from prying eyes. And crucially, it makes it almost impossible to intercept and analyze protected traffic at scale.
The second problem end-to-end encryption solves is that it makes it significantly harder for an adversary to launch session hijacking attacks. If data is being sent in the clear, an attacker sitting on the same network could easily capture cookies and session cookies, allowing them to take over a user’s account on a website or app, all without the need to log-in.
This isn’t hypothetical. Before Facebook introduced SSL-by-default in 2012, ensuring the connection between users and its servers were protected, wresting control of someone’s account was embarrassingly easy. There was even a Firefox plugin called FireSheep, released in 2010, that made it a one-click process.
Do you need other things than end-to-end encryption to ensure a secure user experience? Absolutely. But is end-to-end encryption a crucial cornerstone of that secure user experience? Hell yes.
This article is basically saying someone learned to pick this lock so lets burn all the doors 🙄 smh https://t.co/uLQH8spTVj
— Craig Williams (@security_craig) May 14, 2019
Security isn’t a single product or app. You can’t buy security. It comes from the culmination of lots of efforts, big and small. At the risk of sounding like the narrator in a commercial for Lincoln cars, it’s a journey, and you never quite get all the way there.
In conclusion, End-to-end encryption is important, and Bershidsky’s take is moronic. Even though the piece was clearly listed as opinion, Bloomberg should have known better than to publish an argument that was fundamentally misleading, and based on shaky technical grounds.