This series can be read independently, but is mostly designed to complement the article on encrypted communication.
First things first, let's define some terms. Security is the protection of information from unauthorized sources. Obscurity is the concept of something hidden, and typically in this context, not obviously so. Blending in, if you will. Identity is any distinguishing characteristic that separates one party from another.
Let's start with security. The most basic example of security, at least in the context of communication, is authentication. This connects with identity. Authentication means "I am who I say I am, and here is how I'm proving it". In the context of a service or platform, this can be a username/password combination. In the context of communication, it might be a keypair (visible or otherwise), a username (which has been validated to belong to the person on the other end via the server), etc. The second part of security is encryption. Encryption is the process of "scrambling" information using encryption keys, so that it can't be read by anyone it isn't intended for. There are two main types of encryption we'll talk about.
The first is "End to End" Encryption, or E2E. This means Person A has a key that encrypts everything they send, with a note to allow Person B, who they're sending it to, to decrypt it with their own key. In general, this is the most secure form of encryption. There are multiple levels of E2E encryption though. E2E encryption is vulnerable to a "man in the middle" attack, which means that Person A sends their message to Person B, but Person C is actually at the other end, pretending to be Person B. They then decrypt the message, forward it on to Person B, and then do the same in reverse. Without physically verifying encryption keys/identities in the same room, next to each other, this type of attack can be very difficult to detect. This obviously poses a problem, since Person C can see everything both parties send, AND both parties think only the other person is seeing everything.
The other type of encryption is "server-side" encryption. In some cases, this can be a perfectly valid and secure way to protect information. Server-side encryption prevents unauthorized parties from reading messages, the same as E2E. The problem in this scenario is that the user is (usually) not the one who decides who the unauthorized parties are. The server has, or should be assumed to have, the keys to encrypt or decrypt data at will. This means that, for example, Meta could decide that an authorized party to read WhatsApp messages is the FBI, ICE, NSA, or even Mark Zuckerberg himself. Depending on the threat model, server-side encryption might be worth the trade-offs.
In general, all of the recommendations in the encrypted communication article use End to End encryption, as it's more appropriate for situations where the primary concern is government interference. E2EE can include various different protocols. One of the most popular is the Signal Protocol, used by Signal and WhatsApp. Another is Matrix. A more generic method is PGP, which provides both encryption and identity verification. Signal and Matrix are their own protocols, which means that, in most cases, the keys used to encrypt data/messages are not controlled/generated by users, but instead are generated by the protocol/apps in question. PGP is different in that users are required to generate their own PGP private/public key pair. I won't dive into that toooooo much, but essentially a keypair means that I have a public key (which anyone can have) and a private key (which no one but me should have). You also have these. I encrypt my message to you with your public key, which means only your private key can decrypt it. I can also "sign" the message with my private key, which you can verify by using my public key. To clarify, these are two separate processes, both of which can be done independently of each other. In general, if you use PGP encryption, it's optimal to spread your public key and fingerprint as far and wide as possible to ensure it's easy to validate and can't be replaced or compromised by a single point of failure.
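The key substitution described in the "man in the middle" paragraph, and the reason for comparing fingerprints, shown as an added example (not code from this article or from any of the apps it names). The toy Diffie-Hellman group, the function names and the fingerprint format are assumptions chosen for illustration; they are not what Signal, Matrix or PGP actually use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption: far too small
# for real use; real protocols use vetted curves such as X25519).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """First 128 bits of SHA-256 over the public key, grouped for reading aloud."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def shared_key(my_priv, their_pub):
    """Derive the symmetric key one side ends up with."""
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def exchange(intercepted):
    """Simulate Person A and Person B swapping public keys over a network.

    If intercepted is True, Person C replaces both keys in transit.
    Neither A nor B gets an error either way; only the fingerprint
    comparison (done over a separate channel) exposes the swap.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        _, c_pub = keypair()
        seen_by_a, seen_by_b = c_pub, c_pub  # each side receives C's key
    else:
        seen_by_a, seen_by_b = b_pub, a_pub
    return {
        # Not observable by A or B alone: each just derives "a key".
        "keys_match": shared_key(a_priv, seen_by_a) == shared_key(b_priv, seen_by_b),
        # Out-of-band check: B reads out the fingerprint of their real key,
        # A compares it with the fingerprint of the key their app received.
        "a_verifies_b": fingerprint(seen_by_a) == fingerprint(b_pub),
        "b_verifies_a": fingerprint(seen_by_b) == fingerprint(a_pub),
    }

if __name__ == "__main__":
    print("clean:      ", exchange(False))
    print("intercepted:", exchange(True))
```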
Recommended Reading: Matrix, Signal (all docs), Signal "Double Ratchet", PGP Overview, PGP deeper dive