Introduction

First let me state that the use of encryption is a great idea. Even weak encryption is better than no encryption at all. What makes it problematic is that organizations don’t adequately deploy it, the science constantly evolves, and consumers have a hard time understanding it. Unfortunately, the lack of encryption on wireless networks can expose sensitive information whenever you send emails, use social sites, or simply browse the Internet. Unencrypted texts and voice calls are equally susceptible to interception. The lack of encryption has exacerbated the issue of data breaches in the professional sphere as well.

People tend to avoid encryption because it sounds complicated--but there are tools that can make it easy to use. So let’s take the fear out of it. In this article, you will find examples of encryption solutions that you can use as idea starters. Then you can perform your own research and determine what solutions are best for you or your organization.

Protecting Internet Communications

Leakage of communications can happen all along an Internet communication link, from your device to the web server and on to other systems to which the server may forward data. Not only can everything you send over an unencrypted network be captured by anyone with a network sniffer, but accounts that you use could be taken over if they are not protected using encryption. At a minimum, websites should be deploying SSL to protect their visitors.

What is SSL?

Secure Sockets Layer (SSL) was developed by Netscape in 1992 to encrypt Internet traffic. After SSL 3.0 was released, the development work was passed on to the Internet Engineering Task Force (IETF). The IETF changed the name to Transport Layer Security (TLS) and delivered several releases. TLS 1.2 is the current release. TLS 1.3 is in draft. While most people call secure Internet communications SSL, TLS is the protocol that should be used. Though the two are related, they are not compatible.

Use of SSL by Websites

Initially, only websites collecting financial and medical information protected their Internet communications using SSL. Most websites were reluctant to deploy SSL due to the cost and the performance hit. However, hacking and auditing apps such as Firesheep and the more sophisticated Cookie Cadger, the revelations of government surveillance exposed by Edward Snowden, and insistence by privacy advocates such as the FTC and Chris Soghoian have encouraged many sites to enable SSL.

Enabling SSL for Websites

When browsing the Internet, ensuring that SSL is enabled for the connection helps to keep your information private, especially when sending data over wireless connections. It’s a simple matter of using https as the protocol for the website address instead of http. Users often forget, or don’t know how, to ensure that SSL is enabled for a website. To make the job easier, https-everywhere can be used (does not work with IE or Safari). Organizations can help to ensure that users access secure connections to their websites by activating HSTS (not currently supported by IE).

The look of SSL in different browsers

To ensure that a website you visit is using SSL, look at the address bar. You should see a lock and green text for the name of the website (see the image above for examples). You will need to use the current version of your browser to see this.

Server-to-Server Communications

Even when there is encryption between your browser and the web server, it doesn’t mean that the connection between web servers is encrypted, which is important when sending email to a recipient who uses a different email server. By implementing encryption for server-to-server communications and enabling STARTTLS on email servers, online companies can help to ensure that the communication between their servers and other servers is encrypted. Server-to-server encryption can thwart hackers and unlawful government surveillance of Internet communications.

Testing SSL Deployments

Implementing SSL is not an easy task for websites. Getting the right version of TLS, using the right algorithm for certificates and encryption, and knowing when to implement HSTS, STARTLS or other headers can be daunting. Even when you feel you have the best technology deployed, how do you determine if it is working properly? The website https://www.ssllabs.com/ssltest/index.html can help in validating your SSL deployment, and https://ssl-tools.net/mailservers can test email server communications. If your organization does not support SSL you should encourage it to do so. For more info on SSL/TLS get this book.

Encrypting Communications without SSL

If you are using an unencrypted public Wi-Fi network to browse the Internet to sites that don’t support SSL, there are other ways to protect your communications. You can use a virtual private network (VPN) to encrypt the link between your device and any website via an intermediary. For example, SecurityKISS provides a free service that not only encrypts your communications, but helps to protect your identity and browsing destinations. It can also make it appear that you are connecting from another state or country. It assists people in countries who want to access sites that are blocked from them. Other VPN providers can be found here. For those who want to go a step further and move around the Internet invisibly, check out the Tails product, which provides a secure operating system and communications on a memory stick.

Home Wireless Networks

Home Wi-Fi networks can be a huge exposure for families. There are several things that can be done when setting up your Wi-Fi network to mitigate the risk of an unauthorized person connecting to it or viewing its traffic:

1. Do not broadcast the identifier (SSID) for the network, which makes it difficult to connect to unless it is already known.
2. Use a strong password to protect access to the network.
3. Enable encryption for the network. WPA2 is currently the strongest method to use, superseding WPA and WEP.

Encrypted email

Email often contains sensitive content, for example, when people send a password, credit card number or other personal information to family members. Several services provide encrypted email capabilities. A list of some of them can be found here. They use PGP, PKI and password-based encryption mechanisms. For most users, the password-based encryption is easiest to use as there is no need to deal with managing encryption keys. However, users still have to inform email recipients about the password.

PGP Encryption

Pretty Good Privacy (PGP) is an encrypted email mechanism that has been in use since the early ‘90s. It operates via the use of two keys that are assigned to a user wishing to send encrypted emails. One is a public key that is used to encrypt messages. It should be shared with anyone wishing to send you an encrypted email. The other is the private key that email recipients use to decrypt messages. It should be stored in a safe place. A set of PGP keys can be generated on websites such as https://wp2pgpmail.com/pgp-key-generator/ where an app can also be found for sending PGP emails.

Public keys can be sent in a standard email. For example, you may have seen the following preamble at the bottom of an email you received:

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: BCPG C# v1.6.1.0

You can also find a person’s public key at this MIT site. Many privacy advocates register their public key there. Be sure to place yours there.

PKI Encryption

Public Key Infrastructure (PKI) uses certificates to encrypt content. These certificates can be used with Microsoft Outlook and Mozilla’s Thunderbird to send encrypted or signed emails. A free personal certificate can be obtained from https://www.comodo.com/. This technique is similar to PGP in that it uses a public and private key. However, PKI keys are linked to certificate authorities who manage certificate revocation in case it is compromised, while PGP keys are distributed by several software vendors and revocation is not provided.

Password Encryption

Password-based encryption systems encrypt data and communications without the user having to worry about key management. Microsoft Office and OpenOffice provide built-in encryption of documents, which is activated with a password. These apps require recipients to have a copy of the app to decrypt encrypted content. Lockify is an example of a free app that provides the ability to send encrypted messages and documents using a password. Users can also use the app to have messages deleted after they have been read or a date has passed. Unlike other services, Lockify does not require the recipient to have the app installed to access encrypted messages.

Comprehensive Encryption

For those looking for applications that provide a comprehensive set of communication encryption capabilities, Open Whisper Systems and Silent Circle provide voice and text encryption. The Black Phone provides a secure device platform and incorporates the Silent Circle suite.

Mitigating Data Breach Issues

In 2005, the ITRC started tracking data breaches and found that 67 million records were exposed in breaches. Nine years later, in 2014, despite increased efforts from all those affected, the number of exposed records reached over one billion. Even when databases are breached, why does sensitive data continue to be exposed? Following the minimization principle and using readily available data protection mechanisms would mitigate those risks. Sadly, recent congressional hearings on the Office of Personnel Management (OPM) hack revealed that sensitive data such as social security numbers was exposed in their breach. The reasons given for not encrypting the data were that the older systems did not support encryption and the data needed to be unencrypted to support searches. It is troublesome to see this as an excuse when it is possible to have data encrypted while conserving its utility.

Simple hashing would permit the searching of values such as a social security number while rendering it safe from a breach. Moreover, technologies are available that support research and data mining while protecting the privacy of data. Differential privacy, homomorphic encryption, multi-part data computation and linear secret sharing are all examples of ways to hide data from direct access and still permit necessary functions to be performed on it.

So What Do You Do Now?

Anytime you are sending sensitive information across the Internet, use encryption. To protect what you are viewing online, ensure that SSL is enabled for the site. If you run a website, enable SSL. There are many free services and applications to help people protect their privacy. Grab one today and test it out. We should no longer feel helpless when it comes to protecting our data and communications. Having a strong #PrivacyBillOfRights would require companies to use encryption, and we would all be safer for it.