This week, we again explore the breaking points of encryption, while basking in its unexplored potential. It’s a complicated relationship. Japan races to be quantum ready, struggling to catch up with China and the US, and what was thought to be secure communication in China—isn't. And it may not even be China’s fault. How Telegram may have let down its pro-democracy users with the fine print, and why your firewall provider may need a firewall provider. Plus, at a time when blockchain never ceases to amaze us, we’re asking it to do one more trick—all in this week’s Encryption Digest.
“Need help from @telegram.”
Popular among democracy seekers in China, (banned-but-cracked) Telegram is the app-based communication haven for Chinese activists who would otherwise be putting their wellbeing at risk. Well, it may not be such a haven anymore.
According to the Chinese software developer who outed the vulnerability on Twitter, the app allows those who have your number to see who you are on public messaging boards, even though you may have turned the settings to private. In a few swift steps, the Chinese government could pair with local telcos to track those numbers to the users themselves.
To protesters who already claim to have been targeted by the Chinese government, this is a bug. To Telegram, simply a little-known feature. In either case, this parallels the encryption backdoor debate, showing what could happen when—by any means—a government has increased access to what were intended to be secure communications.
In the race to quantum computing, no one wants to be left behind.
China designated quantum information science as a flagship in its 2006-2020 plans and has already constructed a quantum landline between Shanghai and Beijing. It works. The United States has been investing heavily in quantum cryptography, and Japan is now formalizing plans to follow suit.
Japan’s Ministry of Internal Affairs and Communications will request $14 million for research and development in 2020. The country that is re-upping efforts to recycle old electronics will also investigate the use of existing fiber optic networks to make the technology run.
Right now, encrypted government communications are just that, and the cyber-spies are held at reasonable distance. That might not be the case for long.
With experts estimating anywhere from 3-10 years before quantum computing cracks our current encryption, 2025 seems like … a good timeline.
Why We Need Quantum Cryptography, Now
Soon, we might be able to make a shorter list of things blockchain doesn’t do. We already see it revolutionizing the futures of IoT, refugee aid, voting machines, medical records and supply chains. Now, it’s gearing up for its latest role—as real estate broker. It’s like the astronaut-doctor-lifeguard Barbie of the '90s, only less plastic. We hope.
Implementation is still contingent upon acceptance by regulators and the industry at large, but should blockchain ever be utilized for house-hunting, here are some foreseeable benefits:
It’s no Chip and Joanna but given the increased digital speed of nearly everything else, maybe we’ll settle for fast, safe and viciously accurate.
No one is immune.
“For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up there with their worst nightmare,” confided Rich Mogull, founder at DisruptOps, a cloud security firm.
On August 20, Imperva disclosed a breach in their cloud-based Web Application Firewall (WAF) product, Incapsula. The attackers made off with API keys, client-provided SSL certificates, email addresses and passwords.
According to Mogull, Imperva is one of the top three web-based firewall providers in the industry, and this attack is significant.
In a worst-case scenario, attackers could divert traffic going to Imperva clients’ web pages to their own. Or whitelist venomous sites. Or lower WAF security settings for all users.
These breaches can come down to small mistakes, says Alissa Knight, senior analyst at Aite Group, which is a point of concern. Cloud-based security providers are often given the “keys to the kingdom,” and it’s important to ask them the “tough questions” - like how they are securing the platforms that secure your data.
You can find out the hard way that you've been compromised, or you could automate code signing across all encrypted assets to make sure that what you see is what you get.