A few words about the title: The first seven letters are written using a very simple code, or cypher. Each of the letters in the original word is replaced by the non-alphabetical character to which it is closest on a US keyboard. The process of hiding a message by substituting other letters, numbers or symbols is known as encryption. When the code is reversed, the title reads ‘Explaining Encryption’.
But it also looks like swearing, doesn’t it? In fact, the use of characters like this to denote swearing is a simple (dare we say crude?) kind of encryption. A child too innocent to know such words derives no meaning from the random collection of characters. Someone well versed in the ways of the world, though, can add up the number of characters and quickly deduce what was intended.
On and off over the last two months, we’ve been looking at various aspects of online security. This week, we’re going to consider what steps we can take to make the information we send over the Internet secure from prying eyes.
We’ll also consider why it is that no one uses these measures, and why most of us won’t any time soon.
When you talk with someone over the Internet, it’s useful to imagine that you’re sitting down with them in a busy café. It’s not exactly a wide-open place, but it’s not very private either. As long as you keep your voice down – and as long as the waiter doesn’t eavesdrop – you have a reasonable expectation of privacy. Nonetheless, there are some things you simply would not say.
The Internet, unfortunately, has very few truly private places. It takes a great deal of effort to establish security strong enough to be guaranteed that nobody knows who you’re talking to, or what was said. It’s often easier to learn a few little tricks to make sure that no one understands what you’re saying, even if they can hear you.
One technique that works really well for some people is to speak in a language that nobody else understands. The US Army used this trick during the Second World War. They enlisted a number of Navajo Indians to work as radio operators. The Navajo language was not documented anywhere, and the US was confident that no one aside from the Navajo people themselves spoke the language, so they took advantage of this, and used them extensively to provide secure communications in places where going through a lengthy encryption/decryption process would cost lives.
That’s more or less what encryption is. It’s a newly-minted code (language, if you like) that only you and the computer at the other end of the link can understand.
The most common kind of encryption on the Web today is something called Secure Sockets Layer, or SSL. It uses a fairly simple process to establish a kind of a tunnel between you and the server you’re connecting to. The mechanics of the transaction are actually somewhat complex, but in layman’s terms, the process works something like this:
Joe wants to log into GMail. He goes to gmail.com and clicks on the login link. The server sends some information back to the browser that says, “I really am the server that he meant to click on. Here’s my ID. I want to talk to Joe privately.” The browser examines the ID and, provided it’s legit, cooperates with the server to invent a language that only the two of them understand. Joe can now talk with the GMail server without fear of anyone else understanding what’s being said.
Setting up something like this is fairly easy when each party in the transaction is known to the other. Public servers can obtain virtual ID cards, called certificates, which allow us to verify that someone else isn’t just pretending to be them. A good web browser will warn you before it establishes a secure connection with a server that isn’t trusted in this way.
The process isn’t foolproof, but it’s much better than nothing.
There are two big problems with encryption, though. First, it’s too easy. Second, it’s too hard.
When used in a web browser, the process of establishing trust between two machines usually happens without any intervention from the user. The idea is that it should ‘just work’. Developers went to very great lengths to find ways to make that happen. Unfortunately, that means that most people are never aware whether they’re sending their information securely or not, or whether the information is actually going where they think it’s going.
In effect, browser makers are victims of their own success. They were so good at hiding the complex process of establishing trust that they made it too easy for users to ignore security completely. In fairness, they have all worked hard recently to try to provide visual clues about the nature of the sites people visit, but many users remain oblivious to the warning signs when things are not as they should be.
So the most common kind of encryption is one that we use everyday, but we never actually see. That’s possible because it’s based on knowing a given computer’s identity. Google is not likely to change from one day to the next; therefore it’s possible to infer that if it was trustworthy yesterday, it will be trustworthy tomorrow. It’s also well-known enough that we don’t have to rely so much on our own judgement as on the experience of others.
But what about those numerous occasions when someone whom you don’t know very well asks you to send them confidential information? Let’s say you want to send the results of a recent pregnancy test from the hospital in Australia to a doctor here in Port Vila. This is absolutely not the kind of information you would want to send out in the open. You wouldn’t paste such information onto the back of a postcard and send them that way, would you?
When you send information by unsecured email, that’s exactly what you’re doing. You’re relying on people not to let their curiousity get the better of them.
So why don’t we all use encryption then? The answer is very simple and very complex all at once.
The simplest way to explain it is that the process of setting up trust between two computers is a little complex. It’s not beyond the ability of an intermediate-level computer user, but it might take them a little while to get used to the process.
It’s just hard enough, however, to keep the majority of people from using it easily. And encryption is one of those things that’s kind of useless unless everyone can agree to use it, and to use it in the same way as everyone else.
The biggest problem is that we can’t see, touch or hear encryption, so software applications using encryption have to get in the way a little bit. They have to intrude on what would normally be a simpler process, asking questions, wanting confirmation for this or that. For many people, it’s disconcerting, even alarming to have their computer suddenly start talking about security using jargon they don’t understand.
We find ourselves caught in a bit of a dilemma. Most of the time, we’re happy with the notion of the Internet as a wide public plaza. We stroll around, taking in the latest sights, catching up on news, what have you. But occasionally we run into someone we really want to talk to, and lo, there’s no quiet place the two of you can go. The contortions required to establish your own special language for two require time, effort and knowledge, and most often there’s not enough of any of those.
Encryption is really the only useful way to protect what you send over the Internet from prying eyes. Given the number of prying eyes on the Internet today, it’s a shame that personal encryption techniques are so hopelessly behind the needs of the average computer user.
We’ll all use personal encryption some day, but that day is yet to come.