Chris Kranky


Step 1: Encrypt everything

Chris Koehncke

One of the early talks in last week’s Realtime Conf 2013 was about the need for encryption and for all of us to have a better understanding of this seeming black art. The news media blares nearly daily with some embarrassing international incident alerting us all to the very real risks with innocent data. I won’t touch, for now, the potential harm of misuse of data from people we knowingly give our data to (read Facebook/Google). The question for today is who is looking at our data as it flies across the Internet and what should you do?

There are clearly those up to no good, followed by ISPs with their DPI (deep packet inspection) systems looking at all the bytes we send and receive and trying to derive some intelligence from them. These same ISPs often try to “help” by caching our requests to make “better use of the bandwidth” or silently re-routing our requests to their own servers with the vague idea of making things “happen faster.” Mobile operators are particularly guilty of blocking ports and hijacking your requests.

As both a user and developer, you want assurances that no one is playing with any aspect of your communications session between you and the other end point. Not just for security, but to ensure that the application works as you planned. How do you troubleshoot a problem that’s in the middle of the network?

Answer – encrypt everything.

Internet developers, some who actually bathe periodically, are a nasty hornet’s nest if you tap on them too much, and tap, it would appear, the industry and government have. The tidal wave of response is heading to our shores with the encryption of virtually everything, now that processing power allows for it at scale. Valuable or not, encrypt it.

WebRTC is either leading the charge or caught in the slipstream of this discussion. P2P communications are somewhat harder to sniff out (since the data doesn’t flow thru a nice central server). While WebRTC demands the encryption of the media channels, developers are only now paying attention to what WebRTC does and how ‘safe’ it is.

Telephone and ISP companies, I believe, are letting a great business opportunity slip thru their fingers. As a paying customer, I expect them to be on my side. They are big enough and have brands to protect. I’d pay them more if they could provide me solid assurances that my data is safe with them. Why would I use Dropbox, Gmail, AOL IM, free services that have no vested interest in protecting my information, if a trusted alternative was available?

I learned years ago that consumers are always willing to pay for security.

Unfortunately, the telco types continue to demonstrate that they’re not on your side: injecting man-in-the-middle attack type services to hijack my communications, cooperating often all too willingly with government requests and not thinking creatively about products/services that encrypt my data such that no one, other than myself, has access to it.

While data protection has long been an industry, it’s usually expensive for those who truly have data to protect. Newer technologies, including WebRTC, are lowering this barrier, cracking open a new and untapped market for those upstarts, whoever they may be.