QA Fest 2017. Per Thorsheim. Secure messaging - how to protect yourself & your company

Our online communications with family, friends & business are increasing both in volume and in the number of applications we use. While a majority still don't know about 2-factor authentication or end-to-end encryption, more and more people are using secure messengers like Signal, Whatsapp and Wire. However, unencrypted email is still the most common way of transferring information and files over the Internet. This talk will give you an overview of key technologies & their implementations in various messengers. Last but not least I will show you how email can be made more secure in the future, based on existing standards that may become mandatory in all of the EU within a few years.

Published in: Education

Slides

  1. Secure Messaging. How to protect yourself & your company. Per Thorsheim, @thorsheim, +47 90 99 92 59 (Signal | Wire | Whatsapp)
  2. PasswordsCon.org; Youtube.com/user/thorsheim
  3. Article 12: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." The Universal Declaration of Human Rights, United Nations
  4. Signal: Signal.org
  5. Whatsapp: www.whatsapp.com
  6. Wire: WIRE.COM
  7. Secure Email: DNSSEC, DANE TLSA, CAA, SPF, DKIM, DMARC
  8. Regular email (sending server / receiving server dialogue): "I have email for you." / "Ok, I am ready." / "Here you go…." / "Thank you, I've got it." / "Thank you, that was all." The problem: it is all unencrypted.
  9. Email with STARTTLS: "Hi, I have email for you." / "Ok, I am ready, and I have STARTTLS." / "Good! Let's use TLS-RSA-RC4-128-SHA." / "Oh, I can only do RC4-MD5…" / "Ok, let's use it then. Send your public key." / "234lkj235dfwdknj523dlkjsdrkj seljw5kjwouijsdlfjk235346lkj3w ….." Initial communication is unencrypted. STARTTLS is opportunistic. Sender, recipient & all contents are encrypted.
  10. Status for universities and colleges, October 2014. Status for universities and colleges, March 2015.
  11. "In the second instance, Golden Frog shows that a wireless broadband Internet access provider is interfering with its users' ability to encrypt their SMTP email traffic. This broadband provider is overwriting the content of users' communications and actively blocking STARTTLS encryption. This is a man-in-the-middle attack that prevents customers from using the applications of their choosing and directly prevents users from protecting their privacy." https://www.techdirt.com/blog/netneutrality/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml
  12. The "Maslow hierarchy" of email security (diagram; text recovered from the slide). Layers: DNS (DNSSEC, DNScrypt); WWW (HTTP → HTTPS, HSTS, HPKP, CAA, DANE TLSA); server-to-server email (SMTP → STARTTLS, SPF, DKIM, DMARC, DANE TLSA, SMTP STS, REQUIRETLS, ARC); client-to-server email (POP, IMAP → POPS, IMAPS, DANE TLSA). Legend: Unencrypted / Not verified → Encrypted → Verified Encrypted.
  13. https://dnssec.vs.uni-due.de/
  14. https://hostmaster.ua/dnssec/
  15. Facebook Secret Conversations - demo
  16. per@thorsheim.net, +47 90 99 92 59 (Signal | Wire | Whatsapp), @thorsheim, Linkedin.com/in/thorsheim
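Slides 9, 11 and 12 together make one point: STARTTLS is only offered inside an unencrypted EHLO reply, so an on-path party can overwrite the capability (slide 11) or the peers can settle on a weak suite such as RC4-MD5 (slide 9), and only an enforced policy of the kind slide 12 lists (SMTP STS, DANE TLSA, REQUIRETLS) turns "send anyway" into "refuse". The following is an added illustration, not code from the talk: a small EHLO parser and delivery-decision function. The EHLO replies, the cipher deny-list and the policy names are constructed for the example.

```python
import re

# Constructed EHLO replies (not captured from any real server).
EHLO_NORMAL = "250-mx.example.net\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
# Constructed illustration of the capability being overwritten in transit,
# as described on slide 11: the keyword is replaced, so the client never sees it.
EHLO_STRIPPED = "250-mx.example.net\r\n250-SIZE 52428800\r\n250-XXXXXXXX\r\n250 8BITMIME\r\n"

# Hypothetical deny-list of cipher-suite name tokens a defender would reject.
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "NULL", "EXPORT", "DES")


def parse_ehlo(response):
    """Return capability keywords from a multi-line 250 EHLO reply.
    '250-' lines continue the reply, the '250 ' line ends it; the first
    line is the server greeting, not a capability."""
    caps = []
    for i, line in enumerate(response.splitlines()):
        m = re.match(r"^250([- ])(.*)$", line)
        if not m:
            raise ValueError("unexpected reply line: %r" % line)
        words = m.group(2).split()
        if i > 0 and words:
            caps.append(words[0].upper())
        if m.group(1) == " ":
            break
    return caps


def acceptable_cipher(suite):
    """Reject suites like the RC4-MD5 that slide 9 ends up with."""
    return not any(tok in suite.upper() for tok in WEAK_CIPHER_TOKENS)


def plan_delivery(response, policy, offered_cipher):
    """Decide what a sending MTA does after EHLO.
    policy 'opportunistic' mirrors plain STARTTLS (slide 9): use what is
    offered, fall back to cleartext otherwise.
    policy 'require' mirrors an enforced policy (SMTP STS, DANE, REQUIRETLS):
    defer the message rather than downgrade."""
    caps = parse_ehlo(response)
    if "STARTTLS" not in caps:
        return "send-cleartext" if policy == "opportunistic" else "defer"
    if not acceptable_cipher(offered_cipher):
        return "send-tls-weak" if policy == "opportunistic" else "defer"
    return "send-tls"
```

The two EHLO replies differ in a single overwritten keyword, which is why the stripped case is invisible to an opportunistic sender and only an enforced policy catches it.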
