Abstract
End-to-end (E2E) security is commonly marketed as a panacea to all of a user’s security requirements. We contend that this optimism is misplaced, and that E2E security, as offered by services such as WhatsApp, Telegram, Mega, and Skype, is not sufficient in itself to protect users. In this paper, we discuss various means by which these systems may be compromised in spite of their security guarantees. These include exploitation of flaws in the implementation or even deliberate backdoors in the system. In some cases it may be easier for attackers to bypass the E2E secure channel in the system and attack the communication endpoints instead. Furthermore, the lay user generally has no convenient and convincing mechanism to verify that the system is indeed fulfilling its E2E security properties. We illustrate each scenario with prominent examples of actual real-world security failures and we discuss potential mitigation strategies that users may employ.
Cite
Clarke, D., & Ali, S. T. (2017). End to end security is not enough. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10476 LNCS, pp. 260–267). Springer Verlag. https://doi.org/10.1007/978-3-319-71075-4_29