Tips for Spotting Bogus Claims About Security and Encryption
The snake oil salesman has always been around, peddling their bogus products. In the frontier days, they sold medical panaceas promising to fix all sorts of ailments. Before you realized that cure-all you bought was nothing more than water mixed with pepper, they were already on their way to the next town.
Snake oil salesmen are still around today – and they have found a new target: cyber security products.
Just like medicine, it is hard to verify that an encrypted messenger app, a secure file sharing service, or other security software is really doing what it says. If the software is doing its job, you won’t actually see ‘security’ happening.
Messages sent through end-to-end encrypted apps like Signal or WhatsApp look like any other unless you inspect what’s ‘on the wire’ – referring to the data actually sent over the network cables.
But even an expert in the industry would have to use specialized tools and the better half of their day to verify any of these security claims – and even then it only reveals one small part of the whole story.
Unscrupulous developers and scammers are our new snake oil salesman. They enjoy the same comforts as the literal snake oil salesman of yore – claims that are difficult to verify, and the ability to make a quick buck without ever delivering on any promises. To pedal these phony soft-wares (haha, get it?) they often rely on bogus marketing claims and buzzwords – that’s our ‘security snake oil.’
So, how do you know when an app or service is truly secure, or when it’s too good to be true?
The following tips are some common claims and problems usually seen in ‘snake oil’ products – which are entirely fraudulent or over-promise their benefits.
If an app or service you are interested in is showing signs of snake oil security, proceed with caution.
- Military grade security/encryption
This is one of the most common terms thrown around.
It works because it appeals to our preconceptions of security. The military must protect its stuff really well! And, didn’t the military basically invent cryptography, or something?
Unfortunately, on its own, the term “military-grade” is meaningless – similar to expensive chocolates and other gimmick goods that are “artisanal” or “hand-made.”
Unless they tell you exactly what ‘grade’ they meet – such as a published standard, or even better, the specific encryption method they are using – you can disregard this claim altogether.
For example, AES, a widely-used encryption cipher that is considered to be secure by most industry experts, is literally military grade. The U.S. Committee on National Security Systems notes that AES-256 can be used “to protect up to TOP SECRET” information.
But Triple-DES (also writen as 3-DES) is another cipher that was once considered “military-grade” and is now totally insecure – just last month the U.S. National Institute of Standards and Technology (NIST) officially retired it.
Unless an app or service specifically tells you how it is encrypting your data, it could be either one of those algorithms (or any number of others).
“Military-grade encryption” is fine for a marketing bullet point. But if you can’t find more specific details on exactly what that encryption is, that’s a red flag.
- Unrealistic Claims: “Unbreakable,” “totally secure” or “100% secure”
Any respected security expert will tell you nothing is totally secure. Like the stock market, it just isn’t one of those things you can make a 100% guarantee about.
That means broad claims promising perfect security are almost always a sign of a snake oil peddler or an overeager marketer.
Every few months an unknown company pops up with promises to fix cybersecurity and solve everything – and they just need your hard earned money to do it. A few years ago VeilTower was a popular sham promising to provide a router that created a “hacker-proof Wi-Fi network.”
More recently we had Nomx, a device that promised “the world’s most secure communications protocol” for email. Would you be surprised to know that once British researcher Scott Helme got his hands on it, Nomx didn’t do much more than tweak a few standard settings while actually adding security vulnerabilities in the process?
These products come and go frequently and crowd-funding sites are one of the most popular places for them to appear. There is even a website dedicated to cataloging bogus security products on Kickstarter. Luckily they rarely meet their funding goals and disappear silently.
Other companies, like Cubeitz, who makes file encryption apps, like to add some technical jargon to their non-sense claims. Their software provides “1 million bits of encryption.” Bigger is better right?
1 million bits of what kind of encryption? The company has never explained how its encryption works or had its claims verified by a third-party. More bits of encryption does not guarantee more security if the protocol or algorithm is flawed.
Not wanting to stop at pointless hyperbole, Cubeitz double-dipped in the security snake oil pool:
“CubeiTz encryption is greater than that of standard military encryption.”
- No Cryptographers on Staff
Designing secure software is more difficult than just dropping in some standardized protocols and calling it a day. One of the most common security issues is implementation vulnerabilities. These are weaknesses in how a security protocol or encryption cipher is implemented in a specific piece of software, which can make even the best encryption useless.
Heartbleed, the most well-known SSL/TLS vulnerability of all time, was an implementation vulnerability in OpenSSL.
So, when you see an encrypted messaging app or other security software without anyone on staff who is a cryptographer or that has extensive experience with security engineering, be wary. Without real-world experience making secure software, there is a good chance they have made mistakes and don’t even know it.
Case in point, Confide, a Google Ventures-backed secure messenger app had developed some buzz earlier this year after getting plugged by a number of journalists and government officials. When security researchers took a look they found it was a disaster, offering no protections at all.
Confide’s team page boasts of its entrepreneurial experience – which is great for building a business, but not for making a secure app. What isn’t mentioned? Any experience with security engineering or cryptography.
- No 3rd Party or Peer Review
One of the best ways to determine if software can be trusted? Make sure someone else has verified it.
In the field of security and cryptography, a third-party review or audit is an accepted method for establishing credibility. These are conducted by an independent group – usually a security firm or academic researchers – and verify an app’s claims. For example, Signal, which is regarded as the best end-to-end encryption messenger, was audited twice (first as ‘TextSecure,’ its predecessor which used the same protocol).
Another term you may see is formal verification. This is a strict and comprehensive method of checking that a system actually provides the features it promises. It is the most thorough type of audit and it less common to find due to the cost and time it takes to perform. WireGuard, a secure VPN protocol, has been formally verified and proven to provide the specific security features it advertises.
Finally, a technical whitepaper is a document that explains how a product’s security features work and (hopefully) details the encryption protocols and algorithms that are used. These can be valuable – but know that they are not to be trusted as much as a 3rd-party audit or formal verification.
That’s because a whitepaper can easily be typed up by anyone. It isn’t fact-checked or even truthful. Interpreting a whitepaper can be difficult if you are not well-versed in security – and you should not trust it on face value. It is important to give it a read to make sure there is substance to it.
WhatsApp’s whitepaper is a good example of the detail you should expect to find. It specifically discusses the security protocols used by the app and includes an overview of how a secure connection is established.
On the topic of 3rd-party opinions, beware of recommendations coming from general media outlets or “listicle” sites. Any article that runs down the “Top 10 Most Secure <blanks>” has probably just done a Google search for the most popular options that claim to be secure.
The phony Confide app gained popularity after a New York Times reporter, who does not have a background in cybersecurity, recommended it. Without expertise in the field it is hard to make such a claim – which is exactly why you are reading this article!
If you find any good examples, or can’t decide if an app seems legit or not, share it here in the comments