Secure messaging
A common question I get asked is “what secure messaging app do you use?” and the answer of “none” gets some surprised looks; how can I be in cyber security if I don’t use secure messaging?
The answer is “convenience”, with a side of “risk analysis”.
Back when Signal (on Android) did both secure messaging and SMS in the same app, I used it. When they removed this (because people might send insecure messages by mistake) I stopped using it. It’s inconvenient to have to wonder “Does Fred have Signal? Or WhatsApp? Or is it just SMS?”. I’ll just use the lowest common denominator.
Could my messages be intercepted? Sure! Am I worried? Not really. If the Chinese (or the US!) want to know that I’m planning a pub trip then good for them.
Same for email; I’m not using encrypted/signed email (PGP, S/MIME, whatever). Yes, my mail servers can do TLS but that’s “opportunistic” and they’ll happily fall back to plain text.
But.
I’m not a high value target; no one is going to go to the effort of grabbing my stuff. If it gets caught up in a high volume data theft (e.g. theft from a telco) then, shrug, nothing of value will have been taken.
There’s a slight caveat here; Google’s “Messages” app can do end-to-end encryption! When using RCS, and if both sides are using “Messages” and it is properly configured, then the conversation is encrypted. At the moment it’s limited to Android users using Messages, but since Apple is now embracing RCS maybe we’ll also see some cross-platform support in the future?
VPN on my phone
Nope, don’t use that either. If I’m in Starbucks my phone is using mobile data directly with no VPN to protect me. But I’m not concerned because pretty much every site my phone talks to is TLS protected. This gives encryption and a level of identity verification (“yes, this is sweharris.com; the certificate says so!”).
I don’t normally have WiFi turned on when I’m out of my house (automated based on location) but even if I did and connected to a rogue hotspot then I’m not too concerned; the traffic is still protected through TLS. Sure, the bad guy might see my phone make a connection to my bank, or to my home network; they might be able to see my DNS queries. So from this metadata they might be able to work up some sort of profile on me to use in social engineering, but my data is secure.
Again a minor caveat; I do have a VPN I run myself, but that’s normally off; it’s to let me access my own IMAP server if I’m out of home and need access to my email urgently. Mostly I don’t need it. And I don’t default-route via the VPN, just my home subnet, so everything else would still go out the normal way.
VPN at home
Why would I? Again, most things are TLS protected. I run my own DNS servers (ISC Bind) so I don’t hit my ISP’s servers for that. Sure, they could sniff my DNS traffic or they could see the TLS headers and so learn that I spend far too much time looking at pr0n. But so what?
Yes, Verizon would release my details to the government on request, but then so would most VPN providers. I’m not gaining any security, just moving the risk around.
And getting worse network performance as a result.
There are use cases for VPNs (especially if hoisting the Jolly Roger) but security isn’t one of them. So, no, I don’t use a public VPN.
(As above, I do have a private VPN I run myself that I use to allow services out of my home to reach into my private network)
Anti Virus
I do now have a Windows machine; I use it for gaming. But the only protection on it is the built in Microsoft Defender product. I’m not hitting warez sites, downloading dodgy software; I don’t even have Office products installed so no Word Macro viruses here! I don’t read email on this machine (I do that on Linux using a terminal client, “mutt”). Basically the risk vectors for attacking and infecting this machine are very very small. So Defender is good enough for me. Honestly, it’s probably good enough for most individuals.
Alexa and smart home stuff
Yes, I’ve got spy bots in pretty much every room in my house, even in my main bathroom (I use it for morning news from NPR and BBC, and to play music while I’m showering).
No, I’m not concerned about Bezos listening in on me.
I have a lot of home automation and having voice control over them is nice. My MQTT server is not password protected, but you have to be on my LAN or IoT networks to see it (guestnet can’t).
A rant
And here is where I’m gonna rant about mobile email; because of the form factor it’s very hard to get some of the information needed to determine if an email is legitimate; it may not be easy to tell Fred Bloggs <myfriend@their.email> from Fred Bloggs <badguy@evil.badguy> on a mobile email app; they both show as “Fred Bloggs”. Grump! And a similar rant for embedded browsers in chat apps; they may not show URLs!
So we need to be very aware of attacks on the human aspect; don’t open random attachments, even from friends. Don’t enter your password into a site you’ve reached from a link in a chat message. And so on. Technology like secure messaging or VPNs won’t protect you from that sort of stuff, anyway!
Summary
Most of the things I don’t do are because of risk evaluation and what I consider valuable. Of course if I was negotiating a multi-billion dollar deal then I’d want to do it securely, but “wanna go down the pub tonight?”… not so much. If I was accessing corporate resources then a VPN or Zero Trust tunnel or similar would be necessary. But to access my bank account? TLS is good enough.
Everyone needs to look at their personal circumstances and decide what level of protection they need.
I honestly think that, for most individuals, the out-of-the-box technology protections are now pretty good. The bigger risks are “human factor” related, such as phishing or scams.