No encryption algorithm is provably secure.
That’s something of a shocker to people who depend on security features built into their browsers to shop, bank, and play online. We assume that because our account balances remain untouched and because our social media accounts aren’t posting stuff we don’t want them to post, we’re safe and good to go. Nothing could be further from the truth. Let’s take a quick look at three points at which an encryption scheme is likely to be attacked.
Cryptography experts don’t like the notion that it’s impossible to prove that an encryption scheme is secure. To get around this, they speak of things like difficulty assumptions, attack vectors, and complexity. A lot of what they say is perfectly valid. For example, assuming that factoring large (in the range of 100+ decimal digits) highly composite numbers remains a difficult task for cutting-edge computer hardware, RSA encryption (the basis of most online communication at some level) will remain equally difficult to crack. The problem is that the difficulty of the factoring problem is not guaranteed to remain as it is today. In fact, it could change overnight with any number of potential discoveries in mathematics, and there is literally nothing out there that could potentially replace RSA if it gets taken down.
If you remove all assumptions from the hypothetical situations used to define the security of encryption algorithms (i.e. put them out in the real world), you quickly find that it is simply impossible to provide any assurance of security whatever. For now, we depend on encryption for virtually everything that happens online, but just because things are going okay now doesn’t mean that someone hasn’t or won’t figure out some ingenious way of cracking the strongest of encryption schemes like the shell of a hollow egg.
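To make the factoring assumption behind RSA concrete, here is an added example (not part of the original post) using textbook RSA with a deliberately tiny modulus. Once the modulus is factored, the private exponent follows from the public key alone, which is why real key sizes are chosen to keep factoring out of reach. The primes, message and function names are constructed for the illustration, and padding is omitted.

```python
# Added illustration: textbook RSA with a toy modulus (no padding).
# All values are constructed; real keys use moduli of 2048 bits or more.
from math import isqrt

P, Q = 104729, 1299709  # two small primes, chosen only for this example


def make_keypair(p, q, e=65537):
    """Return ((n, e), d) for textbook RSA built from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), d


def factor(n):
    """Trial division. Feasible only because n is tiny."""
    if n % 2 == 0:
        return 2, n // 2
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("n has no non-trivial factor")


def recover_private_exponent(public_key):
    """Rebuild d from the public key by factoring n."""
    n, e = public_key
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    public_key, d = make_keypair(P, Q)
    n, e = public_key
    message = 424242                # constructed plaintext, must be < n
    ciphertext = pow(message, e, n)
    recovered_d = recover_private_exponent(public_key)
    plaintext = pow(ciphertext, recovered_d, n)
    return d, recovered_d, plaintext, message


if __name__ == "__main__":
    d, recovered_d, plaintext, message = demo()
    print("private exponent recovered:", recovered_d == d)
    print("message recovered:", plaintext == message)
```

The same steps are out of reach for a 2048-bit modulus only because no known classical method factors it in practical time, which is exactly the assumption the paragraph above describes.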
Recent events have brought to our attention that some implementation recommendations by government agencies like the NSA are riddled with back doors and dirty hacks. The result is that, even if we did have a perfectly secure encryption algorithm, we’re still screwed because of something in the implementation of it.
An example of this is Heartbleed, a bug that was discovered in OpenSSL that left millions of machines open to attack. An attacker could retrieve the secret keys necessary to decrypt messages sent between machines. This was a serious problem, and the reputation of OpenSSL was severely damaged for a while. It is hard to imagine that similar problems don’t exist in virtually every piece of encryption software out there.
The weakest part of every security system is the human element. There are psychological and cultural holes we all have that can easily be taken advantage of to gain access to privileged places or information. Most of the time, we never know what hit us until it is far too late.
Some common things to look out for include passwords that are too simple (like “password”, your birthday, a favorite line from a movie, or anything else that contains whole words from your native language), lack of password protection on mobile or other computing devices, and the desire to be helpful to others when we sense there is a need.
Even if you do choose good passwords, keep everything password-locked, and watch your back, chances are that eventually, someone, somewhere, is going to get the best of you. The only real advice I can give beyond the obvious is this:
Don’t be stupid.