DevelopSec: Developing Security Awareness

Ep. 127: Importance of Terminology

Jardine Software Inc. Season 1 Episode 127

In this episode, James talks about the difference between end-to-end encryption and the standard encryption in transit that most web applications implement. There is an interesting story (referenced below) about a product whose marketing used the term end-to-end encryption in a way that departs from its standard understanding.

Check out what the differences are and what you can do to make sure you are thinking about how terms are used.

References:

Link to Article: https://www.esecurityplanet.com/threats/kohlers-smart-toilet-camera-isnt-actually-end-to-end-encrypted/


For more info go to https://www.developsec.com or follow us on X (@developsec).

The DevelopSec podcast is brought to you by Jardine Software Inc.

On this episode of the DevelopSec podcast, James talks about the difference between end-to-end encryption and encryption in transit. Tackling the challenge to integrate security into the development process? Looking for insights, answers, and practical solutions to avoid getting overwhelmed? Welcome to the DevelopSec podcast, where our focus is your success in securing and improving development processes. And here is your host, James Jardine.

Hey everyone, and welcome to this episode of the DevelopSec podcast. Today I wanted to talk a little bit about how important using the right terminology is. An interesting story that came up that kind of sparked this conversation, or thought, is a story I saw in the news not too long ago. It's been a little bit now, but I'll put a link to the article in the show notes. It has to do with encryption and the way that an organization was advertising their encryption. You probably all remember years back it used to be very common: you'd see products out there and they'd say "military grade" as this special selling point. It's military grade encryption. This is going to solve all your problems. It must be better than just standard encryption. And so we see that terminology does exist and it does matter, because people make decisions based on that.

So in this case, what we found, or what this researcher found, as they were going through looking at this company's product and their website and their privacy agreement, different things like that: there's this product that Kohler makes, apparently some sort of camera that goes on your toilet to be able to look to see what's in the bowl and help analyze, to look for health concerns, maybe dehydration, maybe gut issues. I don't know, something I'm not going to get super deep into, but it's kind of an interesting idea. I think we could probably do a whole podcast on the idea of a camera in the toilet.

But what they really found out and what they came across was that the company was indicating that their communication between the camera, the device at your house, and the servers that run all of this was using end-to-end encryption. Now at first thought you might think, okay, well, that makes sense. They're using the standard encryption that every website or mobile app should be using. We spent years trying to make that happen. They're using HTTPS, TLS 1.2+ encryption, between the device and the service that supports that device. So you might be thinking, well, that is end to end, and I guess technically that is end-to-end encryption. But you don't typically hear end-to-end encryption being marketed like that. Otherwise every site, every mobile application would start indicating that they're using end-to-end encryption. But in reality they're just using, I guess, the standard encryption that everything should have, right? HTTPS. That's what is being used for most sites. That's what's being used for this application, as a standard application would do. So the concern was really more about the use of the term end to end. And we've started seeing this more. It's more prevalent around messaging apps. That's what I typically equate it to: these apps where it's not a business-to-consumer type of application. It's not your Gmail, it's not, you know, any of these other things like Google searches, or, you know, just working with any website honestly that's out there. That's more like business to consumer: going in and checking your health insurance, checking your banking, all that stuff. End to end is really more for, I would say, consumer to consumer, although there are some outlying cases to that.

But more like your messaging apps, applications like Signal or iMessage, maybe Telegram, you know, anything that's got messaging capability, where I can send a message from me to my friend John, and maybe it processes through some sort of app service to get there; they handle the routing and maybe the storage of that data. But the only two people that can actually read those messages are me, the sender, and John, the receiver. The middleman, the service provider, has no access to that data. It's all encrypted in a fashion that they cannot decrypt. And that's where we're really getting into the idea of this end to end. And it becomes important for privacy protections and all that: if I want to be able to have a secure, private connection between me and another person, yes, I have to go through a service provider, but I don't want them being able to look at the data. If you hear people talk about government overreach and they don't want the government to be able to serve a search warrant to access that data, you don't want something in the middle spying on that data, or using that data to either sell it, perform other actions, or use it in a way that you're not approving. Basically, that's where we get into this idea of end-to-end encryption.

Now, I say consumer to consumer. There are some other use cases that are more just one person, an individual. Maybe it's my data, but I'm storing it in the cloud, and I want to make sure that only I can get that data. So an example of that might be a password manager where I can sync it across multiple devices. There's a service provider in the middle. My data can go there, can be backed up, but it can only be decrypted by me on one of my devices, through a special password that only I know. There's something there that says, look, you can hold the data, but it's unusable. You can't enumerate it, you can't see it, you can't resell it; it's just stored in encrypted form. And I'm the only one that could actually decrypt this. And I'm sure there are plenty of services we could come up with that are doing something similar to this, where I want to make sure that only I can see that data. Maybe it's some sort of note-keeping application. A journaling application would be a good example. Maybe I want to keep a private journal and I don't want anybody else to be able to read what I'm writing in there. Only I can decrypt that data.

So that's where we start seeing this difference between end-to-end encryption and just your standard encryption in transit, which I guess we could say most applications do. We've come to expect that applications are encrypting data in transit. That should be the lowest bar of entry for an application. If you're not using HTTPS with a secure connection, then you shouldn't be out there, right? Don't use sites that are doing that. End to end now brings that to the next level. But it's important that we think about the terms that we're using, because we don't want to degrade those terms or devalue those terms. If we started just referring to every mobile app talking to its backend service as being end-to-end encrypted, then it would really kind of take away the specialness that we might think about when we talk about these messaging apps. Because there are things being gained when we get that true end-to-end encryption that are not realized with just our traditional encryption in transit. With end to end, I can make a valid assumption that data is not being consumed by the service provider. It's not being sent off to their AI models, it's not being sold off to data brokers. They don't have any access to that data. They can see maybe metadata around what I'm doing, but the actual data they don't get access to.

And in the case of this example in the article with the toilet cam, it's clearly laid out that the service provider has access to be able to analyze the images, to determine if there's some sort of issue. And they may make mention; I didn't read through their terms of service, but, you know, maybe there's mention that they're using it in other ways, right? The data may still be encrypted at rest when they receive it, so if somebody were to hack into their database, the data is still encrypted, but they have the ability to decrypt that data and perform actions on it, which, let's be fair, should be the assumption in a service like that. So we would expect that to happen. But this again is why we say it's important that we use the terms in the way they should be used. Again, I go back to: technically it's still end to end. It's encrypted from me to the service provider; that is end to end. But that's not what end to end was meant for. And when I first saw this, I actually was thinking a little bit like, this is silly, because it is end to end, really. So it's not wrong in saying it. But as I thought more about it, I understood the implications of why it does actually matter: we want to have a set-aside piece for this, so that if I say end to end, you know exactly what I mean. There is no ambiguity there. It's exactly this all the way through. If I say it's just, you know, encrypted in transit, I also then know what that means. It paints that clearer picture that we want to make sure that we have. So it was just kind of an interesting story. Again, I'll put the link in the show notes; check out the story. Something I didn't think we'd ever see. But, you know, it does shine a little light on the importance of making sure that we're using terminology correctly, so that people understand what they're getting and what they're getting themselves into. So again, thanks for listening to this quick episode.

Actually shorter than normal, but I thought it was an interesting thing and thought I'd share it out there. If you're in any part of the marketing piece and you're thinking about how you advertise your encryption, or if you already have that stuff out there, maybe you're just going out looking: go look and see how your organization is marketing what you're doing. Not even just from an encryption standpoint, but anything security related. Go look and see how they're marketing that and see if it makes sense. I can say in this case, I think there was a follow-up article that shared that Kohler actually did update their stuff and changed it to no longer say end-to-end encryption. But, you know, it starts someplace. So take that moment to think about, when you're going through this stuff: are you doing end to end? Are you doing encryption in transit? Are you doing encryption grade? Are you doing military grade, whatever that might mean? I did see something recently about corporate grade security. You know, we like to make up a bunch of different terms. Sometimes they make sense, sometimes they don't. But just keep that in mind as you're going through thinking about developing your applications, developing documentation around that stuff, that when you're considering how we are doing this, you're identifying that properly and labeling it properly. So, all right, thanks for listening to this episode of the podcast, and I hope to see everybody on the next episode.

You have been listening to the DevelopSec podcast with James Jardine. To find out more about how we can help you with application security, follow us on Twitter @developsec or check out our website at www.developsec.
