Earlier this month, Google announced a new Chrome browser add-on dubbed End-to-End, which is designed to make email more secure. While some media reports trumpeted the move as an attempt to “fly in the face of the National Security Agency”, most reported it simply as an added layer of security for messages delivered via the Internet.
Jared Hansen, CEO and founder of Breezy, which offers a leading solution for secure printing from mobile devices, said that the End-to-End extension is a step in the right direction for web mail users. “End-to-end encryption means that data leaving the browser will be encrypted until the message’s intended recipient decrypts it,” Hansen said.
He also points out that Google’s move to expand the use of encryption validates the mobile security model that Breezy pioneered for secure mobile printing, as well as older end-to-end encryption tools like PGP and GnuPG. “What Breezy does for secure mobile printing is to make end-to-end encryption usable by the average person,” Hansen says.
“Unlike traditional encryption processes that require a lot of manual effort and technical knowledge, Breezy automates the encryption and decryption process so that it’s easy for IT to deploy and manage, and even easier for employees to use because it doesn’t change the way they are accustomed to printing documents. It’s simply more secure, with no effort on the part of the end user.”
What It Means for Mobile Security
The new Chrome browser extension is not yet available to customers, since it is still being tested. Many reporters like PC World’s Mark Hackman noted that even when it becomes available, Google’s response to reports of government data collection will probably be used only for the most sensitive email. “It’s a way for consumers to fight back,” Hackman wrote.
In terms of mobile device security, end-to-end encryption isn’t new. What is new in the media reports about Google End-to-End is that it solves the problem that has hampered adoption of other encryption solutions: both the sender and recipient of any encrypted message have to install and correctly configure an encryption implementation that can decrypt the message.
“If a compatible encryption/decryption solution wasn’t in use on both ends of the message, you were left with gibberish,” Hansen points out. “Google’s product announcement gets us closer to a world where that isn’t the case, since Google will simplify both ends of the process.”
Still, Hansen doesn’t think simply encrypting email through a browser extension is enough to deliver true mobile security. He emphasizes instead that all apps dealing with sensitive corporate information should be expected to use on-device encryption, to protect data both at rest (being stored on the mobile device) and in transit to another device (such as a
“If data isn’t encrypted on the mobile device where it is stored, it’s subject to man-in-the-middle attacks when it is in transit between the mobile device and the recipient. Transport layer encryption is the most common type of data encryption, but we simply don’t think that anything short of full encryption on the mobile device is enough to protect valuable company data,” Hansen says.
On-device encryption is one of the reasons that Breezy’s secure mobile printing solution, which supports all printers and is available for both iOS and Android, is the leading choice for companies serious about security when considering a mobile printing deployment.
Defining On-Device Encryption
The term “on-device encryption”, when used in a mobile printing context, means that the document is encrypted by the mobile device before it is transmitted to the printer.
In a cloud printing system employing on-device encryption, each printer will have an associated keypair allowing asymmetric-key encryption. In simple terms, this means that each printer will
have a private key that is kept secret, and a public key that can be advertised. The keys are linked such that when an encryption algorithm is applied to a data stream and the public key, the data stream can only be decrypted by an entity in possession of the private key.
Before a document is sent to a printer, an app using on-device encryption will obtain the public key associated with that printer, and use it to encrypt the document before transmission.
Consider the following scenario:
1) A vendor sells a cloud printing app that lacks on-device encryption but touts the app’s use of HTTPS as a security measure, possibly using terms like “bank-level encryption”. The vendor relies on the HTTPS protocol to protect the document on its journey to the vendor’s cloud, and from there to the client’s infrastructure (this is known as “transit layer” encryption).
2) A user prints a sensitive document using the app. The app dutifully sends the document to the vendor’s cloud via HTTPS.
3) Even though the app behaved appropriately, there is a surprise: unbeknownst to the vendor or the user, a man-in-the-middle attack has compromised the app’s connection to the vendor’s cloud – or, worse yet, the vendor’s cloud itself has been compromised. In either case, the attacker is able to retrieve the document – and because the document is not encrypted, the attacker has full access to its contents.
On-device encryption is the only solution that protects company data in this kind of attack, which is why Breezy built it into all of its secure mobile printing products.