With two recent vulnerabilities making headlines this month, notably CVE-2019-14899, impacting VPNs running on Linux distros, and Atlassian's zero-day flaw reported by SwiftOnSecurity concerning a leak of private keys, it should be no surprise anymore why encryption merely breeds a feeling of security rather than guaranteeing it.

From Hollywood flicks dropping buzzwords like encryption, VPN and private keys, along with the vendors who must now convince the public in order to hype up product sales, the ultimate message that gets communicated inadvertently (or deliberately) consists of half-baked, distorted assumptions. For example, "if I'm on a public hotspot, flicking one switch of my VPN equates to total security," or something along those lines, conveys the general mindset of an unsavvy user. Likewise, one popular myth is "if a webpage has a padlock icon, that implies it's secure." In reality the page could very well be a phishing setup made to look and feel secure by the attacker using a free SSL (Let's Encrypt) certificate: the padlock only attests that the connection to that domain is encrypted, not that the domain belongs to whom it claims.

Then follows the other side of the issue: legitimate website names sounding like 'phishing' domains which are actually being used today by mainstream banks and companies. Just another day when rescheduling my flight, the Virgin Atlantic representative transferred me to a "secure form" to collect credit card information, hosted on the mysterious lpsnmedia.net domain. If you're a tad vigilant, this would raise multiple red flags, unless of course you are familiar with LivePerson (hence the letters lpsn) chat software and every single domain they own. Similarly, "phishy" sounding domains like myonlineaccount.net and clc-consumerservices.com are valid and actively being used as of today by legitimate banks and payment providers, where users are asked to make credit card and loan payments.

The point

My point is that the security industry has done a poor job of communicating to a layperson what is secure and what isn't, whereas the mainstream players in charge of assuring customer security, i.e. banks and online businesses, continue to confuse the public with their choice of weird-sounding domain names and their inconsistencies when it comes to practicing security.

Military-grade encryption, as implemented and marketed by VPN vendors, SSL certificate issuers and 'secure' apps, is no exception. Even assuming the technology is indeed unbreakable and secure given today's resources, it is the 'weakest link' surrounding the encryption that truly matters. For messaging apps like WhatsApp claiming 'end to end security,' the weakness lies in the phrase itself: your communications are only as secure as the ends. Should one of the parties inadvertently download malware and compromise the security of their device – their end – this guarantee ceases. And, really, how hard is it to tempt a naive user into trusting a phishing website that looks like the real deal, when so many legitimate websites look 'phishy'?

That is the conversation security professionals and stakeholders need to be having. Without it, we can only create a market that works for security vendors and their sales, with the general public remaining deficient and in perpetual limbo.

© 2019. Akshay 'Ax' Sharma / @AkshaySharmaUS. All Rights Reserved.