Presentation: How to Use Encryption for Defense in Depth in Native and Browser Apps

I work at the company I founded, Tozny. We are an encryption and cybersecurity company primarily focused on application layer and end-to-end encryption. The idea is how do we use these types of tools to build more security and privacy directly in the applications.

I gave a talk a few years ago at QCon about why encryption is hard and what people get wrong about it as well as a call for improvement in the area. This is still our work and loving it every day.

I want to educate the audience about this model of where and how you can use encryption. I think people think of encryption as primarily things like HTTPS, TLS, SSH and things like that. Or you toggle a flag in your database and say, I want this data encrypted, and we don't think as much about what's happening at the application layer. And you can, it's harder, but you can do that. And there are really big advantages to doing encryption at the application layer. You really get to have your encryption follow your application logic. So if that means you're application logic is these two people talking to each other, you can have the encryption say, why don't we encrypt at one side and decrypt at the other side. So the two people are the only two people that can read their messages. If your access control model is something different, than your encryption can follow that model. That's the distinction I make with application layer and infrastructure layer encryption, and I think certainly infrastructure layer encryption is basic, you need it. But I want more and more people to learn about how to do this kind of application layer encryption.

There's an interesting debate around whether it's worthwhile to do encryption in JavaScript or in the application layer in the browser. I think there is no debate around saying, we want to do encryption on smart clients like mobile phones and laptops and servers. But when you start talking about the browser it gets a little bit muddled because, for instance, when you're delivering the encryption code to the browser and then you're having the browser do encryption, that delivery process relies on TLS/HTTPS. If you break that then you then you can just deliver code that changes the keys or doesn't do encryption properly or exfiltrates the data off somewhere else. Having WebAssembly and web crypto in the browser is helpful. These primitives are being made available in the browser to make encryption more performant and also more reliable from browser to browser, so that maybe there are ways of doing some aspects of that without delivering all the encryption via the JavaScript interface. This doesn’t solve the challenges of doing encryption in the browser, but it does help. That's a little bit in the weeds but the kind of higher level view is we think it really is actually pretty interesting to be able to do encryption in the browser in the application layer even though the security model of it is actually very different than if you were doing it on a mobile app for instance.

My favorite thing with the talk is if I can deliver any surprising insight and see light bulbs go off in the audience. I want people to have that kind of aha moment. In a way that takes where they're at today and it bumps it up a level. I don't want to talk about something that people don't understand at all, and is just a very basic introduction. I want to be able to give them a tool that they can start thinking about, in this case encryption, a little bit of a different way and go home and start using that right away.