It’s December 25th, which means most of you are probably at home visiting with family. I asked a few of the security engineers here at CloudFlare how they explain their jobs when they’re home for the holidays, and most of them responded with something along the lines of, "Oh, I stopped trying to do that a long time ago." Apparently, working in the cryptography field doesn’t exactly make it easy to talk about work with your parents.
After chatting with our crypto experts some more, we figured out a decent way to explain the general idea of encryption and why it’s a critical part of the Internet. While this post may not explain exactly what security engineers do on a day-to-day basis, hopefully it will help you at least tell your parents why you have a job in the first place.
Banks and Their Big Fancy Buildings
To explain encryption to your parents, I’d start by asking them why they trust their bank. Let’s say they have some cash to deposit. They drive to their bank’s local branch, walk through a big fancy lobby, wait in line for a teller, and hand them their money. It may seem like a silly question, but how do they know they’re actually giving that cash to their bank and not some stranger off the street (or a very sophisticated con artist)?
Put another way, how would they feel if they walked into their bank and it looked like a run-down bail bonds office? Even if they saw their bank’s logo hanging on the wall, they’d still probably be a little hesitant about handing over their money.
Traditional banks are in big fancy buildings for a reason. Big fancy buildings convey an innate sense of trust. You might think that it’s to invoke a reaction like, "Oh my gosh, this bank has so much money they wouldn’t ever need to steal mine," but that’s not quite it. Big fancy buildings are trustworthy because they took a lot of time, money, and effort to construct, which means it would also take a lot of time, money, and effort for a con artist to build their own big fancy building and masquerade as your bank.
Encryption Is the Internet’s Big Fancy Building
I use an online bank with no physical branches, so instead of walking into a lobby, I visit a website. The problem with (and beauty of) the Internet is that anybody can publish a website that looks just like my bank’s site for only a few bucks a month. How do I know that the website I’m visiting isn’t the digital equivalent of a run-down bail bonds office? Where’s my big fancy building?
Instead of gaining trust with a big fancy building, my online bank adds a TLS certificate to their website. TLS certificates use encryption to ensure that I’m actually visiting the domain name I see in my browser and not a phishing website trying to steal my credentials.
That TLS certificate has the same key property as my parents’ physical bank building: it would take a lot of time and money for somebody to forge a certificate and impersonate my online bank. Even if a bad guy put up a website that looked exactly like my bank’s, they wouldn’t have a TLS certificate that matched, and my browser would warn me that something very bad is happening as soon as I visit the forged website.
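As an added illustration (not code from the original post), here is the check a browser makes between the domain name in the address bar and the names listed in a site’s certificate; a mismatch is what triggers the warning described above. The certificate names are constructed sample data.

```python
"""Hostname-vs-certificate check, modelled on what a browser does before
showing the lock icon. Added illustration, not CloudFlare code; the
certificate names below are constructed sample data."""


def name_matches(presented, host):
    """Return True if one certificate DNS name (possibly with a leading
    wildcard label) is valid for `host`, following the usual RFC 6125 rules:
    case-insensitive, wildcard only as the entire left-most label, and the
    wildcard covers exactly one label (no 'a.b.' under '*.example')."""
    p = presented.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard must still leave at least two fixed labels (no '*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial-label wildcards such as 'ba*.example' are rejected outright.
    if "*" in presented:
        return False
    return p == h


def cert_matches_host(san_names, host):
    """True if any subjectAltName DNS entry in the certificate covers host."""
    return any(name_matches(n, host) for n in san_names)


def browser_verdict(san_names, host):
    """Mimic the browser's decision: lock icon, or a mismatch warning."""
    if cert_matches_host(san_names, host):
        return "ok: certificate is valid for " + host
    return "WARNING: certificate does not match " + host


# Constructed subjectAltName list for the online bank's certificate.
BANK_SANS = ["mybank.example", "www.mybank.example", "*.app.mybank.example"]

if __name__ == "__main__":
    for h in ["www.mybank.example", "login.app.mybank.example",
              "mybank-login.example", "a.b.app.mybank.example"]:
        print(browser_verdict(BANK_SANS, h))
```

The look-alike name mybank-login.example fails the check even though a person might read it as the bank, which is exactly why the browser, not the eye, does this comparison.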
The Internet Is More Complicated
Of course, online financial transactions are a little different than at your local branch. When I make a deposit with my online bank, I don’t just hand some cash to a teller, I ask my neighbor to drop it off at the post office for me, where it gets picked up by a mailman, who’s kind of busy that day, so he asks his wife to swing by the bank, but all the bank tellers are out to lunch, so she leaves it with the doorman, who says he’ll pass it along when they get back. Oh, and my cash isn’t even in an envelope; it’s just a naked $100 bill.
That’s what happens every time you do anything on the Internet. That should scare your parents.
Encryption for Privacy
Encryption serves a dual purpose on the web. It not only ensures I’m talking to my actual online bank, it also protects my information from all those third-party intermediaries. Visiting my online bank’s website with an encrypted connection is like sticking my $100 bill in a lock box before dropping it off at my neighbor’s place. Neither he, his mailman, his wife, nor the doorman can steal it because they don’t even know what’s inside. My bank’s TLS certificate is the key to that lock box, which makes sure that only the bank tellers are allowed to access my funds.
Best Practices for Internet Security
At this point, your parents think that working in the crypto field is the coolest, and, let’s face it, mission accomplished. Now that they’re hooked, here are some tips you can feed them about how to stay safe online:
Look for a lock icon in your browser and/or a URL that starts with https to ensure an encrypted connection before entering sensitive information like credit cards or passwords.
Double-check the domain name of the website before entering sensitive information to make sure you’re not on a phishing website like paypa1.com or g00gle.com.
Don’t text or email your credit cards, bank account numbers, or passwords, no matter how much you trust the person on the other end.
To share this kind of information, use an encrypted file-sharing service like Dropbox or Box and password-protect any documents you share.
Use different, randomly generated passwords for each of your online accounts.
If your Facebook password is stolen, at least they won’t be able to get into your Twitter or email account.
This makes a password manager like LastPass or 1Password a must for keeping track of all your credentials.
Use two-factor authentication anywhere that supports it, even if it’s slightly annoying.
Two-factor authentication doesn’t let you log in without access to your mobile phone, which makes it much harder for an attacker to hijack your account.
Don’t ignore your browser or operating system when it asks if you want to upgrade.
It gets cheaper and cheaper to break older encryption protocols, and running an outdated system leaves you exposed to attacks on those older protocols.
The underlying theme behind all these best practices is the same. At some point along the way, there’s no encryption protecting your sensitive information, which means there’s a risk of a bad guy intercepting it.