02 Jun 2020 • Alex Harley
Some minor preamble
At Portabella, we believe in a secure-by-default future. In our opinion, 90% of businesses don’t actually need access to customer data. As we’ve seen in recent years, customer data is often:
- mined - Customer Data Mining in the 21st Century
- leaked - Wikipedia: List of data breaches
- used for analysis - Customer data analysis
As customers of many tools and services ourselves, we don’t want any of that being done to us. Even if we are OK with companies tracking our movements, clicks and patterns for analysis, it should be explicitly opt-in.
By offering an end-to-end encrypted solution that is just as seamless to use as our competitors’, we hope to spur a kind of revolution where the public demands better of the tools they use.
In many regards, privacy can be looked at as a sliding scale. Today we expect, as an absolute bare minimum, that our connections are encrypted with transport layer security (TLS). When using an up-to-date and uncompromised browser, we can be confident that when we view google.com, our requests are being served by Google.
However, data leaks still happen, so a website being served over TLS doesn’t mean it is secure. To stick with the Google example for a moment, if you want to share a private photo, a publicly viewable URL is generated that you can share. This reddit post highlighted the concern many users had about their private photos being publicly accessible, albeit at a very hard to guess URL. Adobe Reader does the same thing, so we can see that while these services are served over TLS, such measures are not very privacy preserving.
The next layer of security comes in the form of authentication and authorization, words I’m sure many of you are very familiar with. In essence, authentication requires you to be logged in or have a valid session (whether via an email/username/password combination, single sign-on [signing in with Facebook/Twitter/etc.] or another scheme doesn’t matter) to view something, and authorization is having permission to view it. This is analogous to you not being able to read other people’s private messages on Facebook, because you’re not authenticated to do so. Not being able to edit the name of a group you’re in is the authorization aspect: you don’t have permission to do that.
This is where most services stop when it comes to privacy. You create some private content on a platform, save it, and it ends up in the company’s database in plaintext (meaning readable by anyone with access to the database). This is a problem: you now have to trust:
- employees of said company, not to view your data
- potential hackers of the company: once they have access they can view all your data
- government interventions: while unlikely, a company could be forced to hand your data over to a government agency
End-to-end encryption solves these issues. Anyone viewing the database is unable to read your data without your private key. Even if there was pressure from a government agency to hand your data over, it would take an impossibly long time to decrypt it with current technology.
So what do we encrypt?
Core data, such as the names and descriptions of your boards and lists, card content and shared files. We do not encrypt things such as relationships between users and cards, assignees or mentions. As we stated at the beginning of this blog post, privacy is a sliding scale. The first iteration of Portabella had everything encrypted: each of your boards was one encrypted blob stored in our database, and we couldn’t see anything about it.
While this is the most secure way of storing your data, it doesn’t scale and makes it difficult to create a nice experience for the end user. Realtime updates with diffs become harder, notifications of changed content are flaky and, most importantly, a single blob of encrypted text can only get so big before browsers hit their limits; chunking the data only further increases complexity.
If an attacker or adversarial employee were to gain access to our production database, all they’d be able to see is which of your employees or team members are assigned to each card, and how many projects and cards you have, nothing more. To us, the added benefit of notifications, realtime updates, mentions, deadlines and assignees offers a much better user experience than the fully encrypted blob we started with.
Is this system 100% secure?
Unfortunately no system is 100% secure; the number one attack vector for end-to-end encrypted applications is social engineering. If a colleague or team member on one of your boards has their account compromised, all the projects they are a part of will be compromised too. Because of this we recommend using the mnemonic method to sign up or, if you must keep a password, a strong one managed by a password manager.
Thanks for reading!
That’ll conclude today’s blog post; hopefully it answers any questions you may have around privacy at Portabella. If you have any more questions please reach out to me at [email protected]