Secure Messaging in an Offline Network
Wire has built a world-class secure messenger on edge-based encryption technology that helps keep your business communication and collaboration secure. Your business is constantly under attack from various malicious parties, and the layers of security deployed in your IT infrastructure are both complex and costly. Imagine a world where you spend less on your infrastructure and your workers have the same flexibility as with their day-to-day personal messenger. On top of all the messaging capabilities of a cloud environment, let us see how Wire differentiates itself to aid a privacy-focused organization.
Client and Backend Deployment
Information-sensitive organizations maintain their own offline networks. These private networks could be offline in their entirety or authorized to only access a few endpoints from the cloud. What customization do they have to enable modern applications to be available seamlessly to private network users?
Wire supports several types of deployment, depending on the privacy and security preferences of the prospective client. We see two types of installations:
- Wire’s client is downloadable from the cloud, and Wire’s backend gets installed on the private/offline network. On registration, private network users using the public client can be linked to the backend and use the Wire functionality on their devices.
- A custom Wire client and backend deployed on the private/offline network. Users can register quickly and utilize the Wire functionality on their devices.
Compliance and Governance – Legal Hold
Sensitive information often gets shared in susceptible environments, which is why it is essential to govern the data transmitted in any text, file, or conversation with a growing number of employees, guests, or vendors. How do organizations train them to ensure the highest security level and protect themselves from information voluntarily shared by one of their users?
With Wire, all messages and files are encrypted; we do not store any information on Wire. However, Wire enables you to deploy a service that can listen to all users within your organization and will allow administrators to track and record messages for certain users that require surveillance. Wire helps your organization protect itself against legal proceedings such as litigation, government investigations, or Freedom of Information Act requests with this service.
Today, organizations use email as the primary method for external communications. Many security functions make email secure, but there is no guarantee that the email sender and recipient have the same security levels. How do these organizations share information seamlessly and stay safe?
If Wire gets deployed in two separate, private environments, Wire client users of those two environments can talk to each other based on the administrator’s security policy. Each message or file shared has the highest security level, like that of a text shared internally, so your users do not need to switch between tools and will experience the most secure conversations without borders. However, if you want to talk to an external user, you need to invite them from your Wire private network account to speak to them.
Security Risks in Packet Analysis
What about the risk of information leakage through packet size analysis when using Opus with variable bitrate encoding during an audio call?
Opus’ default mode uses variable bit rate (VBR) encoding to achieve better call success in limited-bandwidth environments such as 2G networks on mobile phones. Variable bit rate encoding provides an observer of an encrypted audio stream with “metadata”: since different sounds are encoded differently, even tiny variations can be detected. Academic research has shown that pre-recorded sentences can be recognized under specific circumstances despite the encryption, but not individual words. It is important to note that these papers analyze a different codec, Speex, where differences between CBR and VBR encoding become more prominent. To counter any threats associated with the exploitation of VBR calling metadata, Wire supports constant bit rate (CBR) encoding on all desktop and mobile applications.
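The following is an added example, not code from Wire: a check a network or security team could run over packet lengths taken from a capture of an encrypted call, to confirm that the stream is constant-size as CBR should make it. The sample frame sizes are constructed, and the fixed 22-byte per-packet overhead (a 12-byte RTP header plus a 10-byte SRTP authentication tag) is an assumption used to show that encryption adds a constant and leaves size variation visible.

```python
import math
from collections import Counter

# Assumption: per-packet overhead is constant (12-byte RTP header plus a
# 10-byte SRTP auth tag here), so ciphertext length tracks the encoded frame size.
OVERHEAD = 22

def on_wire_lengths(frame_sizes):
    """Lengths a passive observer sees for a sequence of encoded frame sizes."""
    return [size + OVERHEAD for size in frame_sizes]

def length_entropy_bits(lengths):
    """Shannon entropy, in bits per packet, of the observed length distribution."""
    n = len(lengths)
    return sum((c / n) * math.log2(n / c) for c in Counter(lengths).values())

def audit_stream(lengths, min_packets=50):
    """Summarise what packet lengths alone reveal about one audio stream."""
    if len(lengths) < min_packets:
        # Too few packets to say anything about the encoder mode.
        return {"verdict": "insufficient-data", "packets": len(lengths)}
    counts = Counter(lengths)
    dominant_len, dominant_n = counts.most_common(1)[0]
    return {
        # One single length means size carries no information about content.
        "verdict": "constant-size" if len(counts) == 1 else "variable-size",
        "packets": len(lengths),
        "distinct_lengths": len(counts),
        "dominant_length": dominant_len,
        "dominant_share": dominant_n / len(lengths),
        "entropy_bits_per_packet": round(length_entropy_bits(lengths), 3),
    }

# Constructed sample data: encoded sizes in bytes of 20 ms audio frames.
VBR_FRAMES = [61, 74, 58, 66, 12, 12, 12, 70, 81, 55] * 6  # speech bursts and pauses
CBR_FRAMES = [80] * 60                                     # fixed 32 kbit/s

if __name__ == "__main__":
    for name, frames in (("VBR", VBR_FRAMES), ("CBR", CBR_FRAMES)):
        print(name, audit_stream(on_wire_lengths(frames)))
```

A non-zero entropy on a call that is expected to use CBR means packet sizes still vary with the audio, so the setting should be rechecked on that client.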
Encryption of Device Data
Most devices use device-level encryption for data storage, which leads to an increased attack surface.
Wire supports encrypting message content at rest. Wire encryption means that message contents will be encrypted on the disk while the app is not running in the foreground. This mechanism goes beyond the system-level sandbox encryption, which encrypts the app data until the user unlocks the phone for the first time after restarting the phone.
Avoiding Impersonation Attacks
In a large organization, users can change their usernames and display names, and this change can lead to impersonation attacks.
By using an identity provider and connecting to the Wire backend through SAML/SCIM, users no longer need to create a password but can SSO (Single Sign-On) into their Wire accounts. All the SCIM metadata is then imported into Wire’s user profile, making the user’s identity better known and drastically reducing impersonation attacks. When trying to contact a user whose name looks similar to another’s, the message sender can review the user profile before hitting ‘send’.