Hey, My mother is a non-technical person, she's a sole trader. She has been using Google services for many years and is probably used to them. A few months ago, I was able to convince her to set up an online password manager and calendar (up until now, she had been saving all her passwords in a handy paper calendar).
Should I convince her to withdraw from Google services? If so, how should I do it so as not to put too much pressure on her?
Thanks for all the answers.
part of the issue is that just because something is secure now doesn't mean it will still be in 5 years. so with quantum algorithms no doubt going to improve once the tech matures, and moreso with companies hoarding everyone's data until that time, it's only a matter of time before all that stuff is entirely breakable. so even if we keep up with the times it feels like a losing battle.
I'm not sure I'd consider it a losing battle at all. It's certainly possible for there to be weaknesses in modern day cryptography, but in general it has stood up remarkably well over quite a long period of time so far. The possibility of quantum computers makes things like RSA and ECC a little dicey in the long term, but we're already working on post-quantum cryptography and are starting to deploy it. Assuming that those algorithms hold up there's a good chance that if quantum computing is ever practical we will be ready for it. There's a good chance that you are even using post-quantum cryptography now in certain situations (e.g., recent versions of SSH uses post-quantum cryptography for key exchange).
Most people do not decide what cryptography they are using. I'm not really worried that in 50 years I'll be using something dated for most stuff as long as I'm using modern software. The most likely case where this could matter is for something like SSH or PGP where you are manually managing your own keys… When RSA and ECC keys are no longer considered secure that will be pretty big news, and you'll probably hear about it, but there's also a good chance that the software will be updated and provide warnings that you should generate new keys too?
what I mean is that, connections that are private and secure in the current day, may still be logged since everyone is so data hungry to train their AI, because even though it's not currently readable, those past messages will be tomorrow, even if the encryption of the day changes. it only protects the things under the current standard. that's sort of unsettling to me that nothing is truly guaranteed safe for even 5 years, despite how deep the key space goes.
I highly doubt that any commercial company is going out of their way to store encrypted conversations and working on quantum computing to break those conversations in order to train AI. There is no way that this is a cost effective way to train AI, and there is no way that this will be more legal or considered more ethical than scraping public facing websites (even if those websites request not to be scraped).
That said, of course "capture now, decrypt later" attacks are a concern! I would probably bet against companies planning to do that for the purpose of training AI, but I would not bet against governments doing that for other reasons :). This is why post-quantum cryptography is being rolled out now (albeit slowly, it's still rare). As an example OpenSSH defaults to using post-quantum algorithms for key exchange ever since the 9.0 release. It uses a mix of the NTRU Prime + X25519 ECC algorithm for key exchange, so it is guaranteed to not be weaker than normal ECC cryptography, even if the NTRU Prime lattice cryptography proves to be horribly broken. Once the key is exchanged the symmetric cipher used for the connection is also assumed to be quantum resistant. If quantum computing becomes a serious concern you will have to retire your old RSA / ECC SSH keys, but they are only used for authentication at the moment (so it doesn't matter if this cryptography is broken in the future), not for encrypting any of the "real" content between devices — all of that is likely quantum resistant as of more than a year ago. Most of what you do on the internet, however, is still vulnerable and could be captured to be decrypted later… But I suspect we will slowly see things move over to post quantum cryptography transparently over the years.
It is not known when or even if we will have quantum computers capable of breaking RSA at common key sizes. There are concerns about whether it will ever be viable, and if it is who knows what the cost to run it will be (it may only be viable for targeted attacks, and not decrypting all internet traffic ever… If it's expensive and takes hours or days to break a single key it might not even be super effective for decrypting old messages in protocols where keys are renegotiated frequently, like with Signal). I wouldn't be terribly surprised if we never have quantum computers effective at this (though I'd probably bet for it to happen rather than against it), and I wouldn't be terribly surprised if there already is one somewhere kept secret (though I'd probably bet against this being effective for decrypting an entire population's messages?). I don't actually have much insight over the feasibility of large scale quantum computers, though, so take that with a grain of salt. At any rate… You probably don't have to worry too much about it as a looming threat right now, there are likely far easier ways to attack you now.
The guarantees in cryptography are super weird. It's kind of odd, but in all of the cryptographic algorithms we use today… We don't actually know how hard the problems are? Symmetric ciphers are generally thought to be more secure than public key cryptography, but it's a bit easier to see how hard public key cryptography is to break (at least in my opinion). With RSA for instance you know that if you can factor large numbers efficiently you can break apart the keys, but with AES we kind of just hope we mixed things up good enough that it's hard to reverse without the key. But what's kind of funny is that we just think that factoring large numbers is hard, but we don't even know if it's an NP-complete problem — it's probably an easier problem, and even if P≠NP it could be the case that there's an efficient polynomial-time algorithm to factor large numbers. It's not entirely out of the realm of possibility that there is just some math waiting to be discovered that would break these algorithms on a classical computer, and there's a non-zero chance that it is already known and kept secret (though this is probably unlikely).