The Free Encryption App That Wants to Replace Gmail, Dropbox, and HipChat

Cryptographers devote their careers to the science of securing your communications. Twenty-four-year-old Nadim Kobeissi has devoted his to the art of making that security as easy as possible. His software creations like Cryptocat and Minilock are meant to encrypt instant messages or shared files with three-letter-agency-level protection, but with user interfaces that require Lincoln-Log-level skills. Now he's pulling elements of all his dead-simple apps into what he describes as his biggest release yet, a single platform designed to encrypt everything you and any group of collaborators do on the desktop.

Today, Kobeissi plans to announce Peerio, an "encrypted productivity suite" meant to help individual users and businesses encrypt everything from IMs to online file storage. The software, initially launching as a Windows and Mac app as well as a Chrome plugin but coming to mobile platforms soon, resembles a simplified Gmail with IM and Google Drive features included. Unlike Gmail, all communications sent via Peerio are end-to-end encrypted and can't be decrypted by anyone but the recipient, not even someone with access to the Peerio server itself.

"With Peerio everything you share or communicate with your team is secured with state-of-the-art encryption, and it's as easy as using Gmail. You don't need to learn to use it," says Kobeissi. "Peerio brings crypto to where the people are."

Encrypted messages sent using Peerio can have a subject line and are organized in the recipient's searchable inbox. But Peerio messages just as easily can be exchanged in rapid-fire one-liners with a press of the return key, a hybrid of email and instant messaging. The app also lets you upload and share end-to-end encrypted files of up to 400 megabytes, a limit Kobeissi says will climb in future updates.

Kobeissi hopes Peerio will woo two groups of users. Those who use Gmail, Dropbox, and collaboration software like Slack and Hipchat ought to see it as a significantly more secure alternative designed to foil eavesdroppers. For security-minded people already using venerable but clunky encryption tools like the 20-plus-year-old PGP, it's a far simpler option that's not limited to communicating exclusively with fellow crypto-nerds. "We wanted to take every possible use case of PGP and put it in a single app and make it better," Kobeissi says.

One of Peerio's major conveniences compared to PGP is how it handles so-called "private keys," a user's unique decryption key. Using PGP securely requires keeping that precious file within reach to decrypt incoming files, while safeguarding it to prevent snoops from finding it. Instead of dealing with key storage, Peerio generates a user's private key from his or her passphrase every time he or she logs in. When the app is closed, the key evaporates too. That means, in theory, that a user could log into Peerio on any machine and access his or her encrypted files without worrying about moving around or protecting that private key.

The drawback of that approach is that anyone who figures out a Peerio user's password could also potentially generate his or her key and use it to decrypt private messages. But Kobeissi says he's designed Peerio to require a passphrase that's nearly impossible to crack, one as long as 30 characters or with many randomly chosen numbers and characters.
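The trade-off in the two paragraphs above can be sketched in a few lines of Node.js. This is an added example, not Peerio's or Minilock's code: the use of scrypt, the username as salt, the cost parameters, the 100-bit threshold and the function names are all assumptions made for illustration.

```javascript
// Added example: assumed KDF (scrypt) and salt (username); not Peerio's code.
const crypto = require('crypto');

// DER prefix that wraps a raw 32-byte X25519 private key as PKCS#8 (RFC 8410).
const PKCS8_X25519 = Buffer.from('302e020100300506032b656e04220420', 'hex');
const MIN_BITS = 100; // assumed strength threshold for this sketch

// Crude upper bound on passphrase entropy: length * log2(alphabet size).
// It overestimates dictionary phrases; a real check needs a better estimator.
function estimateBits(passphrase) {
  let alphabet = 0;
  if (/[a-z]/.test(passphrase)) alphabet += 26;
  if (/[A-Z]/.test(passphrase)) alphabet += 26;
  if (/[0-9]/.test(passphrase)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(passphrase)) alphabet += 33;
  return alphabet === 0 ? 0 : passphrase.length * Math.log2(alphabet);
}

// Rebuild the key pair from the passphrase alone; nothing is written to disk.
function deriveKeyPair(passphrase, username) {
  if (estimateBits(passphrase) < MIN_BITS) {
    throw new Error('passphrase too weak to stand in for a stored key');
  }
  // Memory-hard KDF: each offline guess costs an attacker this much work.
  // N = 2^14 keeps the demo fast; a deployment would tune it higher.
  const seed = crypto.scryptSync(passphrase.normalize('NFKC'), username, 32,
    { N: 2 ** 14, r: 8, p: 1 });
  const priv = crypto.createPrivateKey({
    key: Buffer.concat([PKCS8_X25519, seed]), format: 'der', type: 'pkcs8' });
  // The raw public key is the last 32 bytes of the SPKI encoding.
  const pub = crypto.createPublicKey(priv)
    .export({ type: 'spki', format: 'der' }).subarray(-32);
  return { publicKey: pub.toString('hex'), privateKey: priv };
}

// Constructed sample input: two "logins" on different machines, one key.
const first = deriveKeyPair('correct horse battery staple lamp', 'alice');
const second = deriveKeyPair('correct horse battery staple lamp', 'alice');
console.log('same key on both logins:', first.publicKey === second.publicKey);
```

Because the passphrase is the only secret, the strength gate and the KDF cost are the whole defense against offline guessing; salting with the username only ensures that two users with the same passphrase get different keys.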

Kobeissi first used the disappearing key trick in Minilock, the dead-simple file encryption app he released in July. Peerio integrates Minilock, which Kobeissi says now has more than 10,000 users, for all its encryption and decryption functions.

Thanks to that integration, Peerio's core crypto code already has a track record of a few months. But like any new encryption app, Peerio should be approached with caution. Kobeissi's first popular app, the chat program Cryptocat, was eviscerated by the security community in 2013 after cryptographers found a bug that would allow an eavesdropper to decrypt the communications of anyone who used it for group chats.

To avoid a replay of that disaster, Kobeissi had Peerio audited by the German security firm Cure53. It found only non-crypto bugs in the software's JavaScript code, all of which it says have been fixed. "The good thing that I've found about Nadim is that he’s taken criticism and made something out of it," says Mario Heiderich, the penetration tester who tested Peerio. "There’s a major leap from Cryptocat to what is now Peerio. We had a positive impression about the whole thing."

Peerio, unlike Kobeissi's previous creations, is meant to be a for-profit business. One of his co-founders is Vincent Drouin, a former senior executive at enterprise IT firm Citrix. He has raised $250,000 in angel funding for the startup. The company, which has 12 people working on design and development, will at some point start charging a fee for premium features like storage beyond the initial one gigabyte limit. It hasn't announced the cost of that upgrade, however, and Kobeissi says the paid option won't be available at launch. Despite its business plan, Peerio's code is nonetheless open source and available on GitHub.

Peerio is just one of a wave of crypto apps that have appeared in the past year that seek to make encryption easier. In June, Google announced End-to-End, a PGP-like plugin for Gmail that it plans to release in 2015. The non-profit developer group Open Whisper Systems in July released Signal, the first encrypted-calling app for the iPhone, to match its Android counterpart known as RedPhone. And in November, WhatsApp integrated Open Whisper Systems' TextSecure encrypted instant messaging into its Android client, switching on encrypted messaging by default for hundreds of millions of users. All of those new apps are intended to make encrypting communication as simple as writing an email, calling someone or texting a friend.

Kobeissi's focus on ease of use in some ways presaged that usable crypto movement. And Peerio represents one of the most full-featured end-to-end encryption tools out there. "It’s basically crypto for everyone. In our experience, really anyone can use it," says Cure53's Heiderich. "And that’s something that’s been missing in the crypto universe."