
Presentation: How to Use Encryption for Defense in Depth in Native and Browser Apps

Track: Trust, Safety & Security

Location: Pacific DEKJ

Duration: 11:50am - 12:40pm


What You’ll Learn

  1. Hear about using encryption at the application level.
  2. Learn about doing encryption in the browser with WebAssembly.


Encryption is one of the most effective technical security measures. It massively reduces the impact and cost of a data breach. But encryption is typically focused on “infrastructure-level” elements like TLS and full-disk encryption. These are important tools, but they rely on assumptions about the infrastructure instead of the application code.    

As developers, infrastructure isn’t our strength, and sometimes it’s not even our job, so encryption takes a back seat to application-level features. But adding encryption to the application itself can insulate our systems from infrastructure-level failures, adding an important element of defense in depth.  

In this talk, we will discuss the pros and cons of application-level and end-to-end encryption. Since browsers are a nearly unavoidable element of modern application development, we will also cover the attack surface of application-level encryption in the browser, how it is very different from native clients, and how WebAssembly and WebCrypto help.


What is the work you're doing today?


I work at the company I founded, Tozny. We are an encryption and cybersecurity company primarily focused on application layer and end-to-end encryption. The idea is how do we use these types of tools to build more security and privacy directly in the applications.

I gave a talk a few years ago at QCon about why encryption is hard and what people get wrong about it as well as a call for improvement in the area. This is still our work, and we are loving it every day.


What are the goals for the talk?


I want to educate the audience about this model of where and how you can use encryption. I think people think of encryption as primarily things like HTTPS, TLS, SSH and things like that. Or you toggle a flag in your database and say, I want this data encrypted, and we don't think as much about what's happening at the application layer. And you can, it's harder, but you can do that. And there are really big advantages to doing encryption at the application layer. You really get to have your encryption follow your application logic. So if that means your application logic is these two people talking to each other, you can have the encryption say, why don't we encrypt at one side and decrypt at the other side. So the two people are the only two people that can read their messages. If your access control model is something different, then your encryption can follow that model. That's the distinction I make with application layer and infrastructure layer encryption, and I think certainly infrastructure layer encryption is basic, you need it. But I want more and more people to learn about how to do this kind of application layer encryption.


In the abstract you mention WebAssembly as a compilation target. Can you elaborate on the security benefits of that?


There's an interesting debate around whether it's worthwhile to do encryption in JavaScript or in the application layer in the browser. I think there is no debate around saying, we want to do encryption on smart clients like mobile phones and laptops and servers. But when you start talking about the browser it gets a little bit muddled because, for instance, when you're delivering the encryption code to the browser and then you're having the browser do encryption, that delivery process relies on TLS/HTTPS. If you break that then you can just deliver code that changes the keys or doesn't do encryption properly or exfiltrates the data off somewhere else. Having WebAssembly and web crypto in the browser is helpful. These primitives are being made available in the browser to make encryption more performant and also more reliable from browser to browser, so that maybe there are ways of doing some aspects of that without delivering all the encryption via the JavaScript interface. This doesn’t solve the challenges of doing encryption in the browser, but it does help. That's a little bit in the weeds but the kind of higher level view is we think it really is actually pretty interesting to be able to do encryption in the browser in the application layer even though the security model of it is actually very different than if you were doing it on a mobile app for instance.


What do you want people to leave the talk with?


My favorite thing with the talk is if I can deliver any surprising insight and see light bulbs go off in the audience. I want people to have that kind of aha moment. In a way that takes where they're at today and it bumps it up a level. I don't want to talk about something that people don't understand at all, and is just a very basic introduction. I want to be able to give them a tool that they can start thinking about, in this case encryption, a little bit of a different way and go home and start using that right away.

Speaker: Isaac Potoczny-Jones

Founder @Tozny & Authentication and Privacy Specialist

Isaac is the founder and CEO of Tozny, LLC, a privacy and security company specializing in easy-to-use cryptographic toolkits for developers. Isaac’s work in cybersecurity spans open source, the public sector, and commercial companies. His projects have included end-to-end encryption for privacy in human subject research, secure cross-domain collaboration, identity management, anonymous authorization, mobile password-free authentication, anti-forgery in hardware devices, and privacy-preserving authentication. He has worked with agencies including DARPA, the Navy, Air Force Research Laboratory, the Department of Homeland Security, the National Institute of Standards and Technology, and other elements of the DoD and intelligence communities. Isaac is an active open source developer in the areas of cryptography and programming languages. Education: B.S. in computer science, M.S. in Cybersecurity.
