
The Sinking Ship of E-Mail Security - earthrise
https://adamcaudill.com/2014/06/27/the-sinking-ship-of-email-security/
======
tptacek
_Mobile - Using PGP on a mobile device can be risky, as it requires storing
the private key on devices that are likely to have known security issues. Many
people recommend against it, as it puts the private key at too much risk._

ARGH. The whole point of PGP keyrings --- the costliest part of the PGP UX ---
is that you don't have to have a single key. If you're terrified of exposing
your secret key on your mobile device (which is frankly the most secure device
you own), just cut a new key for it.

Any time someone suggests a new application for PGP, people come out of the
woodwork saying things like "what, you want me to put my PGP key in my
_browser_?" No. We want you to put --> _a_ <-- PGP key there.

~~~
freshhawk
> which is frankly the most secure device you own

Really? That's not how I treat my security at all. My phone seems to clearly
be the least secure computer I own. Admittedly I run all Linux on my non-phone
computers, but I'm not totally sure I'd agree with you even if I ran Windows
or OS X.

Am I that wrong?

~~~
superuser2
If it's an iPhone, then yes, it is far and away the most secure device you
own. Everything is encrypted all the time through an HSM which will perform
decryption only if given the device PIN. The key is never in memory and any
attempt to extract it from the HSM will result in its self-destruction. It is
impossible to recover data from the phone without the PIN. You can only erase
the device and restore from a backup. While the device can be lost, the only
threat is that a thief will erase and resell it. With iOS 7 and Find My iPhone
turned on, even that is not possible. An attacker would not get your data in
any case.

This is orders of magnitude safer than a full-disk-encrypted laptop because
people hardly ever shut down their laptops, so keys remain in memory. There is
also the possibility of cold-boot attacks, and of course the (retrospectively)
_insane_ design wherein any program you run can access _all_ of your data.

iOS applications are always code-signed in a way that is tied to a real person
or corporation, thoroughly sandboxed, and subject to review, making malware
essentially non-existent. If discovered, it can be yanked at any time. What
few remote exploits there have been were national news - and quickly resolved.

iMessage is end-to-end encrypted 100% of the time using a keybag - each device
on your iCloud account has its own private key that never leaves the device.
You get notified when a key is added to the keybag. This is really incredible,
because without even knowing it, huge swaths of the population are using
properly end-to-end encrypted messaging just by owning iPhones.

iOS is a tight ship and its attack surface is minuscule compared to that of a
commodity computer.

~~~
freshhawk
Ah, that makes a lot of sense. If you are discounting Apple themselves (and
people using social engineering techniques to gain access to Apple's backdoors)
and the large list of state and corporate actors who have access as potential
attackers, then you are absolutely correct.

I didn't know about keybag, that's very interesting.

~~~
superuser2
Please provide evidence (other than "Apple hates my freedom so they must be
doing it!") of Apple having granted access to iPhones to other corporations.

~~~
freshhawk
Ah, I was unclear. I meant the Governmental to private intelligence
contractors path, not Apple selling data to data brokers or something like
that - that seems very unlikely.

------
JadeNB
While the spirit is laudable—I'm not sure if there's an 'e-mail security'
version of
[https://craphound.com/spamsolutions.txt](https://craphound.com/spamsolutions.txt),
but, if there were, then I'm pretty sure that one of the reasons for failure
would be "You are a private individual announcing that you will be rolling out
a new standard for e-mail in a couple of weeks".

~~~
adamcaudill
Change has to start somewhere. Starting with a draft and getting feedback from
the community before pushing it ahead for more formal standardization seems
like the right place to me.

As I said in the article, my goal is to get people talking about potential
solutions. I have little hope that the solution I propose will be accepted and
used as is - but if it gets more people talking, and discussions going about
something that will work, then it was worth the effort.

~~~
JadeNB
> Change has to start somewhere. Starting with a draft and getting feedback
> from the community before pushing it ahead for more formal standardization
> seems like the right place to me.

I agree that change has to start somewhere, and, to be clear, I don't mean
anything against you, but rather against the likelihood of _any_ success: I
think that we're stuck with a broken legacy system until something radical, by
which I mean "all existing infrastructure is destroyed"-type radical, forces a
ground-up re-start.

Nonetheless, there seem to be at least two competing objections to trying to
start the change here:

- My point of view: It seems unlikely that the eventual solution (if there is
one) will come from a large group carrying a large and representative
collective weight, not an individual (or even a small, self-selecting
community like HN, or—probably, and with no offence meant—the readership of
your blog) with a necessarily specialised viewpoint; and that a large group is
more likely to buy in to "let's create a new standard!" than "let's use my /
my community's standard that I / we created without your viewpoints or input!"

- Alternatively, if one believes (as it seems you do) that the solution will
start with an individual, then surely the thing to do is to deliver a
_product_, not a promise. I don't know about anyone else, but my reaction
when I see assurances of delivery RSN is automatic scepticism.

------
lifeisstillgood
Ok, I'll bite. This is a good post - I am negative on your ability to pull
this off, but it's a worthwhile discussion to have IMO.

* Totally anonymous (ie no metadata trail) communication seems impossible / impractical. If everywhere is Tor then we massively increase traffic (not to mention the trustworthiness of "everyone" is a lot lower per unit than everyone currently running a Tor node).

Anyway, even if an encrypted anonymous message arrives for me, just working out
who it's from without any metadata seems a complex web of double decryption.

I do struggle with how anonymity is going to solve all problems with
totalitarian states. In the end we need to solve this in the real world of
politics and execution squads so we don't mortally worry about letters or
emails being read.

* there is a lot more here than my tired brain can handle - but my main concern is a simple human one

- if secure anonymous comms is "impossible", then I could see levels of
secure encryption (sent from my iPhone, sent from my PC hardwired at home that
has a secure USB boot on my key ring). But this idea demands that as the
recipient I work hard to determine from context if the message is secure - aha,
it's 11pm in the UK and Adam just mailed me a secure note saying we should
give everyone an Owl. Chances are high he is pissed and his mates sent it.

Once technology stops helping us make those decisions it's kind of pointless -
"May as well just keep sending clear text" is not an irrational stance.

I'd be interested in the discussion in the morning - cheers.

* lastly - what email client do you guys use that allows gpg on mobile?!

Edit: clean up

~~~
narrowrail
K-9 mail on Android. Not sure about iOS, but I have seen an implementation
somewhere on code.google in the past (not sure of its current status).

~~~
mike-cardwell
K-9 Mail is good, but it doesn't support PGP/MIME. Only inline PGP. Doesn't
look like they will either as it's been on their todo list for several years
now with no progress.

~~~
aDevilInMe
Whilst this is true, it is not really that big a problem. You can open the
attachment, copy it to the clipboard and then use APG to decrypt. It could be
nicer and would be excellent if the client supported PGP/MIME, but I can live
with it.

~~~
x1798DE
I would say it's a not-insurmountable problem, but definitely a big problem.
If I have to copy-and-paste all my e-mails into APG just to read them, that's
a significant inconvenience.
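
The PGP/MIME layout mike-cardwell refers to beside the inline form K-9 did handle, with a reader that pulls the armored ciphertext out of either (the step aDevilInMe does by hand with the clipboard). This is an added example written for this page, not code from the thread or from K-9/APG; the armored block is a constructed placeholder, not a real OpenPGP packet.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
# Constructed stand-in for ASCII-armored ciphertext; not a real OpenPGP packet.
ARMORED = f"{BEGIN}\n\nhQEMA0NPTlNUUlVDVEVEIEVYQU1QTEU=\n{END}\n"

def build_pgp_mime(sender, recipient, armored):
    # RFC 3156: multipart/encrypted, a "Version: 1" control part, then the body.
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"], outer["To"] = sender, recipient
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    outer.attach(MIMEApplication(armored.encode("ascii"), "octet-stream"))
    return outer.as_string()

def build_inline(sender, recipient, body):
    # Inline PGP: the armored block just sits inside an ordinary text/plain body.
    msg = MIMEText(body)
    msg["From"], msg["To"] = sender, recipient
    return msg.as_string()

def extract_ciphertext(raw):
    """Return ('pgp/mime', armored), ('inline', armored) or None if not encrypted."""
    msg = message_from_string(raw)
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        parts = msg.get_payload()
        # The structure is fixed: exactly two parts, control then ciphertext.
        if (len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and parts[1].get_content_type() == "application/octet-stream"):
            return "pgp/mime", parts[1].get_payload(decode=True).decode("ascii")
        return None
    for part in msg.walk():  # inline: scan every text body for the armor markers
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            start, end = text.find(BEGIN), text.find(END)
            if start != -1 and end > start:
                return "inline", text[start:end + len(END)] + "\n"
    return None
```

A client without PGP/MIME support shows the second part as an opaque attachment, which is exactly why the copy-and-paste detour into APG is needed.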

------
RexRollman
The title "The Sinking Ship of E-Mail Security" implies there once was
security but there never really was. For the most part, email is more like a
postcard than a sealed letter.

~~~
adamcaudill
Good point. I should have thought of a better title.

------
e12e
From a quick look around, it looks like the best bet on asynchronous forward
secrecy that doesn't rely on a (highly) trusted server (one that e.g. shares a
secret with every sender and receiver, Kerberos-style) is something along the
lines of "The TextSecure Protocol"[1].

No reason why this couldn't be bolted on top of email (send the actual message
as an attachment like with PGP/MIME). It would probably create a new set of
metadata (requests to the recipient's "half-key" service/server, locating which
could be delegated to SRV records or something similar, with the domain derived
from the email address) -- but I'm not aware of any other schemes for
generating ephemeral keys in a reasonable manner compatible with
(semi)asynchronous communications.

It does seem like "true" off-line message composition wouldn't be possible
(the email client (or client service) needs to go online in order to
encrypt/pack up the final message). This means that drafts/messages "in
transit" would be possible to recover from the sender's device in the case of,
e.g., several mails being written on a flight w/o net access, and a
search/seizure before the mails could be encrypted to the receiver.

All in all, this sounds like a tricky problem... Anyone know of any recent
bright ideas in the field of PFS for asynchronous messaging?

[1] [https://whispersystems.org/blog/asynchronous-security/](https://whispersystems.org/blog/asynchronous-security/)
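
A toy version of the flow sketched above, added here as an example (not code from the thread or from TextSecure): the receiver publishes one-time "half keys" (prekeys) to a server, a sender completes a Diffie-Hellman exchange against one of them with a fresh ephemeral key while the receiver is offline, and the receiver deletes the prekey on use so the message cannot be decrypted again from its device later. The DH group, the HMAC keystream and the server class are all constructed placeholders for illustration, not a usable design.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group, far too small to be secure (use X25519 in practice).
P, G = 2**127 - 1, 5

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_key(shared):
    return hashlib.sha256(b"toy-prekey-kdf|" + shared.to_bytes(16, "big")).digest()

def xor_stream(key, nonce, data):
    # Toy HMAC keystream with no authentication; stands in for a real AEAD.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class PrekeyServer:  # the "half-key" service: holds public halves, hands each out once
    def __init__(self):
        self.bundles = {}
    def publish(self, addr, pubs):
        self.bundles.setdefault(addr, []).extend(pubs)
    def fetch(self, addr):
        return self.bundles[addr].pop(0)

class Receiver:
    def __init__(self, addr, server, n=3):
        self.prekeys = {}  # public half -> private half, kept only on this device
        for _ in range(n):
            priv, pub = keypair()
            self.prekeys[pub] = priv
        server.publish(addr, list(self.prekeys))
    def receive(self, msg):
        priv = self.prekeys.pop(msg["prekey"])  # deleted on use: KeyError afterwards
        key = derive_key(pow(msg["eph"], priv, P))
        return xor_stream(key, msg["nonce"], msg["ct"])

def send(server, to, plaintext):
    # fetch() needs the network, so this step cannot be done offline (e12e's caveat).
    prekey = server.fetch(to)
    eph_priv, eph_pub = keypair()
    key = derive_key(pow(prekey, eph_priv, P))
    nonce = secrets.token_bytes(16)
    return {"prekey": prekey, "eph": eph_pub, "nonce": nonce,
            "ct": xor_stream(key, nonce, plaintext)}
```

The plaintext handed to send() is what would sit unencrypted in a draft until the client can reach the prekey server, which is the recoverability problem described above.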

------
lifeisstillgood
This has really got me thinking about an architecture I had not really
considered before, so forgive the obvious in this - it's partly aide-mémoire
and partly a contribution to OP.

- goals of the "new email" should presumably be to reduce the ability of
state actors and major comms providers to collect sufficient metadata to
conduct mass surveillance for tyranny or profit.

As such, we can try either

- Vast citizen-owned mesh networks (ie every smartphone is an ISP)

- Anonymity over traditional large ISPs / backbones

Anonymity is hard. We _could_ encrypt the entire message and then round robin
decrypt each incoming message; this would cripple all metadata apart from the
TO: field and mean any listener would need to own most entry points to catch
the first uptake. It seems difficult - webs of trust, guessing the encryption
key.

Add in other constraints - all messages in transit and at rest are encrypted -
Gmail becomes no more than S3 - and we see the end of free email, and weirdly
a return to POP3 as the client must store all my mail.

If this does exist, however, why restrict it to emails - every message format
seems similar - MQ and Facebook can all go this way.

Mesh networks have even greater barriers to uptake ...

------
x1798DE
I've thought a lot about this and so far the solutions I've seen put forth
(e.g. Flowingmail, Bitmessage, for starters) don't seem likely to get any
widespread adoption, and that can be the death knell of anything like this
that relies on network effects. Hell, I can't even get people to send me a PGP
key _even when I refuse to send them important documents without one_ (they
just say they're going to send me one later, then forget about ever getting
the document they wanted). It's really not that hard to generate a PGP key,
but even motivated people don't do it.

My immediate intuitions are that 1.) this is a very hard problem to solve and
2.) if it's going to be solved in any reasonable amount of time, it needs to
be bootstrapped into existing, popular methods of communication (such as
e-mail). Adding some sort of PKI into the existing e-mail spec would probably
be a good start, since it's just not something that people are used to dealing
with.

------
ams6110
I think of email like a postcard. It's addressed to me, but anyone can read it
if they snoop in my mailbox. I don't expect it to be really secure, and I
don't do anything that requires real security via email. Simple enough.

~~~
leeoniya
What arrives in your inbox is often out of your control: account confirmation
and password reset emails, pictures/info sent to you by others who are more
satisfied than you with the level of privacy normal email provides, etc.

~~~
raving-richard
Yes, to extend the postcard metaphor, it's like the bank sending a bank card
PIN on a postcard. Not secure at all.

------
0xeeeeeeee
Email security is really bad. We have a lot of companies trying to roll out
"secure email" every week.

There are a ton of problems to solve before one of these actually works,
JavaScript crypto being the least (since HN likes to discuss it...). Backwards
compatibility with old email protocols and insecure services is clearly a weak
link in any hypothetically secure service.

It would be nice to see a more distributed protocol...where the bulk of the
world's email is holed up in a few companies' data centers.

------
rakoo
Pond ([https://pond.imperialviolet.org/](https://pond.imperialviolet.org/))
seems to hit some keywords you mention.

------
donniezazen
I am always scared that if I start signing my emails (the least I can do) they
might start looking weird to my friends, family, and colleagues. They may even
think that the block of gibberish may be spam. I do like my KDE KMail client
which masks the signing information and presents signed and unsigned messages
in a sane way.

------
htns
I would suggest taking a look at I2P-Bote. Although I haven't had it installed
for a year at least, I2P-Bote seems to be a slow-moving project, with lots of
features TBD, but it does hit all the keywords.

