NSA-Proof Your Email Without Encryption - rxl
http://ryaneshea.com/you-dont-need-to-encrypt-your-email

======
bowmessage
What about the interception of the email as it travels through the ISPs? Won't
the NSA still grab a copy as it's sent? I thought that was the whole idea of
PRISM.

~~~
rxl
When the email is sent, there is no record of the message. There is only an
image URI that points to the image that contains the message. So, the NSA
won't be able to grab a copy as it's sent. However, if an organization has the
ability to intercept all images that are loaded in the browser (through the
ISPs, for instance), it can grab a copy of the image containing the message.
In that case, some OCR would have to be done in order to extract the message
(which, agreed, is not hard to do if you are explicitly looking for messages
contained within images).

~~~
rfugger
I'm assuming you secure the image URL with HTTPS at least to minimize the
chances that an ISP could intercept it on the wire?

~~~
lifeguard
Nope. SSL MITM via CA.

~~~
rxl
That is correct. If the NSA or any other organization really wants to read
your message, it will be able to. There are several ways to accomplish this
(including what you just mentioned as well as the image sifting and OCR method
I included above), but some of them just involve more work/modification-of-strategy
than others.

------
nicholasreed
If the recipient's email client automatically downloads the image the first
time and makes it always-available to the user, wouldn't that break
GhostMail's promise? While Gmail/Hotmail/etc. may not do this now, is there
any technical (even an extension) reason they can't? I simply don't see how,
even using a 3rd party, you can prevent somebody from holding on to the
message forever. In addition, you cannot assume the content is the most
important part of the message; all the email headers will exist in perpetuity,
and they'll always know you sent them something (if, in the future, GhostMail
wanted to do an Undo Send type feature).

~~~
rxl
Why do people opt to talk on the phone or use off-the-record gchat instead of
send something over email? In both cases, the conversation can still be
stored, but the point is to use a communication method for which there is no
automatic storage mechanism. You trust your recipient not to record all your
phone calls or copy and paste all of your off-the-record gchats, but you just
don't want a copy of your messages sitting in their inbox.

As far as your comment on the headers, you're absolutely right. There will
always be a record that you sent some message to your recipient at a
particular time with a particular subject. However, the details of the message
itself are never contained within the headers.

Also, with GhostMail, you already have the ability to "undo send". You can
just go into your "sent" folder and view your message before your recipient
views it, rendering the message unreadable.

~~~
nicholasreed
I'd agree that there are use cases where it works. For example: if I wanted to
send my roommate a password over email, this would be great because the
message content would be gone, and I don't care about headers and timestamps.
But if I'm sending some secrets, I wouldn't want any record that it was even
communicated.

------
fractalcat
This is laughable from a privacy perspective. So you delete the emails
immediately after they're viewed? We're expected to take your word for this?
Are you saying you don't back up your data at all? How do you handle secure
removal from backups? How do you perform the deletion? Do your servers use
journalling filesystems? Do you expect us to trust (say) Gmail not to prefetch
image data embedded in HTML emails? What happens if you get raided?

------
im3w1l
This will be safe until it isn't, and the user won't be able to tell when that
has happened.

The more you advertise it the faster that will happen.

------
natdempk
This doesn't prevent your server/CA being compromised like an encryption
scheme like PGP would.

~~~
rxl
Yes, if the server is compromised before a recipient reads a particular email,
that can allow the attacker to read that email. However, all emails that are
read are deleted from the server and unread emails are automatically deleted
after a certain number of days. So, if someone were to compromise the GhostMail
server, he/she would only be able to read a paltry amount of messages.

~~~
bluetooth
If GhostMail was compromised, the attacker would be able to read messages as
they are being sent. Sending messages as images does not stop them from being
copied or held for an indefinite amount of time.

~~~
rxl
In the unlikely scenario that the app was compromised and stayed compromised,
you would be correct. However, if it was compromised and the situation was
quickly rectified, only sent but unread messages would be able to be read. If
a service like WhatsApp was compromised, however, a much larger amount of
messages would be able to be read.

------
lifeguard
This is obvious security snake oil. The FAQ makes it clear it does nothing to
thwart PRISM etc.

~~~
rxl
As people have said, there is always a way for someone to intercept a
message. An organization can, at the ISP level, intercept all images that you
access in your browser and then perform OCR on the images you receive to
extract the message. So there is no foolproof solution here. However, this is
simply a service that allows you to send "read only once" emails, with no SMTP
records of the message on any servers. It has a certain level of protection
that I feel some people will find useful, in the same way that some people
really value off-the-record gchat.

~~~
lifeguard
I saw nothing to convince me this is a true statement:

'allows you to send "read only once" emails'

~~~
rxl
Well, the image containing the message is only ever served once. If the
recipient navigates away from the email and then opens the email again, the
image containing the message will be replaced with a different image (the
message will be gone). I recommend reading the full FAQ and trying it out.

