The Problem with Email Security
At BlackHat last week, Alex Stamos, the Chief Information Security Officer of Yahoo announced that end-to-end encryption for Yahoo mail will be available in 2015 for all users. Yahoo will build upon code open-sourced by Google that implements OpenPGP standard (RFC 4880).
.@alexstamos just announced plans to support end-to-end PGP encryption in Yahoo mail at Black Hat pic.twitter.com/9oCpGkzvX3
— Yan! (@bcrypt) August 7, 2014
So, what’s the problem with email security? The connection between the user devices and services like Google or Yahoo Mail is secure and encrypted. However, from there onwards to the email servers in between and the recipients, there is no assurance on security of the message. End-to-end encryption delivers that security for the whole traversal on the Internet. The code is open sourced for the developer community to review and it’s part of Google’s vulnerability rewards program. Google will deliver this functionality through an extension available in Chrome web store. So, yes, the users will have to use a Chrome browser. Interestingly, extensions are not yet supported in mobile Chrome browsers. Google’s approach for mobile is not clear for this but Alex Stamos tweeted that support for mobile will be native. That’s comforting as the mobile users may end up with a lot of indecipherable text in their emails.
@tankredhase We have a fork of Google’s plugin. Mobile app will have it native. @DrewHintz @bcrypt
— Alex Stamos (@alexstamos) August 7, 2014
The private keys used for encryption are unencrypted within memory under Chrome’s sandbox. More importantly, if within Chrome, the user enables sending statistics and crash reports, private keys may be sent to Google if the browser crashes.
Further, encryption is meaningless if the bad guy has the keys, says Adallom VP of Marketing Tal Klein.
Encryption is good, it’s just not exponentially good, he said in an online discussion this week. Encryption is like a doorlock. You should have a lock on your door. That is useful. But more locks on your door are not more useful. And a harder lock to break than the lock you have isn’t much more useful. So, encryption is a good thing. Just stop doubling down on it. As with all things, security is easy if your perspective is qualitative rather than quantitative.
Security has failed to deliver easier and transparent security for the common user by reducing complexity and limiting user touch points. There is hope that this and similar projects will change this. Of course, there are projects like keybase.io you should look at.
In June, SendGrid encrypted its email delivery service that developers use to manage the email that flows in and out of their apps.
The encryption meant the one billion emails sent per day by SendGrid get encrypted before going to the mail provider. Gmail, Yahoo and Aol are all supporting the encryption effort.
SendGrid’s Dave Campbell said in a phone interview that the service is similar to the web’s secure socket layer (SSL), which protects web sites from attacks. For email, SendGrid uses a transport socket layer which behaves much like web counterpart. It’s called opportunistic encryption and is designed to prevent passive wiretapping.
Opportunistic encryption can also be used for specific traffic like e-mail using the SMTP STARTTLS extension for relaying messages across the Internet, or the Internet Message Access Protocol (IMAP) STARTTLS extension for reading e-mail. With this implementation, it is not necessary to obtain a certificate from a certificate authority, as a self-signed certificate can be used.
Feature image via Flickr Creative Commons.
Adallom is a sponsor of The New Stack.