- Jul 27, 2015
Quote : " Avoid encrypted email.
Technologists hate this argument. Few of them specialize in cryptography or privacy, but all of them are interested in it, and many of them tinker with encrypted email tools.
Most email encryption on the Internet is performative, done as a status signal or show of solidarity. Ordinary people don’t exchange email messages that any powerful adversary would bother to read, and for those people, encrypted email is LARP security. It doesn’t matter whether or not these emails are safe, which is why they’re encrypted so shoddily. But we have to consider more than the LARP cases. In providing encryption, we have to assume security does matter. Messages can be material to a civil case and subject to discovery. They can be subpoenaed in a law enforcement action. They safeguard life-altering financial transactions. They protect confidential sources. They coordinate resistance to oppressive regimes. It’s not enough, in these cases, to be “better than no encryption”. Without serious security, many of these messages should not be sent at all.
The least interesting problems with encrypted email have to do with PGP. PGP is a deeply broken system. It was designed in the 1990s, and in the 20 years since it became popular, cryptography has advanced in ways that PGP has not kept up with. So, for example, it recently turned out to be possible for eavesdroppers to decrypt messages without a key, simply by tampering with encrypted messages. Most technologists who work with PGP don’t understand it at a low enough level to see what’s wrong with it. But that’s a whole other argument. Even after we replace PGP, encrypted email will remain unsafe. Here’s why.
If messages can be sent in plaintext, they will be sent in plaintext.
Email is end-to-end unencrypted by default. The foundations of electronic mail are plaintext. All mainstream email software expects plaintext. In meaningful ways, the Internet email system is simply designed not to be encrypted. The clearest example of this problem is something every user of encrypted email has seen: the inevitable unencrypted reply. In any group of people exchanging encrypted emails, someone will eventually manage to reply in plaintext, usually with a quoted copy of the entire chain of email attached. This is tolerated, because most people who encrypt emails are LARPing. But in the real world, it’s an irrevocable disaster. Even if modern email tools didn’t make it difficult to encrypt messages, the Internet email system would still be designed to expect plaintext. It cannot enforce encryption. Unencrypted email replies will remain an ever-present threat.
Serious secure messengers foreclose on this possibility. Secure messengers are encrypted by default; in many of the good ones, there’s no straightforward mechanism to send an unsafe message at all. This is table stakes.
Metadata is as important as content, and email leaks it.
Leave aside the fact that the most popular email encryption tool doesn’t even encrypt subject lines, which are message content, not metadata. The email “envelope”, which includes the sender, the recipient, and timestamps, is unencrypted and always will be. Court cases (and lists of arrest targets) have been won or lost on little more than this. Internet email creates a durable log of metadata, one that every serious adversary is already skilled at accessing.
The most popular modern secure messaging tool is Signal, which won the Levchin Prize at Real World Cryptography for its cryptographic privacy design. Signal currently requires phone numbers for all its users. It does this not because Signal wants to collect contact information for its users, but rather because Signal is allergic to it: using phone numbers means Signal can piggyback on the contact lists users already have, rather than storing those lists on its servers. A core design goal of the most important secure messenger is to avoid keeping a record of who’s talking to whom. Not every modern secure messenger is as conscientious as Signal. But they’re all better than Internet email, which doesn’t just collect metadata, but actively broadcasts it. Email on the Internet is a collaboration between many different providers; and each hop on its store-and-forward is another point at which metadata is logged.
Every archived message will eventually leak.
Most people email using services like Google Mail. One of the fundamental features of modern email is search, which is implemented by having the service provider keep a plaintext archive of email messages. Of the people who don’t use services like Google Mail, the majority use email client software that itself keeps a searchable archive. Ordinary people have email archives spanning years. Searchable archives are too useful to sacrifice, but for secure messaging, archival is an unreasonable default. Secure messaging systems make arrangements for “disappearing messages”. They operate from the premise that their users will eventually lose custody of their devices. Ask Ross Ulbricht why this matters. "
Quote : " For encryption to protect users, it must be delivered “end to end”, with encryption established directly between users, not between users and their mail server. There are, of course, web email services that purport to encrypt messages. But they store encryption keys (or code and data sufficient to derive them). These systems obviously don’t work, as anyone with an account on Ladar Levison’s Lavabit mail service hopefully learned. The popularity of “encrypted” web mail services is further evidence of encrypted email’s real role as a LARPing tool. "
Quote : " Every long term secret will eventually leak.
Forward secrecy is the property that a cryptographic key that is compromised in the future can’t easily be used to retroactively decrypt all previous messages. To accomplish this, we want two kinds of keys: an “identity” key that lives for weeks or months and “ephemeral” keys that change with each message. The long-lived identity key isn’t used to encrypt messages, but rather to establish the ephemeral keys. Compromise my identity key and you might read messages I send in the future, but not the ones I’ve sent in the past.
Different tools do better and worse jobs of forward secrecy, but nothing does worse than encrypted Internet email, which not only demands of users that they keep a single long-term key, but begs them to publish those keys in public ledgers. Every new device a user of these systems buys and every backup they take is another opportunity for total compromise. Users are encouraged to rotate their PGP keys in the same way that LARPers are encouraged to sharpen their play swords: not only does nobody do it, but the whole system would probably fall apart if everyone did.
Technologists are clever problem solvers and these arguments are catnip to software developers. Would it be possible to develop a version of Internet email that didn’t have some of these problems? One that supported some kind of back-and-forth messaging scheme that worked in the background to establish message keys? Sure. But that system wouldn’t be Internet email. It would, at best, be a new secure messaging system, tunneled through and incompatible with all mainstream uses of email, only asymptotically approaching the security of the serious secure messengers we have now. "
Full source :
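The metadata point in the quoted passage can be checked directly: even a correctly PGP/MIME-encrypted message leaves its envelope and routing trail readable to every relay and archive. The script below is an added example, not code from the quoted article or from the poster; the message it parses is constructed for the demo (addresses, hosts and Received lines are placeholders, and the PGP body is a marked placeholder rather than real ciphertext). It uses only the Python standard library.

```python
"""List what a relay or mailbox archive can read from a PGP/MIME message
whose body is encrypted. The RAW message is constructed for this example."""
import email

RAW = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTPS; Mon, 27 Jul 2015 10:01:02 +0000
Received: from [198.51.100.7] by mail.example.org; Mon, 27 Jul 2015 10:00:58 +0000
From: alice@example.org
To: bob@example.net
Subject: Source notes for Tuesday's story
Date: Mon, 27 Jul 2015 10:00:57 +0000
Message-ID: <20150727100057.1234@example.org>
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-CIPHERTEXT-NOT-REAL
-----END PGP MESSAGE-----

--b1--
"""


def leaked_metadata(raw):
    """Return the fields that stay in the clear regardless of body encryption.

    Sender, recipient, subject, timestamps, message id and the full chain of
    relay hops are all plaintext headers; only the body part is encrypted.
    """
    msg = email.message_from_bytes(raw)
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],          # content, yet never encrypted by PGP/MIME
        "date": msg["Date"],
        "message_id": msg["Message-ID"],
        "hops": msg.get_all("Received", []),  # one log entry per store-and-forward hop
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
    }


if __name__ == "__main__":
    for field, value in leaked_metadata(RAW).items():
        print(f"{field}: {value}")
```

Running it prints every envelope field plus both Received hops while `body_encrypted` is `True`, which is the "durable log of metadata" the passage refers to: each relay that added a Received line also kept a copy of these headers.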
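The forward-secrecy design the quoted passage describes (long-lived identity keys that only establish short-lived message keys) and the contrast with a single long-term encryption key can be shown end to end. The script below is an added example written for this thread; it is not code from the quoted article, from Signal, or from any real messenger. It is a toy construction on stdlib Diffie-Hellman over the RFC 3526 group 14 modulus, with an X3DH-style three-term key agreement and a SHA-256/HMAC "AEAD" invented for the demo; the names `exchange`, `later_compromise` and `pgp_style_exchange` are assumptions of this example. It generalises the passage slightly by running both models side by side: the adversary gets both identity private keys and a complete recording of the traffic, and recovers the old message only in the single-long-term-key model.

```python
"""Forward secrecy demo: ephemeral keys established via identity keys versus
one long-term key for everything. Toy construction, stdlib only."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2. Any DH group would do here.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(256, "big")


def session_key(t_id1, t_id2, t_eph):
    # X3DH-style mix: two identity/ephemeral terms plus the ephemeral/ephemeral
    # term. The last term is the one that gives forward secrecy.
    return hashlib.sha256(t_id1 + t_id2 + t_eph).digest()


def _keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream, constructed for this demo only.
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))


def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key: reject rather than return garbage
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def exchange(message):
    """Alice -> Bob with fresh ephemeral keys. Returns what Bob read, the
    on-path observer's transcript, and the identity private keys (which the
    adversary will obtain later)."""
    ia, IA = keypair()   # long-lived identity keys
    ib, IB = keypair()
    ea, EA = keypair()   # ephemeral keys, used for this message only
    eb, EB = keypair()
    k_alice = session_key(dh(ia, EB), dh(ea, IB), dh(ea, EB))
    k_bob = session_key(dh(eb, IA), dh(ib, EA), dh(eb, EA))
    blob = seal(k_alice, message)
    read = unseal(k_bob, blob)
    del ea, eb  # ephemeral private keys are discarded after use
    transcript = {"IA": IA, "IB": IB, "EA": EA, "EB": EB, "ciphertext": blob}
    return read, transcript, (ia, ib)


def later_compromise(transcript, identity_privs):
    """Adversary with both identity private keys and the recorded traffic."""
    ia, ib = identity_privs
    t1 = dh(ia, transcript["EB"])  # recoverable from the identity key
    t2 = dh(ib, transcript["EA"])  # recoverable from the identity key
    # The ephemeral/ephemeral term needs ea or eb, which no longer exist; the
    # adversary can only guess it (a zero term here), and the MAC rejects that.
    return unseal(session_key(t1, t2, bytes(256)), transcript["ciphertext"])


def pgp_style_exchange(message):
    """Contrast: one long-term key pair encrypts every message, as encrypted
    email does. Returns the transcript and the identity private keys."""
    ia, IA = keypair()
    ib, IB = keypair()
    k = hashlib.sha256(dh(ia, IB)).digest()
    return {"IA": IA, "IB": IB, "ciphertext": seal(k, message)}, (ia, ib)


def later_compromise_pgp_style(transcript, identity_privs):
    ia, ib = identity_privs
    k = hashlib.sha256(dh(ib, transcript["IA"])).digest()  # same key, recovered
    return unseal(k, transcript["ciphertext"])


if __name__ == "__main__":
    read, tr, privs = exchange(b"meet at the usual place")
    print("Bob read:", read, "| adversary later:", later_compromise(tr, privs))
    tr2, privs2 = pgp_style_exchange(b"meet at the usual place")
    print("PGP-style, adversary later:", later_compromise_pgp_style(tr2, privs2))
```

The asymmetry is the whole point of the passage: in the ephemeral design, stealing the identity keys later yields `None` for old traffic because the term that needs a discarded ephemeral private key cannot be rebuilt, whereas in the single-long-term-key model the same compromise decrypts every archived message at once.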