Email privacy crash course – Part 2: Encryption

Privacy crash course part-2: Encryption diagram

Summary

  • End-to-end encryption empowers users to control safe transmission of their emails over untrusted services and networks, thwarting surveillance and intrusion.
  • Do not use non-standard encryption, PGP is the gold standard
  • Look for full 4096 bit encryption strength
  • Do not use services that are not end-to-end, such as server-side encryption.
  • Do not use services that do not publish their software in open source
  • Browser-based encryption clients are less secure than native clients, but offer better usability.
  • End-to-end encryption does not secure the endpoints. However, unless you are a specifically targeted individual, end-to-end is good enough.
  • Encryption does not cover everything. Without metadata protection and anonymity there is no true “zero knowledge”.

In Part 1: Introduction we provided an overview of the tenets of email privacy, as shown in the following diagram. In this article we will focus on encryption. Rather than overwhelm you with technical details, we will attempt to provide the minimal information that you need to evaluate encryption-related aspects of email privacy services.

Picture1

Why encryption?

Encryption is our means of replacing trust by control. You need encryption when you do not trust the medium or the channel where your information is stored or transmitted, and want to take personal control of it.

We all use telephone services. Should you trust this channel? Not in your lifetime! The spooks have officially and “lawfully” bugged the entire phone network, they control it – but we all use it anyhow, because we have no reasonably usable alternative. We could use dedicated secure VoIP services, but the usability penalty and the small people network associated with them (see the diagram above) are too limiting for most of us, and the ubiquity and usability of the regular phone service are too tempting.

Fortunately, email is different from telephone in this respect. Using end-to-end encryption, you can thwart attempts of greedy email service providers, spies and hackers to intercept and read your email, even when it is transmitted over untrusted networks.

Thou shalt not use non-standard encryption

PGP email encryption system is the gold standard. It has been around for over 20 years, during which security researchers attempted (and sometimes succeeded) to find vulnerabilities in it. While nothing that involves computers and software is 100% secure, PGP is as torture-tested and ubiquitous an email encryption system as you can get. Some encrypted email providers use encryption that resembles PGP but is not PGP (for example, Tutanota, HP/Voltage). When you use such providers, you forgo decades of wisdom that went into attacking PGP and repairing its vulnerabilities by the community of security experts.

PGP is not perfect. It does not protect your message metadata. It burdens users with key management. Email clients that implement it (such as Enigmail for Thunderbird, GPG for Outlook or Mailvelope add-on for Chrome and Firefox) have serious usability issues. Significant advances in PGP’s usability were made by browser-based encrypted email providers such as Protonmail, albeit at the expense of limiting people network and ubiquity. We shall cover usability in detail in an upcoming article, for now let us focus on encryption.

End-to-end is king

Some email encryption services are end-to-end, meaning that encryption/decryption is done only on your devices, and neither emails nor decryption keys ever leave your devices unencrypted. Other services do encryption at the service provider’s servers rather than on your device. These are by definition not end-to-end, and should be avoided (more about this below).

Picture (a) shows what happens without encryption. Opportunities to eavesdrop (denoted by the red exclamation marks) are everywhere: at the servers of Internet Service Providers, network nodes, email service providers, network links. The green checkmarks denote the endpoints, which are the only places where the emails should be available in clear text, for reading by their intended recipients.

case-a

Picture (b) shows what happens when Alice uses a local PGP client on her PC while her correspondent Bob uses a server side encryption service (SSE). Emails of both Alice and Bob emerge unencrypted at the SSE provider’s servers.

case-b

The PGP server side encryption (SSE) services work as follows: Bob uses a standard email client such as Outlook, and lets the SSE service do the encryption of his emails on its servers. His email is protected using SSL/TLS as it travels between his computer and the SSE provider. However, it emerges unencrypted at the SSE provider’s servers before being PGP-encrypted and sent to Alice. Unsuspecting Alice who is using a PGP client on her computer thinks that she is safe – but she is not, and neither is Bob. The emails of both are accessible in clear text at the SSE provider’s server. The SSE provider is in this case what the spy agencies call a “high value target” as it is a point through which many privacy-sensitive users send their emails, thinking that they are protected.

There are also some other surprisingly insecure email encryption services such as Virtru that get the encryption keys from the senders, store them and deliver them to recipients in clear text, without even troubling the users with the requirement to enter a password. We cannot cover them all here.

Amazingly, some people use SSE services such as Hushmail or Startmail and think that they are safe. Hushmail is apparently popular with medical service providers in North America who use it as a fig leaf to show that they are compliant with HIPAA regulations. Maybe some people just like the simplicity of using SSE and choose to hand the control of their data over to the SSE provider. If you are among such users, as long as you know what you are doing and take the risk willingly – fine. But when SSE providers tell you “we do not read your email” (if they were end-to-end they would say “we cannot read it”) or “we use SSL to make sure your email is secure all the way”, beware. Under a subpoena or a National Security Letter (depending on their jurisdiction) they will sell you out, whether they are located in US or in Europe. Otherwise, they are toast.

This leaves us with the only kind of encryption that we can recommend: end-to-end, which means that the emails are encrypted and decrypted only at the endpoints, as shown in picture (c) below. End-to-end leaves no opportunities to service providers, hackers and spies to read the content of your emails as they traverse the network or remain in network-based servers and mailboxes. This also means that they are immune to subpoenas.

case-c

Open source or close shop

Do not use encrypted email service providers that do not publish the source code of their software. Open source allows the community of experts to scrutinize the service provider’s code and check the veracity of its claims, especially the “zero knowledge” claims. If the service provider does not prominently announce on its website that it publishes its source code, you can be sure that it does not publish the code.

How strong and secure is the server provider’s encryption?

To evaluate this, you should check the following:

Key length: up to 4096 bit. This is the maximum key length supported by PGP. Quite a few encrypted email providers only do 2048 bit. This is significantly weaker than 4096 bit, which you should prefer, like the security expert Bruce Schneier.

Browser-based or native?  Native PGP clients such as Enigmail or GPG for Outlook are inherently more secure than browser-based clients. On the other hand, some browser-based encrypted email services have better usability than native clients, as discussed in detail in Part 4.

What about the endpoint?

End-to-end encryption does not cover the endpoints – your PC, tablet or mobile phone; it only protects your email as it travels through and is stored in the network between the endpoints. Your emails are not encrypted when you are writing them or when you are viewing the received ones, and that is when they can be spied on.

The bad news is that if your endpoint is broken into, you are not protected. This may come in the form of a keylogger that collects your keystrokes as you type an email message, or other spying malware. Electromagnetic spying and recently even acoustic extraction of PGP keys from a PC were reported.

The good news is that for your endpoint to be broken into by the spy agencies (or criminals), you must be targeted by them – which is very expensive. It is also legally difficult even in America, although this is changing. Anyhow, unless you are a terrorist, child pornography ringleader or a wholesale drug dealer specifically targeted by law enforcement, with end-to-end encryption you should be fine.

Zero knowledge is good, but does “zero” mean “nothing”?

Quite a few providers claim that they are “zero knowledge”, meaning that they themselves cannot access your data. Well, it is easier to identify providers who are not zero knowledge (SSE services are a perfect example), than find those who are. The only provider that we are aware of that comes close to true zero knowledge is Bitmessage (if you use their client and not their mail gateway). However, without the email gateway Bitmessage is actually IM rather than email service.

Let us know if you are aware of zero knowledge providers that we missed.

Encrypted email service providers that use standard end-to-end PGP encryption (and publish their source code) can reasonably claim that they are zero-knowledge, but only with respect to message content. Most of the providers are not zero-knowledge as far as metadata of your messages and your identity are concerned. This is the topic of Part 3: Metadata and Anonymity.

 

5 comments

  1. Anon

    Great article, very understandable even for someone inexperienced with digital encryption (like me).

    Question: In the article it is mentioned that even though I use PGP and send an e-mail to someone who does not use PGP, the message is still not encrypted. I conclude from this that if I want to encrypt every e-mail I send, I have to first ask the party I send it to (aka the other end-point) to use PGP as well. Practically speaking, this is close to impossible.

    Are there ways to encrypt my e-mails in some way or make them harder to read for parties in between end-points without having both end-points using e-mail encryption software?

    • EasyCrypt

      The short answer is: no. The long answer is: yes, if you want to make your life difficult and send a one-time password through a secure channel other than email. This is probably not what you mean so we will not elaborate here.

       

      Based on how you describe yourself, the best option for you, among the solutions available today, would probably be to use one of the browser-based encryption services such as Protonmail or Tutanota. You and the people you communicate with would need to register for the service and each open a dedicated email account there. You would not be able to send encrypted messages at your existing email address, only at your Protonmail or Tutanota address – but at least you would not have to do key management. The latter is what makes the use of PGP clients difficult for non-geeks.

  2. anonionman

    First of all I would like to point out that I like this series of articles a lot. I am not some crypto expert but security/privacy/anonymity is my hobby for few years now trough writing for Libre! magazine about open-source encryption and occasionally organising cryptoparties.

    And to try to answer question asked above:
    It will be for the best if majority of people who do want both security and privacy for their emails to use open-source email clients (on open-source Operating Systems a.k.a Gnu/Linux). And that email clients do opt-it encryption when setting up you email configuration in them offering encryption, or even doing it for you.
    For example: when you install Thunderbird of ClawsMail it comes with PGP/GPG support already built in (Enigmail add-on) and it starts to generate your GPG key (first it checks Keyserver for existence of one).
    And when you are sending emails it queries Keyserver for recipient’s public key (in case on more than one match prompts window to choose one, or alerts you if key does not exist).
    This is just an automation or improvement for encryption on current email clients (MacOSX, Windows, Gnu/Linux, Android), not complete solution to problem in above asked question.

    I would like to point out to another new and emerging ways messaging trough cryptocurrency(Digitalnote, NXT, Dmail, …), darknet anonymous email (I2P bote, freemail, …), and new systems like Onionmail, Pond, Zeromail.

    Mentioned bitmessage is as sad very good alternative, client do exists on all platforms (Mac, Windows, Linux, Android), but people are generally not familiar with it, and it is hard to find it unless you are looking online for open-source secure email alternatives.

    I am not saying they are necessarily better or both “Zero knowledge” and “E2EE”, but are clear signals that problems with emails are understood by innovative programmers and solutions being sought.

  3. EasyCrypt

    We do not agree with your recommendation to ordinary users to use libre software PGP clients. We believe that ordinary email users should not even try to use them. Secure or not, these solutions exist for many years but failed to reach significant following outside the cryptonerd and privacy hobbyist communities. The reason for this is that their usability is way below the level that can be tolerated by normal email users.

     

    The biggest enemies of privacy are not, as is customary to assume, spy agencies, hackers and greedy service providers. These simply take advantage of the almost total absence of use of the existing PGP clients. The biggest enemies of email privacy are poor usability and almost non-existent people networks of the existing solutions. Browser-based solutions took the right step in the direction of usability, but stopped short of creating a global people network.

    We will cover usability and people networks in Part 4 and Part 5 of this series, respectively.

  4. anonionman

    I do mostly agree, but if users always choose usability over true privacy, and programs/apps with cool features, then they should not expect to get privacy along with it. I am not much concerned with usability of programs that implement crypto, because they exist and work. Setting up email client or installing OTR for pidgin is easy for those who seek better privacy. I mean if you use some encryption program on Windows than about what security are we talking about when you do not own you very OS?

Send this to a friend