Email privacy crash course – Part 2: Encryption
- End-to-end encryption lets users take control of the safe transmission of their emails over untrusted services and networks, thwarting surveillance and intrusion.
- Do not use non-standard encryption; PGP is the gold standard.
- Look for full 4096-bit key length.
- Do not use services that are not end-to-end, such as server-side encryption (SSE).
- Do not use services that do not publish their software as open source.
- Browser-based encryption clients are less secure than native clients, but offer better usability.
- End-to-end encryption does not secure the endpoints. However, unless you are a specifically targeted individual, end-to-end is good enough.
- Encryption does not cover everything. Without metadata protection and anonymity there is no true “zero knowledge”.
In Part 1: Introduction we provided an overview of the tenets of email privacy, as shown in the following diagram. In this article we will focus on encryption. Rather than overwhelm you with technical details, we will attempt to provide the minimal information that you need to evaluate encryption-related aspects of email privacy services.
Encryption is our means of replacing trust with control. You need encryption when you do not trust the medium or the channel where your information is stored or transmitted, and want to take personal control of it.
We all use telephone services. Should you trust this channel? Not in your lifetime! The spooks have officially and “lawfully” bugged the entire phone network; they control it – but we all use it anyhow, because we have no reasonably usable alternative. We could use dedicated secure VoIP services, but the usability penalty and the small people network associated with them (see the diagram above) are too limiting for most of us, and the ubiquity and usability of the regular phone service are too tempting.
Fortunately, email is different from telephone in this respect. Using end-to-end encryption, you can thwart attempts by greedy email service providers, spies and hackers to intercept and read your email, even when it is transmitted over untrusted networks.
Thou shalt not use non-standard encryption
The PGP email encryption system is the gold standard. It has been around for over 20 years, during which security researchers have attempted to find vulnerabilities in it, and sometimes succeeded. While nothing that involves computers and software is 100% secure, PGP is as torture-tested and ubiquitous an email encryption system as you can get. Some encrypted email providers use encryption that resembles PGP but is not PGP (for example, Tutanota, HP/Voltage). When you use such providers, you forgo the decades of work by the community of security experts that went into attacking PGP and repairing its vulnerabilities.
PGP is not perfect. It does not protect your message metadata. It burdens users with key management. Email clients that implement it (such as Enigmail for Thunderbird, GPG for Outlook or the Mailvelope add-on for Chrome and Firefox) have serious usability issues. Significant advances in PGP’s usability were made by browser-based encrypted email providers such as Protonmail, albeit at the expense of limiting people network and ubiquity. We shall cover usability in detail in an upcoming article; for now let us focus on encryption.
End-to-end is king
Some email encryption services are end-to-end, meaning that encryption/decryption is done only on your devices, and neither emails nor decryption keys ever leave your devices unencrypted. Other services do encryption at the service provider’s servers rather than on your device. These are by definition not end-to-end, and should be avoided (more about this below).
Picture (a) shows what happens without encryption. Opportunities to eavesdrop (denoted by the red exclamation marks) are everywhere: at the servers of Internet Service Providers, network nodes, email service providers, network links. The green checkmarks denote the endpoints, which are the only places where the emails should be available in clear text, for reading by their intended recipients.
Picture (b) shows what happens when Alice uses a local PGP client on her PC while her correspondent Bob uses a server side encryption service (SSE). Emails of both Alice and Bob emerge unencrypted at the SSE provider’s servers.
PGP server-side encryption (SSE) services work as follows: Bob uses a standard email client such as Outlook and lets the SSE service encrypt his emails on its servers. His email is protected by SSL/TLS as it travels between his computer and the SSE provider. However, it emerges unencrypted at the SSE provider’s servers before being PGP-encrypted and sent to Alice. Unsuspecting Alice, who is using a PGP client on her computer, thinks that she is safe – but she is not, and neither is Bob. The emails of both are accessible in clear text at the SSE provider’s server. The SSE provider is in this case what the spy agencies call a “high value target”, as it is a point through which many privacy-sensitive users send their emails, thinking that they are protected.
There are also some other surprisingly insecure email encryption services such as Virtru that get the encryption keys from the senders, store them and deliver them to recipients in clear text, without even troubling the users with the requirement to enter a password. We cannot cover them all here.
Amazingly, some people use SSE services such as Hushmail or Startmail and think that they are safe. Hushmail is apparently popular with medical service providers in North America who use it as a fig leaf to show that they are compliant with HIPAA regulations. Maybe some people just like the simplicity of using SSE and choose to hand control of their data over to the SSE provider. If you are among such users, as long as you know what you are doing and take the risk willingly – fine. But when SSE providers tell you “we do not read your email” (if they were end-to-end they would say “we cannot read it”) or “we use SSL to make sure your email is secure all the way”, beware. Under a subpoena or a National Security Letter (depending on their jurisdiction) they will sell you out, whether they are located in the US or in Europe. Otherwise, they are toast.
This leaves us with the only kind of encryption that we can recommend: end-to-end, which means that the emails are encrypted and decrypted only at the endpoints, as shown in picture (c) below. End-to-end leaves service providers, hackers and spies no opportunity to read the content of your emails as they traverse the network or remain in network-based servers and mailboxes. This also means that your email content is immune to subpoenas.
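The difference between pictures (b) and (c) comes down to where the message exists in clear text. The following model traces a message through both architectures and reports every node at which the exact plaintext was visible. It is an added example and not part of the original article; the node names, the HMAC-based stand-in cipher (standing in for the AES session-key encryption PGP actually uses) and the sample message are all constructed for illustration.

```python
"""Trace which nodes on the path can read a message under SSE versus end-to-end encryption."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in cipher built from the standard library.
    # Real PGP uses AES (or another OpenPGP cipher) under a per-message session key.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Node:
    """A place the message passes through; records every byte string visible there."""
    def __init__(self, name):
        self.name, self.seen = name, []

    def sees(self, data):
        self.seen.append(data)
        return data


def readers(nodes, plaintext):
    """Names of the nodes at which the exact plaintext was visible."""
    return [n.name for n in nodes if plaintext in n.seen]


def sse_flow(plaintext):
    """Bob uses a plain mail client and a server-side encryption provider (picture (b))."""
    bob, link, sse, net, alice = (Node(n) for n in
        ("Bob's PC", "Bob<->SSE link (TLS)", "SSE provider server", "network / ISP", "Alice's PC"))
    tls_key = secrets.token_bytes(32)   # TLS session key, shared by Bob and the SSE server
    pgp_key = secrets.token_bytes(32)   # PGP session key: generated and held by the SSE server
    bob.sees(plaintext)
    on_wire = link.sees(encrypt(tls_key, plaintext))
    submitted = sse.sees(decrypt(tls_key, on_wire))   # TLS ends here: clear text in provider memory
    to_alice = net.sees(encrypt(pgp_key, submitted))  # only now is the message PGP-encrypted
    alice.sees(decrypt(pgp_key, to_alice))
    return [bob, link, sse, net, alice]


def e2e_flow(plaintext):
    """Both endpoints run their own PGP client (picture (c)); the provider only relays."""
    bob, provider, net, alice = (Node(n) for n in
        ("Bob's PC", "mail provider server", "network / ISP", "Alice's PC"))
    pgp_key = secrets.token_bytes(32)   # session key known to the two endpoints only
    bob.sees(plaintext)
    cipher = bob.sees(encrypt(pgp_key, plaintext))
    alice.sees(decrypt(pgp_key, net.sees(provider.sees(cipher))))
    return [bob, provider, net, alice]


# Constructed sample message, not a real email.
MESSAGE = b"Constructed sample message: lab results attached, please keep confidential."

if __name__ == "__main__":
    print("SSE readers:", readers(sse_flow(MESSAGE), MESSAGE))
    print("E2E readers:", readers(e2e_flow(MESSAGE), MESSAGE))
```

Running it lists Bob's PC, the SSE provider's server and Alice's PC as readers in the SSE flow, but only the two endpoints in the end-to-end flow. The TLS link key protects the hop, not the message: whoever terminates TLS holds the plaintext, which is exactly why a provider that says "we use SSL all the way" is not saying "we cannot read it".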
Open source or close shop
Do not use encrypted email service providers that do not publish the source code of their software. Open source allows the community of experts to scrutinize the service provider’s code and check the veracity of its claims, especially the “zero knowledge” claims. If the service provider does not prominently announce on its website that it publishes its source code, you can be sure that it does not publish the code.
How strong and secure is the service provider’s encryption?
To evaluate this, you should check the following:
Key length: up to 4096 bits. This is the maximum key length supported by PGP. Quite a few encrypted email providers only offer 2048-bit keys. This is significantly weaker than 4096 bits, which you should prefer, as security expert Bruce Schneier does.
Browser-based or native? Native PGP clients such as Enigmail or GPG for Outlook are inherently more secure than browser-based clients. On the other hand, some browser-based encrypted email services have better usability than native clients, as discussed in detail in Part 4.
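You do not have to take a provider's word for its key length: a public key exported in binary OpenPGP format carries the modulus size in its key packet, and you can read it yourself. The following parser walks the packets of such an export (RFC 4880 packet headers, v4 public-key packets and MPIs) and reports the algorithm and bit length of the primary key and each subkey, plus the v4 fingerprint. This is an added example, not code from the article; the sample export at the bottom is constructed filler with the right packet structure, not a real key.

```python
"""Report the key length of each public key and subkey in a binary OpenPGP key export."""
import hashlib
import struct

PUBLIC_KEY_TAGS = {6: "public key", 14: "public subkey"}
ALGORITHMS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def iter_packets(blob):
    """Yield (tag, body) per packet; handles old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(blob):
        first = blob[pos]
        if not first & 0x80:
            raise ValueError("offset %d is not an OpenPGP packet header" % pos)
        if first & 0x40:  # new-format header: tag in the low 6 bits, variable-size length
            tag = first & 0x3F
            second = blob[pos + 1]
            if second < 192:
                hdr, length = 2, second
            elif second < 224:
                hdr, length = 3, ((second - 192) << 8) + blob[pos + 2] + 192
            elif second == 255:
                hdr, length = 6, struct.unpack(">I", blob[pos + 2:pos + 6])[0]
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header: tag in bits 2-5, length-field size in the low 2 bits
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            hdr = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(blob[pos + 1:pos + hdr], "big")
        body = blob[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length


def read_mpi(body, off):
    """Decode a multiprecision integer: 2-byte bit count, then the big-endian magnitude."""
    bits = struct.unpack(">H", body[off:off + 2])[0]
    size = (bits + 7) // 8
    return bits, int.from_bytes(body[off + 2:off + 2 + size], "big"), off + 2 + size


def describe_key(body):
    """Return (algorithm, strength) for a v4 public-key packet body (RFC 4880 section 5.5.2)."""
    version, algo = body[0], body[5]
    if version != 4:
        raise ValueError("only version 4 key packets are handled")
    name = ALGORITHMS.get(algo, "unknown(%d)" % algo)
    if algo in (18, 19, 22):  # ECC: strength is the curve, named by an OID, not an MPI size
        oid_len = body[6]
        return name, "curve OID " + body[7:7 + oid_len].hex()
    bits, _, _ = read_mpi(body, 6)  # first MPI is n (RSA) or p (DSA, ElGamal): the key size
    return name, bits


def fingerprint(body):
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_sizes(blob):
    """List (packet kind, algorithm, strength) for every public key and subkey in the export."""
    return [(PUBLIC_KEY_TAGS[tag],) + describe_key(body)
            for tag, body in iter_packets(blob) if tag in PUBLIC_KEY_TAGS]


# --- Constructed sample export (not a real key): deterministic filler with the top bit set ---
def _mpi(n):
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def _fake_rsa_body(bits, seed):
    filler = int.from_bytes(hashlib.sha256(seed).digest() * (bits // 256), "big")
    n = (1 << (bits - 1)) | (filler >> 1)  # exactly `bits` bits long; e = 65537
    return b"\x04" + struct.pack(">I", 1500000000) + b"\x01" + _mpi(n) + _mpi(65537)


def _packet(tag, body, new_format=False):
    if new_format:  # two-octet new-format length, valid for 192 <= len(body) < 8384
        n = len(body) - 192
        return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


SAMPLE_EXPORT = (_packet(6, _fake_rsa_body(4096, b"primary"))
                 + _packet(14, _fake_rsa_body(2048, b"subkey"), new_format=True))

if __name__ == "__main__":
    for kind, algo, strength in key_sizes(SAMPLE_EXPORT):
        print("%-14s %-8s %s" % (kind, algo, strength))
```

On a real key, feed it the bytes of `gpg --export <keyid>`; the sample reports a 4096-bit RSA primary key with a 2048-bit RSA subkey, which matters because it is the encryption subkey, not the primary key, that protects your messages. The same information is shown by `gpg --list-keys` (for example `rsa4096`), so the parser is mainly useful where you have only the key material, such as a public key downloaded from a provider's website.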
What about the endpoint?
End-to-end encryption does not cover the endpoints – your PC, tablet or mobile phone; it only protects your email as it travels through and is stored in the network between the endpoints. Your emails are not encrypted when you are writing them or when you are viewing the received ones, and that is when they can be spied on.
The bad news is that if your endpoint is broken into, you are not protected. This may come in the form of a keylogger that collects your keystrokes as you type an email message, or other spying malware. Electromagnetic spying and recently even acoustic extraction of PGP keys from a PC were reported.
The good news is that for your endpoint to be broken into by the spy agencies (or criminals), you must be targeted by them – which is very expensive. It is also legally difficult even in America, although this is changing. Anyhow, unless you are a terrorist, child pornography ringleader or a wholesale drug dealer specifically targeted by law enforcement, with end-to-end encryption you should be fine.
Zero knowledge is good, but does “zero” mean “nothing”?
Quite a few providers claim that they are “zero knowledge”, meaning that they themselves cannot access your data. Well, it is easier to identify providers who are not zero knowledge (SSE services are a perfect example) than to find those who are. The only provider that we are aware of that comes close to true zero knowledge is Bitmessage (if you use their client and not their mail gateway). However, without the email gateway Bitmessage is actually an IM service rather than an email service.
Let us know if you are aware of zero knowledge providers that we missed.
Encrypted email service providers that use standard end-to-end PGP encryption (and publish their source code) can reasonably claim that they are zero-knowledge, but only with respect to message content. Most of the providers are not zero-knowledge as far as metadata of your messages and your identity are concerned. This is the topic of Part 3: Metadata and Anonymity.