Friday, 9 August 2013

Added Security 6 : Secure mail services

src: lavabit.com

Over the last 24 hours, two email services that have advertised themselves as secure have shut down. Lavabit was the first to close, then came Silent Circle's Silent Mail.

"Silent Mail has thus always been something of a quandary for us. Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure." src: silentcircle.

Security expert Steve Gibson has a good explanation of why Lavabit closed. The reason, as Silent Circle also writes, is that the email protocol is not safe. There is always some leakage of information. Yes, you can encrypt emails, which will make it pretty hard for the NSA guys to read the content of your emails; however, the NSA can still see whom you are contacting. If you do not implement security the right TNO (Trust No One) way, as Lavabit had failed to do, the NSA can visit a company and ask for the data to be handed over, along with the decryption keys. With PGP, though, you should be the only one who has the key to decrypt your data.
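To illustrate the leakage described above, here is an added example (not from the original post) that parses a PGP-encrypted message as a mail server stores it and lists what a party without the private key can still read. The addresses, hosts and armored body are constructed placeholders; the cleartext Subject line is included because PGP protects only the message body.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: an inline-PGP mail as a relay or mailbox server sees it.
# All addresses and hosts are made up; the armored body is a placeholder,
# not real ciphertext.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTPS; Fri, 9 Aug 2013 10:15:02 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: carol@example.com
Subject: Meeting on Tuesday
Date: Fri, 9 Aug 2013 10:15:00 +0000
Message-ID: <20130809101500.1234@example.org>

-----BEGIN PGP MESSAGE-----

PLACEHOLDERnotREALciphertext0000
-----END PGP MESSAGE-----
"""


def addresses(msg, *fields):
    """Collect bare e-mail addresses from the given header fields."""
    values = []
    for field in fields:
        values += msg.get_all(field, [])
    return sorted(addr for _, addr in getaddresses(values))


def observer_view(raw):
    """Return what someone without the private key learns from the message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    encrypted = body.lstrip().startswith("-----BEGIN PGP MESSAGE-----")
    return {
        "sender": addresses(msg, "From"),
        "recipients": addresses(msg, "To", "Cc"),
        "subject": msg["Subject"],            # headers are not encrypted
        "date": msg["Date"],
        "relay_hops": len(msg.get_all("Received", [])),
        "body_readable": not encrypted,       # only the body is protected
    }


if __name__ == "__main__":
    for key, value in observer_view(SAMPLE).items():
        print(f"{key}: {value}")
```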

The best way of staying secure from Big Brother is still to encrypt your emails. You can do that using a client, as I described in my previous Added Security post, or you can use the browser plugin Mailvelope. I might write a separate post on the latter.

There is also a service called CounterMail. From a brief look, it seems to do exactly the same thing as encrypting all your emails yourself. With CounterMail, though, you need to have Java running in your browser, as it uses Java for encryption and decryption. And having Java running in the browser is madness, as it is the number one reason why people are hacked (as mentioned here). Hence I would not recommend CounterMail.

Encrypting emails is unfortunately slightly too technical for the average computer user. Security has to be easy for everyone to start using it. What I believe we will see in the near future is more new communication services that do not use the standard email protocol we use today: services where messages might never leave the server they are stored on, or where all information sent is an unreadable blob of data that Big Brother cannot eavesdrop on. There is a huge market for this, as people in general do not like to share everything with someone they do not trust.



Links
| g+ : shutdown of lavabit | g+ : shutdown of silent mail |


