Author Topic: 4 - Email and Cryptography  (Read 6659 times)

Offline APX808

  • Administrator
  • *****
  • Posts: 1816
  • Karma: +10/-0
    • APX R4nt5
4 - Email and Cryptography
« on: February 28, 2014, 11:07:07 AM »
Email and Cryptography

For email, the old postcard rule applies. Nobody else is supposed to read your postcards,
but you'd be a fool if you wrote anything private on one.
Judith Martin

E-Mail is extremely insecure because many different servers providing Simple Mail Transfer Protocol
(SMTP) interact to deliver an email, and an eavesdropper could be in or in between those points if
the traffic isn’t encrypted.

I analyzed the headers of an email I received a few days ago, and checked all the systems it traversed:

- 74.205.27.180
- 216.52.227.11
- app51.wa-webapps.iad3a (unknown ip)
- localhost 127.0.0.1
- smtp5.relay.iad3a.emailsrvr.com (unknown ip)
- smtp103.iad3a.emailsrvr.com 173.203.187.103
- mx.google.com (unknown ip)
- 10.112.47.136

Each of those 8 different SMTP relay servers connects to the following one in the chain and sends a copy
of the email. That connection could be plain text, in which case anyone in the network could be recording
your email, or it could be encrypted with TLS. We would expect all SMTP traffic to be using TLS nowadays,
but sadly that isn’t the case.

Using http://www.checktls.com you can verify whether all the servers used to reach an email address have TLS
working or not.
Yahoo has a problem with their certificate, so the traffic would be using TLS but you don’t really know if
it is Yahoo or if there is someone in the middle.
Hotmail is even worse: they don’t have any kind of TLS in their SMTP relays.
For TLS to work, both sides of the communication should support TLS, so it doesn’t matter what your email
provider is; if you write to Hotmail, your emails can be read by anyone.

You also need to consider how the end user connects to his email provider. That connection should be
encrypted using HTTPS; otherwise people on the same local network, on the wireless or at the ISP could be
recording the emails.

As you can see, email communication has a lot of fail points.

What email provider should I use?

It is all the same security-wise; use whichever you like.
Your emails can be eavesdropped on at one of the many fail points I detailed previously, or, if the email
provider is from the US/Canada, it can be legally obliged to provide your email contents.

The encryption solutions they provide just encrypt the emails stored on their servers, but when the emails are
sent the security is the one implemented by the weakest link.

The only secure alternative is end to end encryption using GPG.

Check the following articles to know more about the government pushing to get access to emails:

https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy

http://www.forbes.com/sites/kashmirhill/2013/08/09/lavabits-ladar-levison-if-you-knew-what-i-know-about-email-you-might-not-use-it/

http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-problem-qa-with-silent-circle-co-founder-phil-zimmermann/

Enigmail

In the previous lesson we installed GPG and created our key to exchange encrypted mail using it. But as you
may have noticed, it is cumbersome to encrypt a text file and copy-paste the armored text into your mail.

That’s why in this lesson we will install Enigmail, a plugin that integrates the Thunderbird email client
with GPG.

When you’re writing an email with Thunderbird you will have new options to encrypt and sign the email.
Enigmail will automatically select the key to use from your keyring based on the email recipient list and the
mail saved in your “sent emails folder” will be encrypted with your own key.
If your email has multiple recipients, Enigmail will encrypt each email with the corresponding key.

You can also create rules to define which key you would like to use for specific email addresses, etc.

Guys using GPGTools for Mac already have “GPG for Mail” in the suite, which does the same as Enigmail,
but if you don’t have it installed or aren’t using the GPGTools suite, you can install Thunderbird and Enigmail too.

Visit https://www.enigmail.net/ for more information about it.

Practice

In this lesson's practice we will install Thunderbird, then install Enigmail and configure it to use our previously
generated keys.

1 - Install Thunderbird and configure your email account.

http://www.mozilla.org/en-US/thunderbird/

How to install and configure Thunderbird for E-mail on Windows?


2 - Install the Enigmail plugin:
Installing EnigMail add-on in Thunderbird


3 - Restart Thunderbird and you’ll see the Enigmail setup wizard.
The wizard will guide you through the options, and then will ask about your public and private key that you
will use to encrypt/decrypt your mails.

4 - Send me an email encrypted and signed.

Remember to post your questions or go to the discussion section to talk about this week’s lesson.
« Last Edit: February 28, 2014, 12:39:36 PM by APX808 »
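
The header analysis described in the lesson above, as an added example that is not part of the original post: it reads the `Received` headers of a message, lists the relay hops in delivery order, and flags the hops whose receiving server did not record a TLS transfer. The sample message, host names and IP addresses are constructed for illustration.

```python
import email
import re

# Constructed sample (not the headers from the post): example hosts, documentation IPs.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tFri, 28 Feb 2014 11:00:05 -0800
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP id def456;
\tFri, 28 Feb 2014 11:00:03 -0800
Received: from localhost (localhost [127.0.0.1])
\tby relay.example.com with SMTP id ghi789;
\tFri, 28 Feb 2014 11:00:01 -0800
From: alice@example.com
Subject: constructed sample

body
"""

# "with" protocol keywords (RFC 3848) that mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}


def _field(keyword, text):
    """Return the token following 'from', 'by' or 'with' in a Received header."""
    match = re.search(r"\b%s\s+([^\s;]+)" % keyword, text)
    return match.group(1) if match else "unknown"


def trace_hops(raw_message):
    """List the relay hops in delivery order with the protocol each one recorded."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Every relay prepends its own header, so the newest hop comes first.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        protocol = _field("with", text).upper()
        hops.append({"sender": _field("from", text),
                     "receiver": _field("by", text),
                     "protocol": protocol,
                     "tls": protocol in TLS_PROTOCOLS})
    return hops


def plaintext_hops(raw_message):
    """Hops whose receiving server did not record a TLS-protected transfer."""
    return [h for h in trace_hops(raw_message) if not h["tls"]]
```

Each `Received` header is written by the relay that accepted the message, so headers added before the first server you trust can be forged, and a hop without a TLS keyword only shows what that server recorded.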

Offline APX808

  • Administrator
  • *****
  • Posts: 1816
  • Karma: +10/-0
    • APX R4nt5
Lesson 4 discussion
« Reply #1 on: February 28, 2014, 12:40:50 PM »
This thread is to discuss lesson 4.

brat

  • Guest
Re: Lesson 4 discussion
« Reply #2 on: February 28, 2014, 06:27:13 PM »
Downloaded and followed tutorial. Got "login to imap.xxxx.com failed". Double checked password. Checked in normally thru web and verified information. Now what  :what:

Offline APX808

  • Administrator
  • *****
  • Posts: 1816
  • Karma: +10/-0
    • APX R4nt5
Re: Lesson 4 discussion
« Reply #3 on: February 28, 2014, 06:36:02 PM »
Hey Brat, please check your configuration using this tutorial

https://help.hushmail.com/entries/20348693-Thunderbird-5-6-IMAP-

brat

  • Guest
Re: Lesson 4 discussion
« Reply #4 on: February 28, 2014, 06:42:30 PM »
OK... it looks like I won't be able to use hushmail because I have the free version and it says in the tutorial that POP and IMAP are only available for Premium and Business. pfffffttt.

You think it would do any good to try any of the alternative ports in the config or would they still block?

brat

  • Guest
Re: Lesson 4 discussion
« Reply #5 on: February 28, 2014, 06:52:46 PM »
Tried the alternate ports, no joy. Back to square one.  :facepalm:

brat

  • Guest
Re: Lesson 4 discussion
« Reply #6 on: February 28, 2014, 11:25:32 PM »
Had to generate new keys for a different email account that will work with Thunderbird and IMAP. The new public key is posted in the keylocker. Test message finally sent APX. Whew !

Offline NativeSon

  • Prepper Apprentice
  • *
  • Posts: 46
  • Karma: +0/-0
Re: 4 - Email and Cryptography
« Reply #7 on: August 19, 2014, 01:00:29 AM »
Test email sent.

Offline Kentactic

  • Hardcore Prepper
  • ******
  • Posts: 2942
  • Karma: +12/-0
Re: 4 - Email and Cryptography
« Reply #8 on: August 25, 2014, 09:46:39 PM »
Any ideas for encrypting emails sent and received from a smart phone? Samsung S3 to be specific. I don't have a computer.
Simplicity Is Ideal...

Offline APX808

  • Administrator
  • *****
  • Posts: 1816
  • Karma: +10/-0
    • APX R4nt5
Re: 4 - Email and Cryptography
« Reply #9 on: August 25, 2014, 09:53:20 PM »
Sadly there isn't a real implementation of GPG for Android yet.
There is an app called APG that aims to provide the same functionality but I never used it so I can't vouch for its reliability or ease of use.

You can take a look at:
http://www.thialfihar.org/projects/apg/
https://play.google.com/store/apps/details?id=org.thialfihar.android.apg

Offline APX808

  • Administrator
  • *****
  • Posts: 1816
  • Karma: +10/-0
    • APX R4nt5
Re: 4 - Email and Cryptography
« Reply #10 on: August 25, 2014, 09:59:45 PM »
Here I found a tutorial on how to install and use it

https://securityinabox.org/en/k9_apg_main

The guys from securityinabox are respected so you can trust in what they say.