Email and Cryptography

For email, the old postcard rule applies. Nobody else is supposed to read your postcards,
but you'd be a fool if you wrote anything private on one.
Judith Martin

E-mail is extremely insecure because many different servers speaking the Simple Mail Transfer Protocol
(SMTP) cooperate to deliver a single message, and an eavesdropper could sit on any of those servers, or on
any link between them, if the traffic isn't encrypted.
I analyzed the headers of an email I received a few days ago; these are all the systems it traversed:
- 74.205.27.180
- 216.52.227.11
- app51.wa-webapps.iad3a (unknown ip)
- localhost 127.0.0.1
- smtp5.relay.iad3a.emailsrvr.com (unknown ip)
- smtp103.iad3a.emailsrvr.com 173.203.187.103
- mx.google.com (unknown ip)
- 10.112.47.136
Each of those eight hops connects to the next one in the chain and hands over a complete copy of the email
(some of them, such as localhost and the 10.x address, are internal hops inside a single provider). Each of
those connections may be in plain text, in which case anyone on the network path can record your email, or it
may be encrypted with TLS. We would expect all SMTP traffic to use TLS nowadays, but sadly that isn't the case.
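To reproduce that header analysis yourself, here is an added example (it is not part of the original lesson) that parses the Received: headers of a raw message, lists each hop in the order the message travelled, and marks which hops the receiving server recorded as encrypted. It uses only the Python standard library. The sample headers are constructed for this example, loosely modelled on the hop list above; they are not the real headers of the message discussed.

```python
import re
from email import message_from_string

# Constructed sample for this example: raw headers loosely modelled on the hop list
# above. They are NOT the real headers of the message discussed in the text.
SAMPLE_HEADERS = """\
Received: from smtp103.iad3a.emailsrvr.com (smtp103.iad3a.emailsrvr.com. [173.203.187.103])
        by mx.google.com with ESMTPS id q7si42
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 13 Aug 2013 10:15:02 -0700 (PDT)
Received: from smtp5.relay.iad3a.emailsrvr.com (localhost [127.0.0.1])
        by smtp103.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 5F2E1A0;
        Tue, 13 Aug 2013 13:15:01 -0400 (EDT)
Received: from app51.wa-webapps.iad3a (unknown [10.112.47.136])
        by smtp5.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 3C9B7A2;
        Tue, 13 Aug 2013 13:15:01 -0400 (EDT)
Received: from [216.52.227.11] (helo=client.example.invalid)
        by app51.wa-webapps.iad3a with ESMTPSA id 9A1D
        (using TLSv1.2 with cipher AES128-SHA);
        Tue, 13 Aug 2013 13:15:00 -0400 (EDT)
From: alice@example.invalid
To: bob@example.invalid
Subject: hop test

(body)
"""

# "from <sender> (<reverse DNS / IP>)" and "by <receiver>" clauses of a Received: header.
FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
# "with ESMTP" = clear, "ESMTPS" = TLS, "ESMTPSA" = TLS + authenticated, "ESMTPA" = authenticated only.
PROTO_RE = re.compile(r"\bwith\s+([EL]?SMTP[SA]*)\b")
# Markers the receiving server writes when the connection it accepted was encrypted
# (the ESMTPS keyword, or Postfix/Google style "using TLSv1.2 ..." / "cipher=..." notes).
TLS_RE = re.compile(r"\bE?SMTPSA?\b|\bTLS(?:v?\d)?|cipher[= ]")


def parse_received(value):
    """Extract sender, receiver, protocol keyword and encryption flag from one header value."""
    text = " ".join(value.split())  # undo header folding
    m_from, m_by, m_proto = FROM_RE.search(text), BY_RE.search(text), PROTO_RE.search(text)
    return {
        "from": m_from.group(1) if m_from else None,
        "from_info": m_from.group(2) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "protocol": m_proto.group(1) if m_proto else None,
        "encrypted": bool(TLS_RE.search(text)),
    }


def trace_hops(raw_message):
    """Return the hops in travel order (each relay prepends its header, so the list is newest-first)."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]


def plaintext_hops(hops):
    """Receiving hosts that accepted the message over an unencrypted connection."""
    return [h["by"] for h in hops if not h["encrypted"]]


if __name__ == "__main__":
    for i, h in enumerate(trace_hops(SAMPLE_HEADERS), 1):
        flag = "TLS" if h["encrypted"] else "PLAIN"
        print(f"{i}. {h['from']} -> {h['by']} [{h['protocol']}] {flag}")
```

Each Received: header is written by the receiving server of that hop, so an ESMTPS or "using TLSv1.2" annotation is that server's statement about the connection it accepted; a hop marked plain ESMTP, as the two internal relay hops are in this sample, crossed that link in the clear. Also remember that a sender can forge every Received: header below the first one added by a server you trust, so only the hops from your own provider inward are reliable evidence.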
Using http://www.checktls.com you can verify whether every server used to reach an email address has TLS
working or not.
At the time of writing, Yahoo has a problem with their certificate: the traffic is encrypted with TLS, but since
the certificate does not validate you cannot tell whether you are talking to Yahoo or to someone in the middle.
Hotmail is even worse: their SMTP relays don't offer any kind of TLS.
SMTP only uses TLS when both ends of a hop support it (the receiving server has to advertise STARTTLS), so it
doesn't matter how good your own email provider is: if you write to Hotmail, your emails can be read by anyone
on the path.
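The checktls.com test above can be reproduced against a single mail server with the following added example (it is not from the original lesson and is not the checktls.com tool). Given an MX host name (look it up with `dig MX` for the recipient's domain), it opens an SMTP session, checks whether STARTTLS is advertised, and if so attempts a handshake with certificate and hostname verification, then ranks the outcome. The status names and the weakest-link ranking are this example's own conventions.

```python
import smtplib
import ssl
import sys

# Outcomes for one MX host, worst to best (names are this example's own).
PLAINTEXT_ONLY = "PLAINTEXT_ONLY"  # no STARTTLS offered: the hop to this server is readable by anyone on the path
TLS_FAILED = "TLS_FAILED"          # STARTTLS offered but the handshake broke; opportunistic senders retry in clear
TLS_UNVERIFIED = "TLS_UNVERIFIED"  # encrypted, but the certificate does not validate (the Yahoo case in the text)
TLS_VERIFIED = "TLS_VERIFIED"      # encrypted and the certificate chains to a trusted CA for this host name
UNREACHABLE = "UNREACHABLE"        # no SMTP session could be completed
ORDER = [PLAINTEXT_ONLY, TLS_FAILED, TLS_UNVERIFIED, TLS_VERIFIED]


def starttls_status(host, port=25, timeout=10):
    """Open an SMTP session to host:port and report how well it protects the hop.
    Returns (status, detail)."""
    smtp = None
    try:
        # The constructor connects and reads the 220 banner; it also records `host`
        # as the server name smtplib hands to TLS for hostname verification.
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        code, _ = smtp.ehlo()
        if code != 250:
            return UNREACHABLE, f"EHLO rejected with code {code}"
        if not smtp.has_extn("starttls"):
            return PLAINTEXT_ONLY, "EHLO reply does not advertise STARTTLS"
        # The default context verifies the chain against the system trust store and
        # checks that the certificate matches `host`; an impersonator with a
        # self-signed certificate fails here instead of silently succeeding.
        ctx = ssl.create_default_context()
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as e:
            return TLS_UNVERIFIED, e.verify_message or str(e)
        except (ssl.SSLError, smtplib.SMTPResponseException) as e:
            return TLS_FAILED, str(e)
        return TLS_VERIFIED, smtp.sock.version()
    except (OSError, smtplib.SMTPException) as e:
        return UNREACHABLE, str(e)
    finally:
        if smtp is not None:
            smtp.close()  # closes the socket without QUIT; safe even after a failed handshake


def weakest_link(statuses):
    """A domain usually has several MX hosts and a sender may use any of them, so mail to
    that domain is only as protected as its weakest reachable host."""
    reachable = [s for s in statuses if s in ORDER]
    return min(reachable, key=ORDER.index) if reachable else UNREACHABLE


if __name__ == "__main__":
    # Usage: python starttls_check.py mx1.example.invalid mx2.example.invalid
    results = []
    for host in sys.argv[1:]:
        status, detail = starttls_status(host)
        results.append(status)
        print(f"{host}: {status} ({detail})")
    if results:
        print("weakest link:", weakest_link(results))
```

The Yahoo case in the text corresponds to TLS_UNVERIFIED: the connection is encrypted, but because the certificate does not validate, an attacker in the middle presenting his own certificate would get exactly the same result. The Hotmail case corresponds to PLAINTEXT_ONLY. TLS_FAILED ranks below TLS_UNVERIFIED because SMTP TLS is opportunistic: a sending server whose handshake fails typically retries in clear text, so a broken STARTTLS is barely better than none. Run the check from a host that is allowed to make outbound connections on port 25; many ISPs and cloud providers block it.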
You also need to consider how the end user connects to their email provider: that connection should be
encrypted with HTTPS (or TLS, for a desktop mail client), otherwise people on the same local or wireless
network, or at the ISP, could be recording the emails.
As you can see, email communication has a lot of points of failure.

What email provider should I use?

It's all the same security-wise; use whichever you like.
Your emails can be intercepted at any of the many points of failure detailed above, and if the email provider
is based in the US or Canada it can be legally compelled to hand over your email contents.
The encryption some providers offer only protects the emails stored on their servers; once an email is sent,
its security is whatever the weakest link in the chain implements.
The only secure alternative is end-to-end encryption with GPG. Keep in mind that GPG protects the message body
and attachments, not the envelope: the subject line, sender and recipients still travel in the clear.
Check the following articles to learn more about governments pushing to get access to emails:
https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy
http://www.forbes.com/sites/kashmirhill/2013/08/09/lavabits-ladar-levison-if-you-knew-what-i-know-about-email-you-might-not-use-it/
http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-problem-qa-with-silent-circle-co-founder-phil-zimmermann/

Enigmail

In the previous lesson we installed GPG and created our key to exchange encrypted mail with it. But as you
may have noticed, it is cumbersome to encrypt a text file and then copy and paste the armored text into your mail.
That's why in this lesson we will install Enigmail, a plugin that integrates the Thunderbird email client
with GPG.
When you're writing an email in Thunderbird you will have new options to encrypt and sign it.
Enigmail automatically selects the keys to use from your keyring based on the recipient list, and the copy
saved in your "Sent" folder is also encrypted to your own key, so you can read it later.
If your email has multiple recipients, Enigmail encrypts the one message to each recipient's public key, so a
single copy is readable by all of them.
You can also create per-recipient rules to define which key to use for specific email addresses, and so on.
Users of GPGTools for Mac already have "GPG for Mail" in the suite, which does the same as Enigmail, but if
you don't have it installed or aren't using the GPGTools suite, you can install Thunderbird and Enigmail too.
Visit https://www.enigmail.net/ for more information. (Since Thunderbird 78, OpenPGP support is built into
Thunderbird itself and the Enigmail add-on is no longer needed for it.)

Practice

In this lesson's practice we will install Thunderbird, then install Enigmail and configure it to use our previously
generated keys.
1 - Install Thunderbird and configure your email account: http://www.mozilla.org/en-US/thunderbird/
2 - Install the Enigmail plugin.
3 - Restart Thunderbird and you'll see the Enigmail setup wizard. The wizard will guide you through the options
and then ask which public and private key you will use to encrypt/decrypt your mails.
4 - Send me an email, encrypted and signed.

Remember to post your questions or go to the discussion section to talk about this week's lesson.