Email Encryption has the potential to provide protection from spam and malware over email, if implemented correctly. Email encryption can protect your privacy and your security.
This raises the simple question of why email encryption hasn’t been adopted and why the majority of email communication over the internet is not encrypted?
Three Failures of email ENCRYPTION
Difficult TO Implementing
It is difficult to implement as an end user as it requires a number of confusing and complicated steps. This is only complicated further when you factor most users now use 2 or more devices to access their emails.
Many organisations are using cloud services which either don’t provide encryption options or charge extra for the privilege of being able to have encrypted emails. Furthermore it is worth noting that many cloud providers may be using the data from raw emails (not encrypted) for a range of activities from spam protection, customised Ads, market research or other activities. Hence many cloud providers are not economically motivated to provide email encryption.
Many organisations want to track all electronic communications from their employees. This means they want to control how any information is encrypted, hence prefer to encrypt traffic only exiting their email system. The common method of encrypting traffic between email nodes is called STARTTLS. This method has a number of issues including:
- The message is decrypted at each email relay (node) so there is no protection from nodes
- It is optional encryption so a man-in-the-middle could filter out the optional encryption request
- The message provides no protection from untrusted parties, spam or malware
- The message is decrypted by the email servers and not the end users so the raw message is available to the email service provider. This becomes an issue for those using cloud services for their emails.
End to End Encryption
End to end encryption allows email communications to be secured between each party. The challenge is:
- how do they securely exchange keys (including organisational/corporate keys)
- how do they encrypt and decrypt emails across multiple devices (phone, browser, tablet, desktop)
The method to exchanging keys can be done many ways, including a public key repository or DNS records. The concern with a public key repository is it could be compromised, and allow public knowledge and every attacker and spammer knowing your email or it doesn’t take advantage of the fact that by the “public key” not being public means spammers and malware can not be encrypted.
I would recommend using a web of trust mechanism by placing your public key/s at the end of each email. This method means the only people you directly communicate with have access to your public key. Hence any person sending you spam or malware will either need to manually request your key, or will not be encrypted and any non-encrypted emails can have higher security rules across them including being filtered into spam, removal of attachments and removal of links.
This is not without it’s weaknesses and requires the first message between each contact be appropriately secured so a man-in-the-middle is not able to modify the public keys for the first message. This is where securing emails across servers using STARTTLS and/or DANE in combination with end to end security can mitigate this concern. Also it also provides some protection in case of any mistakes in the end to end encryption implementation.
Theoretically this sounds great, but practically it is still too hard for many people. The current best practice is PGP or GPG. However they are still clunky. The proposal to smooth the process would be to automate as much of the process as possible. So with that said we would require tool/s that can automatically decrypt emails then extract and store other parties keys, as well as automatically encrypt each email with the appropriate keys. This would also require to work across all your devices.
So the tools that could be currently used could be:
Web Browser – Mailevlope
- Email App:
- K-9 Mail
- Squeaky Mail
- WEB.DE Mail
- Sony Email
- Key Storage App:
- OpenKeychain: Easy PGP
- Gnu Privacy Guard (GnuPG)
- APG (Android Privacy Guard)
- PGP KeyRing
There is still a manual process of transferring your keys across all the devices, but not one that is not manageable by the average user.
Current keys are quite large and cumbersome but with new ECC keys, it wont be long before seeing a small set of numbers at the end of someone’s email might become standard.
Stay tuned to find out more.