Wed 04 June 2014
Now lets consider emails. If you want to add confidentiality to your mail exchanges, you migth consider end-to-end ecnryption solutions such as pgp [1. it only ensure confidentiality of the content of the mail]. This solutions takes place in the end user's computers and nowhere else. If you want to ensure authentication and integrity check, pgp's signature must be done on the emmitter's computer, the differents checks can be done everywhere.
Now lets think the life of an email. It borns somewhere in an host. In many case, thanks to a MUA. It then transits toward a first MTA, usually designated by the part after the @ of the sender's email address. Then, it transits between several MTA [2. this transit does not use any web's application protocol (HTTP, HTTPS, XHTML, CSS, ...), the standard protocol is SMTP.] until it reaches the last MTA, designated by the part after the @ of the receiver's email address. Then the receiver's MUA enters into effect. During this transit, when an email can be read (in plain clear text)? if some security service is wanted, where can it be done? Depending on the solution you apply, where is your email secure (in which MTA or MUA)?
This is my point of view. That is why I consider email encryption should only be made on end user's MUA and nowhere else. Email encryption can be done offline, before sending all emails in batch.
Lets now consider the confidentiality of the parts of emails not covered by pgp-like email encryption. That is to say the metadata (email header and lower level). An email must be delivered, so it must have a valid receiver. The easiest way to bypass this limitation is by using a one-time-email-address. The algorithms to agree ont eh email address to use can be related to the one used for one time passwords. The sender can hide himself by modifying the "from" field and by sending its email from elsewhere (e.g. using TOR).
That's why I'm really puzzled about this google transparency report annonce.
- Volume of encrypted email rising amid spying fears
- More turn to encrypted email amid spying fears
- 4 Surprising Ways To Encrypt Your Data
- Study finds data moving to cloud, encrypted or not
- Transparency Report: Protecting emails as they travel across the web
Related articles (or not):
- Gmail and reply-to
- Language evolution
- Search engine: do it yourself
- GPG key renewal
- gmail out of office message