Domain: mailvelope.com
Stories and comments across the archive that link to mailvelope.com.
Comments · 15
-
Cryptography + Tor, etc.
As a side note this would not have been such a problem if the journalist Ali Watkins had actually run their own email server like ms clinton had...
Well, fundamentally : NO it won't have been *that* much different.
In theory :
- The justice could have just as well gotten a warrant to search her private sever.
- She could have argued that as a reporter, she should protect her source
- She would have been sued in turn for obstruction of justice.In practice :
- Securing a mail server is hard.
- The court could "accidentally find" the needed information in one of the inevitable hack that the server is going to sustain.
(Whether the government would have anything to do with that specific hack is left to the reader's imagination)so lesson learnt dont depend on a third party like gmail/office365 if you want privacy and certainly do not depend on something like signal not to leak your metadata
The best way would be to combine 2 things :
- use end-to-end encryption (for the specific case of e-mail: that would be using GPG or S/MIME, either as a mail client plugin, or as a browser plugin if you're using webmail. For chats that would be using something like OTR or Openwhisper protocols). That would prevent the content being visible during transit at the servers.
- use something that can hide the connection between the users.
For e-mail the point is moot, because even if you encrypt the mail body as stated before, due to the way the mailing protocol works the headers are going to be kept accessible for message routing, and any server relaying the messages along the way will know that the 2 persons have communicated(*).
Instead you should go for something that can successfully leverage onion routing (like TOR or I2P) :
- Chat system working over Tor (i think Tox can work over it ?)
- Plain simple drop boxes that are accessible through .onion addresses. (Several newspapers have setup such)
etc.---
(*)
you could rig something by using a single private server, that can be accessed over tor as a .onion addresses and have both the journalist and the source use local accounts on that server (thus never routing them outside the server).
basically, you're setting up a glorified drop box that uses SSMTP and IMAPS instead of HTTPS/FTPS/SFTP -
Re:But no S/MIME / GPG / PGP?
I understand why they don't add these, but come on. Those should be the first add-ons added. There are even browser add-ons that add S/MIME functionality to gmail and other web based clients (ie. it can and has been proven/done).
No sense in trusting google to handle that for you. Try Mailvelope or WebPG.
-
As opposed to GPG (or S/MIME)
Yup, indeed.
My reaction too was "Nope, not the most secure. Just slightly more secure than before, and never as secure as any random provider as long as you use PGP implementation such as GPG" (or eventually if you use S/MIME, as long as you trust enough the authority that certified the keys).
Again people, in terms of privacy and security, it's hard to beat full end-to-end encryption.
For the webmail-using crowd : Mailvelope is an extension that allows you to use openPGP in the "TextArea" field used by webmail client (e.g.: gmail's website)
It just sucks that unlike desktop clients (e.g.: Thunderbird), the built-in default smartphone e-mail clients very often don't PGP or S/MIME encryption.
-
PGP/GPG webmail plugin : Mailvelope
Have a look at Mailvelope.
- It's generic (not GMail specific, should work on lots of webmail website, simply by encrypting/decrypting their TextArea)
- It's multi-platform (Chrome Extension, Firefox plug-in, most OSes)
- Enables PGP signing and encryption.
- All the crypto is done locally on your computer inside the plug-in. The webmail site only sees encrypted blocks in the editor's input field.It has a few shortcomings :
- Only works on "textarea" form field, so won't work for encrypting attachments.BUT:
- You can still encrypt/decrypt files on your computer (this can be facilitated by by Mailvelope) and upload the *encrypted file* as an attachment.
(This is a work around for GMail, Outlook, etc.) You get the security of encryption, at the cost of a few extra step.
- Mailvelope provides an API and some provider (GMX.de) do integrate with the API and thus provide full support for attachment encryption (done by Mailvelope) without disturbing the end-user experienceWith the GMail Add-On program, Mailvelope developers could implement the necessary things on the GMail side of things as a Gmail Add-On, so it will correctly cooperate with the Mailvelope extension and provide seamlessly encrypted files *without* needing Google to spend time integrating vanilla Gmail with Mailvelope's API (integration done at the Gmail Add-on level isntead).
-
Easy integration
I'd like to recommend mailvelope It's a plug-in based solution that works for all popular webmail clients. It's ease of use and integration makes using encrypted mail, and key handling easy.
-
Re:Encryption for email
The problem is that end-to-end encryption is basically incompatible with webmail. You need to provide your encryption keys to the mail client and if that client is running code provided by a third party that communicates with a third party server then you've lost already.
I give you Mailvelope and FireGPG.
-
Re:WTF? End-to-end encryption not even mentioned!?
Great questions, and they all have answers already.
Webmail s/mime, pgp, gpg encryption: See https://www.mailvelope.com/, or https://www.penango.com/produc..., or similar products.
Alternatively (or in addition to that), Google could provide a javascript based solution. The private key storage would be an issue, but it could be held server side via zero knowledge encryption (ie. enter password on client side, get blob from gmail, decrypt client side). JS validation is also a solved problem, though it's ugly - basically, you just sign the javascript and then validate the signatures, but there is, of course, a bit more to it than that.
For almost all users on smart phones, they use a local client, and not webmail. Google could CERTAINLY implement S/MIME and pgp support there!
As of this moment, you can already do that with products such as R2Mail2 (https://play.google.com/store/apps/details?id=at.rundquadrat.android.r2mail2&hl=en).
You go the traditional install plugin route, but then web mail is no more portable than a fat client.
For this to be even partially true, you would have to assume that all received email is encrypted (rather than just signed).
Personally, I find the need to encrypt email to be rare, but the need to verify the contents (sign) to be useful almost all the time.
If the email is only signed, then you can still read all your email via webmail without a plugin. You can even verify the signatures without a plugin (with just javascript) because signatures do not rely on the recipients private key.
You could also still send unsigned/unencrypted email, so a dumb webmail client is still useful.All that said, the goal would be to make the feature ubiquitous. Google ships chrome, and could ship the "plugin" as part of chrome. Firefox could add a similar feature. Both could use the existing password/key storage that is already built into the browsers. For users that are taking their security VERY seriously, they'll be using a dedicated client, and probably won't be using gmail anyway.
You can have secure E-mail or portable E-mail but not both.
Sorry, but you are wrong.
All that said, it's obvious that gmail isn't the party we should look to for these features. They need to read the contents of your email in order to pay for the service (targeted ads support the service). Part of the business model is being able to read your email, so you can forget about keeping your email private from them based on any solution they provide.
I am surprised that they haven't attempted to implement s/mime or pgp with server-side private key storage. While that would significantly reduce the security of those technologies, it would also significantly increase the security and privacy for all those that currently use clear text email (and especially their webmail service), and it would provide interoperability with existing real email clients implementing the same standards (outlook, thunderbird, alpine/pine, mutt, mail.app).
There's nothing wrong with them improving the state of server-to-server and client-to-server transport layer encryption but, on its own, it does not provide sufficient protection for the examples they provided.
-
Mailvelop does this
I've had great success with mailvelope plug-in https://www.mailvelope.com/hel... it has support for firefox and chrome. It makes PGP encrypting mail secure and integrates well with existing mail accounts rather seamlessly. I'm a longtime user of PGP and mail encryption and this was one of the first times I've seen it done correctly and easy to use.
-
We need Mailvelope as an HTML standard.
The Mailvelope Plugin - https://www.mailvelope.com/ - already does that: encrypt webmails a la Gmail, Yahoo, Hotmail or your own Roundcube etc.. It does so in-browser, obviously.
The best would be it for such thing to be an actually HTML5 extension.
Gmail, Yahoo, Hotmail, etc. just flag which "TEXTAREA" tag contains the message body (or a greasemonkey script does it for them it they don't support it yet) and then the in-browser functionnality handles the encryption/decryption, completely outside of the reach of the webpage and its javascripts.
-
Re:Freenet, I2P, Tor - darknets
It sounds like you want FireGPG or Mailvelope. Too bad the first one is discontinued and the second one is not ready for Firefox yet, just Chrome. Is there a widely used browser plugin I missed?
-
Re:Extensions needed!
-
Re:Extensions needed!
Here it is: http://mailvelope.com/
- works with Chrome, Firefox in development
- provides end-to-end encryption
- reduced the complexity of creating/setting up new keys etc. to a bare minimum. I've sent instructions to non-tech friends who set it up in a few minutes with some very basic handholding.
- is not mail client specific - all it does is encrypt a textarea, so you can get it to work, for instance, on google calendar in addition to yahoo mail or gmail or whatever
- uses its own editor so you can avoid using the web gmail provider's textarea (gmail, for instance, autosaves drafts)
Disclaimer: I am in absolutely no way connected with mailvelope. I'm just a very happy user. -
Re:Extensions needed!
You mean like http://www.mailvelope.com/ ? Found it in a comment on a similar article this week, have been using it since.
-
Re:A possible, bold, new direction
In response to my own comment, this already (kind of) exists.
Mailvelope addon for Firefox and Chrome -
Re:land of the free...
http://mailvelope.com/ does that (EASY TO USE, MULTIPLATFORM browser add on), and does that well.