What Gmail's New TLS Icon Really Means: Email Encryption Is Still Broken

An anonymous reader writes: On Safer Internet Day Google announced that Gmail will display warning signs for missing encryption and authentication, a great initiative indeed! Now that it's live we've taken it for a spin, only to find that the warning when composing email is quite slow (for new domains), and that they fail to mention that the non-authenticated TLS encryption that the currently sad state of SMTP encryption leaves us with is really poor, and vulnerable to almost anything (except passive wiretapping). I rather wish they took a stance on how we could move on to proper email encryption.

Crypto infrastructure is too frigging hard!

The problem here is that crypto infrastructure in general is too fucking hard for anyone but dedicated security professionals to work with. Hell, even they have a shitload of trouble with it, as we've seen from the many OpenSSL bug debacles lately! This technology is way beyond what average, or even above-average, computer users are capable of dealing with. Some people will probably reply saying, "But it's not that hard! I can understand it!", yet those are the kind of people who understand this technology the least. At least average computer users know crypto technology is way beyond their capabilities. These self-proclaimed "experts", on the other hand, don't realize how much they don't know! Until crypto becomes far more simpler for average folks to use then we just won't see it used.

Re:Crypto infrastructure is too frigging hard!

[xxxJonBoyxxx]

Not quite. The core beef seems to be that the commonly used STARTTLS method of SMTP transport encryption is essentially optional, which allows hackers to use a variety of methods to force-downgrade target connections (in situations where mature implementations of HTTPS would have safely blown up). In other words, the authors are seeking a world where you install your mail server cert just like you install your web server cert, and it all works fairly securely out of the box. The reality is that it's early yet, but a lot of the work seems to be needed on the part of application developers rather than IT right now.

See https://blog.filippo.io/the-sa...

Re:Crypto infrastructure is too frigging hard!

Posting anonymously for several reasons.

I am a cryptosystems implementation expert, and I can tell you that the user interaction with cryptography is ALWAYS the reason modern cryptography fails to be adopted.

The truly frustrating thing is that it's relatively easy to abstract the user from the cryptography, but for some reason, hardly anyone does this for email, principally because it requires a great deal more work on the infrastructure side initially. A company like Google could easily develop such a system, but that would include drafting some new RFCs (and possibly even some legislation requiring email encryption by default). There simply has not been the social, legal, or technological support for it to date.

Re:Crypto infrastructure is too frigging hard!

[scdeimos]

If you're thinking STARTTLS then you're encrypted transport system is already broken. Use the proper SMTPS ports. A number of ISPs (including TPGi in Australia) use Cisco PIX appliances (and other) to intercept SMTP tcp/25 traffic from their users. And they force unencrypted connections by not reporting STARTTLS in its EHLO response. Your privacy and security, broken in the name of "SPAM control."

Re:Crypto infrastructure is too frigging hard!

[stooo]

Whoa. A TLS icon on the website. How cute is that ?
Absolutely useless, though.

Re:Crypto infrastructure is too frigging hard!

[GuB-42]

Google actually takes security very seriously.
They want to make sure no one but them can read your email.

Re:Crypto infrastructure is too frigging hard!

[KGIII]

Furthermore, even if Google *could* do so and *said* they did so, would you believe them?

I'm not actually sure what they think of one of my addresses. It has never sent, nor received, anything but encrypted emails. I don't actually use the website. I'm not sure that I've used the website at all - except for the initial setup. That email is quite private and gets very specific use. I've never even gotten any spam/UCE at that address. Hell, some folks use their email service as an online backup. They can even mount it as a disk, or so I read - I can't say that I've ever had a reason to try it. I'd like to assume that they're encrypting it before they're putting it up there.

Re:Crypto infrastructure is too frigging hard!

[ptudor]

"smtp fixup" is the worst PIX/ASA default configuration ever. So obvious what The Problem is once you see a bunch of asterisks censoring the SMTP conversation.

WTF? End-to-end encryption not even mentioned!?!?

[unrtst]

Use S/MIME, PGP, etc...
All the transport level stuff isn't going to protect your email or ensure it's not modified in transit (or at the destination or origin).

Gmail's help on their new icon:

If you see the red padlock while composing a message
Don’t send confidential material, like tax forms or contracts, to that email address.

Fuck that... if you're sending confidential email without encrypting the content, you're already screwed.
For semi-important information, one should at least digitally sign the content to prove it wasn't modified in transit (ex. this should be used for any contracts, and if it's very sensitive, it should also be encrypted, and not just on the transport layer).

what about Bill Gates/Microsoft promise?

[rubycodez]

Bill Gates said they would solve the spam problem a few years back. Yet my inbox under office365 that my employer uses is a chum bucket of spam, while good cron and batch job emails end up in "junk" half the time. wtf, Gates. billions and you couldn't at least have pushed domain a authentication/verification system?

Re:what about Bill Gates/Microsoft promise?

[rubycodez]

you're lucky, some of us got the update without even wanting or asking for it, talk about the spam dumptruck unloading in your lap....

Re:what about Bill Gates/Microsoft promise?

[Bearhouse]

Well, I'm sure than one went pretty quickly into the "too hard" round file in the corner.
Especially when they found out that it was hard to monetize...

It's amazing the crap people put up with, (spam, unsecured email)
It's probably our fault; we've done a reasonable job managing the spam, (which is visible to the user) and a crap one convincing our users and managers to demand secure, encrypted email.

Re:what about Bill Gates/Microsoft promise?

[rubycodez]

great unless device drivers don't exist or software just doesn't run on 10; some people/business were screwed

Re:what about Bill Gates/Microsoft promise?

[redmid17]

Not this particular update, but others in the past, have drilled into my head very very well that Windows might be able to check for updates but never install them. There's a reason WSUS exists nowadays.

Re:what about Bill Gates/Microsoft promise?

[rubycodez]

yes WSUS exists to allow click-and-point weenies who know nothing about security or how computers actually do things or what real operating systems do, to fuck me over for those things I have to use windows

how we could move on to proper email encryption.

[fred911]

Please, this has been available since 1991. 25 years and now there's concern?

PGP https://en.wikipedia.org/wiki/...

gmail is what has broken email.

I consider gmail to by my biggest threat to the privacy of my email.

If I want end to end security, well there is a standard for that. I use it. It works.

But gmail is close to having a monopoly on email. It isn't quite yet, but almost everyone I know uses exclusively gmail now. That means if I want to email them, Google IS the man in the middle. I can't easily email my friends without giving Google the contents of my email, which they will use to build a profile of me - and I've never signed up for any of their services or estasblished any kind of business relationship with them.

Furthermore, most small to medium businesses are using gmail.

Think about this: we used to have a decentralized, non-censorable, email standard that no one entity could control or pervert for their own ends. But the whole world said, "Fuck that, we want one advertising company to see everybody's email!.

Google is the main threat to the privacy of email today. Like Bruce Schneier observed, they want you to have email privacy from everyone except them.

Re:gmail is what has broken email.

[sims+2]

Well if anyone else had wanted to provide a reasonable amount of storage, allow attachments bigger than 4MB, provide both pop3 and imap access, not inject advertising into your outgoing mail, for "free".
They could have been the largest email provider.

But no one else wanted to do that for "free".

Re:gmail is what has broken email.

Well if anyone else had wanted to provide a reasonable amount of storage, allow attachments bigger than 4MB, provide both pop3 and imap access, not inject advertising into your outgoing mail, for "free".
They could have been the largest email provider.

But no one else wanted to do that for "free".

google won't do it for "free" either if they can't scan your email.

Re:gmail is what has broken email.

[DarkOx]

Well you have to look at the whole story though.

Consider all the vulnerabilities that have been found in MTAs, MDAs, and clients over the years. Then consider all the trojans and spam with tracking stuffs, etc. Google filters almost all of the later quite successfully, as to the former for many people and organizations it replaces all those things and so far the infrastructure has been well maintained and resistant to breaches (that we know of). Its also pretty carefully monitored. I suspect the ancient Sendmail install on that old SGI box at your ISP, could have sat compromised for weeks or months before anyone would have noticed in the years before GMAIL.

When you look at it from all sides its not so clear cut.

Re:gmail is what has broken email.

[Col.+Bloodnok]

Google is the main threat to the privacy of email today. Like Bruce Schneier observed, they want you to have email privacy from everyone except them.

I have an ancient gmail account which dates back to the early, early beta days (back when we had to swap invites on Slashdot). Somehow, every few months somebody new is able to register with the same user name, and I get all their messages delivered to my inbox. Their sent mail doesn't appear in my account, but everything else does.

Every facebook status message, itunes and amazon purchase, online dating message, and porn site registration.

Re:gmail is what has broken email.

[CronoCloud]

That means if I want to email them, Google IS the man in the middle. I can't easily email my friends without giving Google the contents of my email,

Who says you can't use PGP with gmail?

Re:gmail is what has broken email.

[GuB-42]

Are you joking? GMail is big but it if far from a monopoly. I'm not sure it is even the biggest.
In my personal contact list, about 20% have an @gmail address. At work there are almost no @gmail.
This doesn't cover gmail addresses hidden behind a domain name but most of the companies I worked with were self-hosted or worked with a related provider. For the rest, the biggest one seemed to be Microsoft, with Google as a distant second.
That's lots of anecdotal evidence but seeing this, I can't believe in a monopoly.

Re:gmail is what has broken email.

[Britz]

I disagree. Email is broken. Not Gmail. Snowden has shown that all email sent through the internet will be archived by at least two government agencies. Others, government or non government, may also save a copy. Email is inherently unsafe.

But if you use the same service on both ends, no one, except for the service itself, will ever see the mail. Or the fact that you send one at all. If you send something from one provider to the other, at least the NSA and two providers will have all the info. In Europe we also have data retention laws, which mandates that the isp will keep copy and make it available to local government agencies.

So sending from Google to Google means there is only one party in the know vs. 3-6 or even more parties. Apart from end to end, which no one uses (which means you can only communicate with yourself), the only way to better privacy and security is to use the same email service your partner is using. So you either keep a bunch of email accounts, or just use Google, since the majority of your contacts already use that.

Re:gmail is what has broken email.

[Patabugen]

Unfortunately just because all your friends use Gmail, doesn't mean that Google have a monopoly.

It's a few years old (I couldn't find anything newer), but at least among users who have signed up to mailing lists with Mailchimp Yahoo, Gmail and Hotmail were pretty much neck and neck in 2011.

http://blog.mailchimp.com/majo...

Wait, what?

[s.petry]

Some of you will have a hard time with this, but... why is the problem here with SMTP? Is it really that hard to understand that MAIL TRANSPORT is not compatible with HIDE MY STUFF? Good grief people, you can't truly be that ignorant.

Do you trust that anything you mail through the Post office, FedEX, UPS, or any other mail service is "Secure"? Do you believe it's impossible for people to know what's in your boxes because you use those services? I can provide you a list of drug dealers who thought so too, but they are jailed for that thought.

Want secure, use secure. Lotus Notes was friggin awesome for securing content. Nobody wanted to pay for it though, and all the cool kids were using Outlook because you could drag-n-drop audio files right into your email (also read fart noises). Many Writing applications have encrypt/decrypt features. Zip has it too, but generic standard email? Come on now.. it's a MAIL TRANSPORT and works very well as a mail transport.

If you somehow believe "Generic Transport" can also be "Secure", I got some ocean side property you may be interested in buying.

Re:Wait, what?

[Lab+Rat+Jason]

Agreed! I'm no email expert, but I've OFTEN wondered why we can't use decent endpoint encryption rather than trying to encrypt the transport... since 99% of all emails I send and receive are to the people I already know... it wouldn't be that hard to exchange keys with them in person. For all others, I can still choose to read email that isn't encrypted, and I can choose to reply, but it would be much easier to know secure vs. insecure if my mail client simply says "you haven't exchanged keys with this recipient, therefore your communications are not secure". Sure this precludes using web based clients... but that's actually not a big deal to me since 99% of my email is read from two devices, a phone and my home computer. Key exchange between the two would be trivial.

Re:Wait, what?

[tnk1]

You used "Lotus Notes" and "friggin awesome" in the same sentence. Are you trying to cause Skynet's brain to melt down through a logic bomb?

Notes may well have been secure, but it was probably the worst mail client that I have ever used, and that includes using 'mail' from the command line. It was horrific, absolutely horrific. It is one of the few software products that I considered leaving a job for when they employed it. Their usage of that product quite literally convinced me that the company hated the people who worked for it.

If they succeeded at anything, it must have been because the million monkeys that they used to write it actually managed to compose a line or two of Shakespeare while throwing around their feces in whatever cage they were working in.

It's not that no one wanted to "pay" for Notes, it's that no one wanted to pay to use something that they wouldn't even use if they were paid to use it.

Exchange and Outlook is not exactly virtuoso software, but you can actually use it to do your work with and not want to simultaneously kill yourself and everyone else in the general vicinity while you (are trying to) use it. If that combo doesn't do security well, it's probably because no one really cares enough about it. Outlook's sin was always in trying to make your life easier on you whether you wanted it or not. That sort of modus operandi is why it has been horribly insecure at times, but people actually used it. It erred on the side of letting you do things with it. I'm just glad I've never had to be an Exchange admin. I hear that can be shitty.

Re:Wait, what?

[bytesex]

Crypto in Lotus Notes was deliberately debilitated by the US to something ridiculous like a few tens of bits. Don't say that Notes was secure. The principle? Sure. The execution? Not so much.

Re:Wait, what?

[DarkOx]

Well the thing you have to remember about Notes is mail was a bit of an after thought. Notes was really about the 'databases'. You could rather easily develop very complex multi-user applications, with offline replication. That mattered a lot in the early 90's when you did not 'VPN' but dialed into home office. Notes replication was amazing.

From a technical perspective Notes is probably one of the more interesting software systems ever developed. It was born of a time when clients were pretty limited and it had to be somewhat backward compatible. Which always limits you options going forward.

Re:Wait, what?

[s.petry]

Your personal anecdote makes me believe that you have no knowledge or experience with the product and are just ranting. Comically, by falsely claiming I said "Lotus Notes is Awesome" in a general terms instead of what I said. Which you can go back and read.

Outlook lets you "work" and "Notes" stopped you and made you angry? WTF is your job exactly where you can't type in an editor if it's not the right brand? Don't answer that, I'm not sure we want you on a homicidal rampage having to type in a web client and use hand typed tags.. shesh.

Administration of Notes was a pain, and people hated directory structure back then.. of course when MS AD came out.. all that venom changed and LDAP was what all the cool kids used too.

Re:Wait, what?

[s.petry]

I was using Notes in the Military/DOD and it was using 128bit encryption before it was available to the public, so it depends on where you were. Remember that back in those days we had strict laws prohibiting export of any product with encryption built in that the Government did not approve. I remember 128bit encryption being slow as hell, so people complained when we moved from 56bit.

Re:Wait, what?

[tnk1]

I have both knowledge and experience with the product, unfortunately.

I'm not entirely certain how you go from Point A to Point B with me having no experience with it. Why would I hate it if I had never used it?

No, my experience using it is very, very real. Which leads me to ask if *you* have ever used it, because if you have ever used Notes for mail, you know it isn't the difference between merely an editor. Everything in the mail client was a hassle from adding recipients to actually sending the mail.

It occurs to me that I should point out, if you were an administrator, you may have felt differently about it, because it may have been decent to operate the server and I heard you could do some interesting things with applications with it. In this case, I was an end user of it and didn't care about anything other than sending emails with it. And that was a complete failure.

It taught me the valuable lesson that just because it may be easy to make applications out of, and relatively okay to administer, a piece of software is nothing if people hate using it for their work.

Mind you, we went from the admittedly limited, but relatively effortless use of a normal IMAP server and Netscape client for email to the intolerably bad Notes client. I was not a great lover of the old Thunderbird/Netscape stuff, but it didn't get in your way at just about every step. And there was no way to reconfigure it to make it easier.

Re:Wait, what?

[s.petry]

Sounds to me like if you used Notes, you used a poorly managed (if it was managed at all) implementation of Notes. I had some admin rights, but was not a Notes admin. The To, CC, BCC were/are no different than Outlook or other Mail clients. In fact, caching names and addresses from received mail was done in Notes long before other mail clients did it. It was simple to send mail to anyone, especially people who sent you mail, unless your admins turned things off or didn't set them up correctly..

Now, how do I know that your Notes implementation was poorly managed if at all? Because I saw both worlds. If the admins didn't set up search directories (LDAP, not file system) you had to memorize addresses. Even still, you could have as many address books as you wanted. We had Corp, MIL, and Personal by default but people could add others. Admins could control nearly every aspect of Notes. We had certain people who were not allowed to have a checkbox for "encrypt" because they were a security risk and were denied access. Everyone else had "encrypt" automatically selected for them. Administration of Notes was extremely powerful, but .. power does not mean people could do, or did do, what they should do.

The "We want Outlook" crowd was anti-everything else. Thunderbird, Eudora, etc.. were no different than Notes. Outlook people wanted to automatically open attachments, which everyone else knew was "bad" files as well as good files. That was the main difference from the "user" perspective. From the company side, it cost money to run Notes where Exchange and Outlook were free (up to a point).

Re:Wait, what?

[AmiMoJo]

When I send stuff through the post I hide it in an envelope. The envelope isn't very secure, it's not hard to steam open and it leaks metadata that is sent in plaintext on the front. Despite that, it's still useful and effective. It stops the government and the Royal Mail systematically reading every single letter.

Re:Wait, what?

[KGIII]

As we started to expand, I needed something quick and easy. I was also one of only a few people at that time. So... I hunted around and I even took a peek at a few different products. Lotus it was... It was, indeed, horrible. It also managed to break in some of the most unusual ways. Thankfully, I think I've burned out the brain cells that were devoted to Lotus knowledge.

Oh, it was "okay" when it worked. We didn't need much, small attachments, and the database was handy to access. We mostly abused the hell out of the messaging system as everything from file storage to sending cryptic (probably drunken) messages after hours that we were supposed to read and interpret in the morning. I got some memories with that old girl.

But yes, she was terrible. However, it worked - it worked for a surprisingly long time. Eventually we ended up moving on but it stayed in service for a very long time. In hindsight, I probably owe some people an apology. :/ But... It worked... Sort of... Most of the time and for some definition of 'worked.'

Re:Wait, what?

[KGIII]

Above, I was talking about Lotus. I was tasked with admin duties 'cause, well, it was mine. It was not *easy* to admin? Well, it was highly configurable (for the day) and not exactly always as clear as it could be. There was quite a bit of trial and error, RingTFM, and finding new and interesting ways to break it - albeit unintentionally. It had some neat ways to approach the data, I'll give it that. But I'm not sure I'd call it easy - it might be for people more skilled than I. I did not find it all that easy. It was also fairly fragile.

SSL to the spam firewall

[omnichad]

Great, so this gets you end-to-spam filter encryption. Anyone who has their email delivered to a 3rd-party for spam filtering could appear secure but would only be secure for the first hop. False sense of security.

Re:how we could move on to proper email encryption

[93+Escort+Wagon]

Using GPG seems pretty painless, at least on OS X.

The real problem with GPG is the same one you'll run into with S/MIME... almost nobody else is using it, which means all you can really do is sign your own messages.

Re:SMTP keyword: SIMPLE

[aicrules]

At least until they use they use that email notification to lure you to your toaster and detonate a small C4 charge!

STARTTLS broken, like UUCP maps

[jaredmauch]

I had someone contact me about my server -> gmail as I host a number of mailing lists and other technical resources. After much research it seems the only way to fix it is to hard code that gmail and other locations are to be encrypted vs the default opportunistic encryption of "if they offer it, try it".

There are a lot of things that should be addressed here to ensure data is properly encrypted, this is easy and a solvable problem but at least for postfix I had to enter some custom maps which the software should have solved for itself with the 'may' setting. I'm past the UUCP days, I don't want to maintain a map of who can do things and who can't. We need to solve this software not doing the right thing problem first.

Re:STARTTLS broken, like UUCP maps

[hr+raattgift]

I'm past the UUCP days, I don't want to maintain a map of who can do things and who can't

Let me refresh your memory about some aspects of what you're "past", on the perfectly reasonable assumption that I did a lot more UUCP routing than you (and really, more than practically everyone).

UUCP maps were just an out of band and not-very-frequent node-adjacency flood, which let one construct a graph from which one could extract directed acyclic subtrees using Dijkstra's SPF. Just like OSPF. Just like ISIS. The difference was in some details. Like ISIS, communication could be completely out of band (some sites got the maps newsfroups ON TAPE). Unlike ISIS or OSPF, maps could be flooded entirely arbitrarily and signed with PGP, even by multiple parties, including but not limited to the newsfroup admin and the site admin. The leaf connection syntax "site (SCALAR METRIC)" was also highly useful.

Later developments included the ".dom.ain" wildcarding system which allowed for abstraction across large numbers of sites (whole countries were in the later maps; for example, the Canadian maps aggressively sought to have sane gatewaying information for things under .ca, in NetNorth (part of BITNET) and in their ean X.400 research system)), although this was hardly a unique practice.

Finally, the maps were for routing hop-by-hop UUXQT messages, which were in actuality RPCs. Mail transport happened to invoke rmail as the remote procedure. News transport happened to invoke rnews as the remote procedure. Both were typically single-hop, but were not restricted to be (multihop uux/uuxqts was sometimes actually even used, rather than pulling things up a layer). There were experimental uses of arbitrary RPCs; at least one site sent DECNET mailer data via uux/uuxqt, and I know of one that sent SLIP via uux/uuxqt as well (SLIP over uux over uucp 'x' protocol over X.25, in fact. Gross things happened in the late 80s!).

The major deficiencies in UUCP maps are shared in the Internet's routing system: an advertised adjacency is not authority to use the adjacency in arbitrary ways; and scalar metrics are not especially informative (even with the macro system that let one specify HOURLY instead of an integer value).

However, the UUCP map update-and-distribute system were made more dynamic, it would be superior to what we have in the Internet today in just about every conceivable way. The only piece missing is a canonical representation of networks, and there is no need for that on day one. (On day one you could:

#... metadata with authority, validity, canonical location, etc.
AS65535 10.0.1.0/24(1), 10.0.2.0/24(2)
# ... metadata with authority, validity etc
AS65534 10.0.3.0/24(1)
#
AS65535 AS65534(10)
#Comment: no routing to ASes beyond AS65535 via AS65534
AS65534 <AS65535>(10)

This would be pretty trivial to automate, and it's easy to translate this sort of thing in and out of BGP4. Policy (preferred exit seleciton etc) is inevitably easier to encode in maps (or a database that is a map in all but name, e.g. the PRDB) than in a protocol like eBGP, which has been known since, well, since forever.

Re:STARTTLS broken, like UUCP maps

[jaredmauch]

My comment re: UUCP is having to manually configure for each site I want to distribute mail to. I'm not worried about STARTTLS stripping, I want to avoid building a full list I have to maintain manually. This is mostly a postfix issue (for me) that it's not aggressive enough in using the STARTTLS offered by the far-side.

ive got to agree.

[nimbius]

Ive run my own mailserver for quite some time as both a mark of hacker pride and a means of circumventing what has historically (until google started giving a shit because snowden made them) been a very lax SMTP ecosystem. I use the DJB curve primes, i use 256 bit tls 1.2, i use multifactor, but as for other mailservers? crypto doesnt seem to be even a slight consideration. ive had to leave it enabled opportunistically on my mailserver, however most of the time I fallback and dont use it.

Re:WTF? End-to-end encryption not even mentioned!?

[DarkOx]

How are you going to implement that for web mail exactly? Will you let the sever do it? That means Google gets to assert your identity, and if they ever get compromised we have a whole mess of people sending signed mail with signatures that may or may not be valid and we are back to a more or less unauthenticated situation.

You could have the client do with JavaScript but that still leaves the door open, if the server is compromised and sends an altered script how can you know?

You go the traditional install plugin route, but then web mail is no more portable than a fat client.

There just isn't actually a good answer for this. You can have secure E-mail or portable E-mail but not both.

This is going to be bad.

[PAjamian]

Google is trying to force servers to use STARTTLS encryption for port 25 MX traffic, this is all commendable, but they are giving their users a false sense of security. When gmail does not display the broken padlock it simply means that the first hop to the recipient's MX server supports STARTTLS, but mail is routinely stored in plain text queues on multiple servers, transmitted on in additional hops that are not necessarily encrypted, and even the first hop encryption often times uses self-signed certs or certs signed by non-authoritative CAs, so the message being sent, while being encrypted is still vulnerable to man in the middle attacks.

But Google is giving the impression that if that first hop offers STARTTLS, then the message will be sent securely and encrypted. This will result in people putting all sorts of credit card details and other information in their emails thinking (because Google said so) that the message is secure, when nothing could be farther from the truth.

Google needs to stop this right away, it's going to do way more damage than good. There is only one way to hide the content of an email from prying eyes and that is with properly implemented PGP encryption. There is no way to hide the meta (envelope) data from prying eyes. It is really important that people not be misled on this account.

Re:WTF? End-to-end encryption not even mentioned!?

[izat]

Second, Google is unwilling to provide such a plugin because it would interfere with the company's ability to scan e-mail and build advertising profiles.

Actually they were working on a PGP plugin for Chrome, though it's moving very slowly, possibly dead.

Re:WTF? End-to-end encryption not even mentioned!?

[buchner.johannes]

Use S/MIME, PGP, etc...
All the transport level stuff isn't going to protect your email or ensure it's not modified in transit (or at the destination or origin).

Gmail's help on their new icon:

If you see the red padlock while composing a message
Don’t send confidential material, like tax forms or contracts, to that email address.

Fuck that... if you're sending confidential email without encrypting the content, you're already screwed.

S/MIME & PGP do not hide the sender, receiver or the subject of the email (nor where you sent it from). That information is in the header, and only TLS or STARTTLS will hide it.

By the way, the TLS-SMTP problems are related to STARTTLS and stupid client software, but not TLS (but cert verification requires DNSSEC for either).

End-to-End

[ei4anb]

I downloaded the end-to-end code https://github.com/google/end-... built it and ran some tests. I reported one bug to them (no biggie, just a mismatch with some libs they depend on). They were quick to respond, update their build and thank me. However there hasn't been any activity there for months. Yahoo had joined in and said they were putting it into production (but I don't use their mail so I have not seen it).

Has anyone any idea what's happening with Google End-to-End ?

Re:End-to-End

[jonwil]

It wouldn't surprise me if the US government or the FBI or the NSA or someone have quietly leaned on Google and said "please stop working on this plugin of yours because it will make it harder for us to catch the terrorists and pedophiles and other bad people" with an implied threat of something more serious if Google didn't just drop it.

Re:WTF? End-to-end encryption not even mentioned!?

[MightyYar]

nobody should be using web based email.

At first I thought you were being sarcastic, but then realized that sarcasm makes no sense here. So you must be serious.

It's quite simple - use email for the 99.9% of your communications that does not need to be secure. Send your tax forms through a secure web site. Problem solved. Web email is still useful.

Re:WTF? End-to-end encryption not even mentioned!?

[CronoCloud]

How are you going to implement that for web mail exactly?

End to End with something like Mailvelope?

You go the traditional install plugin route, but then web mail is no more portable than a fat client. There just isn't actually a good answer for this. You can have secure E-mail or portable E-mail but not both.

People SHOULD be using "webmail" via IMAP with proper e-mail clients Then it's portable because there are mobile mail clients that can support PGP. So yes you can have portable secure e-mail, even on a phone or tablet.

You are doing it wrong

[gweihir]

You are calling for link-encryption. That is obvious nonsense for email. Proper email encryption is end-to-end and does not trust the transport at all.

Incidentally, this problem has been solved since 1991 with PGP.

Re:WTF? End-to-end encryption not even mentioned!?

[unrtst]

Great questions, and they all have answers already.

Webmail s/mime, pgp, gpg encryption: See https://www.mailvelope.com/, or https://www.penango.com/produc..., or similar products.

Alternatively (or in addition to that), Google could provide a javascript based solution. The private key storage would be an issue, but it could be held server side via zero knowledge encryption (ie. enter password on client side, get blob from gmail, decrypt client side). JS validation is also a solved problem, though it's ugly - basically, you just sign the javascript and then validate the signatures, but there is, of course, a bit more to it than that.

For almost all users on smart phones, they use a local client, and not webmail. Google could CERTAINLY implement S/MIME and pgp support there!

As of this moment, you can already do that with products such as R2Mail2 (https://play.google.com/store/apps/details?id=at.rundquadrat.android.r2mail2&hl=en).

You go the traditional install plugin route, but then web mail is no more portable than a fat client.

For this to be even partially true, you would have to assume that all received email is encrypted (rather than just signed).
Personally, I find the need to encrypt email to be rare, but the need to verify the contents (sign) to be useful almost all the time.
If the email is only signed, then you can still read all your email via webmail without a plugin. You can even verify the signatures without a plugin (with just javascript) because signatures do not rely on the recipients private key.
You could also still send unsigned/unencrypted email, so a dumb webmail client is still useful.

All that said, the goal would be to make the feature ubiquitous. Google ships chrome, and could ship the "plugin" as part of chrome. Firefox could add a similar feature. Both could use the existing password/key storage that is already built into the browsers. For users that are taking their security VERY seriously, they'll be using a dedicated client, and probably won't be using gmail anyway.

You can have secure E-mail or portable E-mail but not both.

Sorry, but you are wrong.

All that said, it's obvious that gmail isn't the party we should look to for these features. They need to read the contents of your email in order to pay for the service (targeted ads support the service). Part of the business model is being able to read your email, so you can forget about keeping your email private from them based on any solution they provide.

I am surprised that they haven't attempted to implement s/mime or pgp with server-side private key storage. While that would significantly reduce the security of those technologies, it would also significantly increase the security and privacy for all those that currently use clear text email (and especially their webmail service), and it would provide interoperability with existing real email clients implementing the same standards (outlook, thunderbird, alpine/pine, mutt, mail.app).

There's nothing wrong with them improving the state of server-to-server and client-to-server transport layer encryption but, on its own, it does not provide sufficient protection for the examples they provided.

You expected different?

[Khyber]

This company lives off of mining your data and violating your privacy. You expect them to allow you to fully protect your communications to the point where they can't figure out how to advertise to you?

Give me a fucking break.

Re:WTF? End-to-end encryption not even mentioned!?

[DarkOx]

The two products you pointed out are essentially plugins, they won't be installed on your friends computer and they wont be on the computer in the Hotel business center. Try again. People like web mail because they don't have to carry their own laptop everywhere they go.

For this to be even partially true, you would have to assume that all received email is encrypted (rather than just signed).

No, if you are not in a position to verify the signatures, and sign your replies we are back to essentially have no identity or integrity assurance at all. Only now the non technical person has to remember different rules are in effect when using the web interface than when using their client at home. That isn't a win, its a recipe for tears.

As to mobile devices you have a point, but who wants to compose a long form message on their cell phone, table maybe but not phone.

I still see it as either portable or secure, not both.

Re:how we could move on to proper email encryption

[CronoCloud]

While usage of gpg is low, signing does show people that you use it and can help them find your pubkey if it's on a keyserver.

Blog slashvertising ...

[BitZtream]

The story is from an author of utterly unknown email server software ranting about something he thinks he understands but doesn't, and the proceeds to tell us that the method he supports is the right one and all others suck ... If he weren't biased I might have ... Oh who am I kidding, dude doesn't know what he's talking about and utterly fails to understand how and why email is in the star it's in: hint ... Your shiny new feature breaks compatibility with far too many PAYING CUSTOMERS, so some random no name vendor like yourself doesn't mean jack shit.

No one who matters is going to go hard TLS until everyone of their CUSTOMERS supports it. Your new shiny tech that you think will solve the problem will do the opposite, and just make it take longer.

Re:WTF? End-to-end encryption not even mentioned!?

[Threni]

You're telling me that PGP is a serious contender for non-technical people to secure their communications? Seriously?

cert fumbling

[bfc0713]

Given they can't even maintain a steady pop.gmail cert I'm not expecting too much.

Re:You are naming it wrong (PGP)

The reason people don't use PGP is because of the name Pretty Good Privacy makes it sound amateurish (that and the initialism PGP is too similar to PHP). Maybe they could get more users if they called it Good Privacy or Very Good Privacy, but I know there's a local-maximum trust in there somewhere because I think trust would go down if they called it Excellent Privacy or Perfect Privacy.

IMO, more people would consider using it if it used an animal name or some name from mythology.

Re:WTF? End-to-end encryption not even mentioned!?

[jonwil]

You dont need a plugin, just implement encryption via JavaScript where the private key pairs are stored on the server but encrypted with a secret key derived from a password the server never sees. Server sends an encrypted blob to the client, client inputs a special password which then decrypts their keys.

All of the communication happens over HTTPS so man-in-the-middle replacement of the JavaScript cant easily be done.

Is it as secure as having a dedicated setup with keys stored in the client and a plugin on the local system? (or using a dedicated client with proper encryption support) No. But its much more secure than doing nothing.

Of course this leads to 2 problems for Google. First is that Google looses the ability to scan everyone's email and use that to feed people targeted advertising. And the second and more serious is that Google is now unable to provide emails when sent a warrant or a secret letter or whatever and then has to compromise the system for everyone so it can obtain the private keys of the user(s) the government is interested in (or do what Lavabit did and shut it down but I dont think Google can do that)

Re:WTF? End-to-end encryption not even mentioned!?

[unrtst]

I still see it as either portable or secure, not both.

There are a million shades of grey between the absolutes.
Phones are portable, and can be secure, as you noted (and in so far as a phone can be secure).
Moving yourself between random 3rd party computers with who knows what running on them and checking your webmail from them... yeah, that's never going to be very secure.
Moving between multiple devices you own... you can certainly use a local mail client, or a plugin, or a javascript implementation with zero knowledge encryption holding the private bits.
Moving between devices you do not own, but aren't entirely untrustworthy (ex. a friends computer), it'll depend on the situation (maybe he has the plugin installed already and you're carrying your usb key with your private bits? maybe he creates a guest account on his computer for you? maybe you use the 100% javascript solution and the zero knowledge encryption to pull your key from an encrypted blob stored online somewhere?). There are option.
And, maybe you consider the server-side s/mime implementation as another possibility. While partially compromising the security of your private key, it's still adding a significant amount of security and verification.

Your duality statement could easily be exaggerated to, "something is either online or secure, not both". You've gotta draw your lines somewhere, but there are multiple end-to-end email encryption solutions that will greatly improve the privacy and verification of email through webmail far more than the TLS work that the article mentions.

Re:easy encryption

Imagine if you could actually write good clean documented code!

Good example of how not to code.
- no useful comments
- the only two comments conflict with each other
- no line breaks before "if" constructs or after "else" constructs
- assumes existence of files for which it doesn't check existence
- doesn't check status for execution of openssl commands

Not bad for a six-year old.
M

Re:WTF? End-to-end encryption not even mentioned!?

[Bert64]

They could at the very least provide signing, and verification of externally signed messages... If people started getting used to all messages being signed then phishing scams would become a lot less effective, and the presence of a signature doesn't have any negative side effects on anything else.

Re:WTF? End-to-end encryption not even mentioned!?

[Bert64]

The point is not to encrypt email during transit. The point is to encrypt e-mail at all points between the correspondents. The mail should be encrypted clientside and remain encrypted while at rest on the servers as well as during transit. S/MIME and PGP/GPG do that. Encrypting only during transit means that plaintext is sitting around waiting to be hoovered up by Google (for ad profile building) and whatever other parties (NSA, hackers, etc) have access to Google's servers.

In an ideal world yes, but for now having mail thats encrypted whenever it traverses the internet and is cryptographically signed so you can verify the recipient is an improvement. Yes this requires trusting google (which users already have to do anyway), or not - you're free to use a different email provider and/or do all the crypto client side if you want.

Re:WTF? End-to-end encryption not even mentioned!?

[jonwil]

Not if the passphrase is manipulated using something like argon2 or scrypt that are specifically designed to make brute-forcing the password/key difficult and computationally expensive.

I doubt even the NSA has the computational horsepower to crack the best of these schemes in a reasonable space of time (if you have the parameters set really high that is)

Re:WTF? End-to-end encryption not even mentioned!?

[Bert64]

So you're saying that...

1, users would need to trust google (but clearly they already do or they wouldn't be using their mail service)
2, the worst case (google getting hacked) would be no worse than the current status quo.

So basically email signed/encrypted by google would be better than what we currently have, but not ideal. And users are free to pick a different provider and/or do proper client side crypto but most simply don't bother. If gmail started implementing pgp or s/mime even server side and started prominently showing when mails are signed or encrypted then it would massively increase usage and awareness which could only be a good thing.

Re:WTF? End-to-end encryption not even mentioned!?

[Bert64]

Well by portable i guess they mean that it can be accessed from any device without needing to install a client (ie from your work desktop)... From a mobile device that you control is entirely different as you can install whatever encryption tools you want on there.

While webmail can be convenient, it's also dangerous not only because of the lack of end to end encryption but also because its primary utility (ie logging in from a random place) is its biggest danger - how do you know who's monitoring any given random box you might use?

Re:WTF? End-to-end encryption not even mentioned!?

[Bert64]

When it comes to mobile, apple already implement s/mime on ios although configuring it is not as simple as it could be (ie even if you have mail accounts synced from a mac it can't automatically transfer your keys).

Re:WTF? End-to-end encryption not even mentioned!?

[Bert64]

You can as a minimum implement verification of signatures into a webmail client, as that can all be done server side...

Users already have to (or should) remember that there's different rules when accessing webmail, in fact you shouldn't be accessing the webui from random machines if you value security at all. You should always carry your own portable device, and access your mail from there.

Re:WTF? End-to-end encryption not even mentioned!?

[Bert64]

If you're concerned about google reading your mail then such a system wouldn't work, while in theory the javascript performs all its work client side there is nothing stopping them changing the javascript to submit your passphrase to the server. Unless you're going to thoroughly inspect the javascript every time?

Re:WTF? End-to-end encryption not even mentioned!?

[Bert64]

Because the key is a private key with a public key counterpart, while the passphrase is a symmetric key for decrypting (in this case the main private key)... If you have the public key its easier to attack the private key, so the private key generally needs a much larger keyspace to provide an equivalent level of assurance to a symmetric key.

Re:WTF? End-to-end encryption not even mentioned!?

[jeremyp]

In an ideal world yes, but for now having mail thats encrypted whenever it traverses the internet and is cryptographically signed so you can verify the recipient is an improvement.

Not really. With SMTP you have no control over which MTAs the email gets queued on before it gets to the recipient. If the content is not encrypted, it will be on those untrusted servers in plain text for some (hopefully very short) period of time before it gets routed to the next server.

Re:WTF? End-to-end encryption not even mentioned!?

[houghi]

PGP is great. It has one slight issue: you do not see it anywhere. The reason? It is not pre-installed.

It would be trivial to add it to Outlook, Gmail, Hormail and any other mail service or program by default. Now it needs action on the users side.

I would like Email to have PGP by default. Not to hide any content from others (because two people is one to many to keep a secret) but sender verification. Is it my bank that send me the email, or SpammerJohnny who found out you can make your own From in Outlook?

If it would be included by default in email programs, it would be uses. Not by 100% and some would turn it off, but by enough to get others to use it.

It could solve a LOT of the spam email issues, especially phishing mails. No, it will not solve everything; it will be better then what we have now: nothing.

I am not going to hold my breath. It will never happen. At most, each will try to push their own system that willl not work, leaving us worse with what we have now: nothing and no way to improve it.

Re:easy encryption

[chihowa]

As someone who just inherited a huge repo full of uncommented code with nondescript variable names (A, B, C...) and no error handling, I have to say that the parent comment isn't scored high enough. Posting crap like that on the internet does nobody any good. Even if it is short enough to understand, poorly written code is especially intolerable if the subject is cryptography.

(Anyone who says that their code documents itself hasn't tried waiting a year and then trying to figure out why their undocumented code doesn't handle some edge case.)

Re:But what problem does this solve?

[fuckface]

FUCKING PIECE OF SHIT SLASHDOT LOGGED ME OUT. THIS IS MY COMMENT. FUCK YOU SLASHDOT. I'M SICK OF YOUR SHIT.
And fuck you for saying I'm yelling! And fuck you for saying I'm yelling! And fuck you for saying I'm yelling! And fuck you for saying I'm yelling!

A really really bad idea

[allo]

Yeah, start teaching the users, that something is secure, if a lock appears INSIDE the website (or insecure, if its a broken lock). Because err nobody would ever use this to tell the user the fake banking website is as secure as the email on gmail.

Re:You are naming it wrong (PGP)

[allo]

People use computers, which are named like fruit. And operation systems from companies, which are named like some detergent. Their text processor's name implies you may only write one word and so on.

Nope, names aren't important. Ask the novice users, if they even know, what PGP means.