The state of email encryption

Encrypting with Webmail

Some webmail systems are behind the times in providing comprehensive encryption. The Mailvelope browser plugin [7], which is available for Chrome, Edge, and Firefox, adds secure OpenPGP communication to webmail. It runs locally in the user's web browser and detects when the provider's webmailer contains a PGP-encrypted email. It then decodes the contained email, exchanges the contents of the web page for the unencrypted message, and displays the message.

Mailvelope can also send encrypted email. Before a message written in plaintext is sent on its way, Mailvelope encrypts it locally and only then transmits it to the provider's webmail system. The process seems good at first glance, because decoding occurs locally on the user's computer. However, security experts have complained about the implementation of Mailvelope as a browser plugin: it leads to the sensitive PGP key material being stored in the browser's plugin area, which cannot be 100 percent protected. In addition, JavaScript is not considered suitable for implementing secure cryptography.

Implementations such as the Guard system of the Open-Xchange groupware solution [8] take a somewhat different approach. These solutions store the key securely on the provider's server, and a password entered by the user protects it against unauthorized access. The server takes care of encryption and decryption, removing the need for a browser plugin. This means that users can access their own mailboxes from other computers at any time, even when if they are on the road.

Conclusion

Cyber snoopers are more sophisticated than ever, which means there has never been a better time to get familiar with email encryption. However, as this article has shown, you can't just install SSL/TLS or PGP and expect a safety guarantee. It pays to consider the details and look closely at what you need to ensure your messages remain private.

Whether trusting your email provider offers you more security, or whether you are better off keeping your own key on your private PC, is a matter for every user to determine. But either way, in view of the recent gamut of virus and ransomware attacks, it pays to be cautious.

The Author

Peer Heinlein is responsible for running business-critical Linux infrastructures with his company Heinlein Support. Specializing in mail services since 1992, he wrote the Postfix book and is responsible for the mail servers of many ISPs, data centers, and enterprises. His own mail provider, Mailbox.org, specializes in data security and privacy.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Ask Klaus!

    SSL Encryption and Signature Compilation

  • Ask Klaus!

     

  • Safe Messaging with TLSA

    Decoupled application design gets in the way of secure communication, but a little known feature of DNS can provide message security.

  • Encrypting Email

    The leading email applications include new features for helping users secure and authenticate their mail messages, but each tool has a different approach to handling tasks such as signing and encryption. This article describes how to add encryption and digital signatures to the Thunderbird, Kmail, and Evolution mail clients.

  • Thunderbird Security

    Thunderbird offers several options for secure email, and the GnuPG-based Enigmail encryption add-on provides an additional layer of protection.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News