The state of email encryption
Encrypting with Webmail
Some webmail systems are behind the times in providing comprehensive encryption. The Mailvelope browser plugin [7], which is available for Chrome, Edge, and Firefox, adds OpenPGP communication to webmail. It runs locally in the user's web browser and detects when the provider's webmail interface contains a PGP-encrypted email. It then decrypts the message, replaces the encrypted contents on the web page with the plaintext, and displays the result.
Mailvelope can also send encrypted email. Before a message written in plaintext is sent on its way, Mailvelope encrypts it locally and only then hands it to the provider's webmail system. The process seems good at first glance, because decryption occurs locally on the user's computer. However, security experts have criticized the implementation of Mailvelope as a browser plugin: it leads to the sensitive PGP key material being stored in the browser's plugin storage, which cannot be fully protected. In addition, JavaScript is not considered suitable for implementing secure cryptography.
Implementations such as the Guard system of the Open-Xchange groupware solution [8] take a somewhat different approach. These solutions store the key on the provider's server, where a password entered by the user protects it against unauthorized access. The server takes care of encryption and decryption, removing the need for a browser plugin. This means that users can access their own mailboxes from other computers at any time, even when they are on the road.
Conclusion
Cyber snoopers are more sophisticated than ever, which means there has never been a better time to get familiar with email encryption. However, as this article has shown, you can't just install SSL/TLS or PGP and expect a safety guarantee. It pays to consider the details and look closely at what you need to ensure your messages remain private.
Whether trusting your email provider offers you more security, or whether you are better off keeping your own key on your private PC, is a matter for every user to determine. But either way, in view of the recent wave of virus and ransomware attacks, it pays to be cautious.
Infos
- [1] DANE: https://datatracker.ietf.org/doc/html/rfc6698
- [2] TLSA generator: https://ssl-tools.net/tlsa-generator
- [3] WKS/WKD: https://wiki.gnupg.org/WKD
- [4] S/MIME: https://en.wikipedia.org/wiki/S/MIME
- [5] Volksverschlüsselung: https://volksverschluesselung.de [In German]
- [6] Fraunhofer Institute: https://www.fraunhofer.de/en.html
- [7] Mailvelope: https://mailvelope.com/
- [8] Open-Xchange: https://www.open-xchange.com/