Fog Creek Software
Discussion Board

Perfect e-mail encryption

The problem with e-mail encryption is that it's hard to use - you have to click encrypt / decrypt buttons, etc.

There should be an automated program which should automatically encrypt ALL the e-mail that goes to a certain contact, and also automatically decrypt ALL the e-mail that I get from that contact.

I run a company, and as long as I take care not to get infected with trojans and to patch all security issues, I consider my computer to be "the safe part".

There is no problem if the e-mail are stored in clear text in my e-mail program. In fact, it is an advantage for me to store the e-mails in clear text, because I can find them easily and quickly.

BUT the e-mail I send to my partners is no longer safe - it passes through the network, and the network admin can look at the e-mail, and steal my precious commercial secrets. :-)

So, there should be a system that:

- when sending e-mail to certain contacts, automatically encrypt the e-mail, then send it

- when receiving e-mail from certain contacts, automatically decrypt the e-mail, then put it in Inbox

This could be achieved using a POP3 proxy and a SMTP proxy.

For every contact, the system should store a separate encryption key.

The implementation is not that hard!

And the one who implements this system will make millions selling it to companies and individuals who want their e-mails to be really private, without working to encrypt each e-mail separately!

A PGP based system, such as The Bat! ( ) usually offers "one-click encryption" - you just click a button, and the message will be encrypted when sending.

But - HUGE mistake (from my point of view), instead of saving the message in "Sent Items" in clear text form, it saves the message in encrypted form!

And there is no way to decrypt it because I don't know the private key of the contact I sent the message to!

So, a PGP system, at least how it's implemented in The Bat!, is practically useless.

An "automatic security" system, like the one I described, is MUCH better for most users!

Monday, May 26, 2003

So what you need is a symmetric key-based wallet to encrypt what you store on your inbox/outbox. But at the last moment of clicking send having them sent using PGP?

Li-fan Chen
Monday, May 26, 2003

- perfect?
- makes me laugh

Monday, May 26, 2003

> So what you need is symmetric key-based wallet
> to encrypt what you store on your inbox/outbox. But
> at the last moment of clicking send having them
> sent using PGP?

No. I need all the messages to be stored in Inbox and Outbox in CLEAR TEXT, that is, NOT ENCRYPTED.

When sending an e-mail, the mail program or proxy should think "Aha, you are sending this e-mail John, I have John's public key, so I encrypt the e-mail automatically using John's public key, and then send it".

And (very important) it should put the message, UNENCRYPTED, in the "Sent Items" folder, so I can read it, search for it later, etc.

When I receive an encrypted e-mail, the e-mail program should say "Aha! Here's an encrypted e-mail I'm receiving - so I automatically decrypt it and put it in Inbox".

This way, I work with e-mail normally, without minding the encryption - the encryption and decryption of e-mails happens automatically when I send and receive them.

The encryption is thus TRANSPARENT - I work as if there is no encryption, but the e-mail program encrypts and decrypts the messages for me.

Each contact has a separate public key, stored in my program's configuration.

There are several key advantages to this scheme:

1. I work with e-mail easily, because the encryption is transparent and doesn't get in my way at all

2. the communication is secure, so if Johny B. Admin from my ISP wants to read the e-mail, he can't

I consider that (1) is the KEY ADVANTAGE of this scheme.

The e-mail in my mail client is NOT encrypted - I can work with it, search it, etc.

Of course, if Danny B. Punk blasts through my door at night and steals my computer, or if Michael B. Haxor hacks it, he can read my e-mails.

But I have a reasonable protection against these kinds of things: I patch my systems and keep an eye on security, and I have implemented physical security measures.

This is why I consider the ability to have transparent encryption (and not in-your-way encryption) to be a great advantage - a great asset.

Now, the only reason I haven't implemented this using a POP3 and a SMTP proxy is that I don't have the time - I'm busy with other projects.

Monday, May 26, 2003
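The "Aha! Here's an encrypted e-mail" step in the post above needs a concrete test before the proxy can hand anything to a decryptor. As an added example (not code from this thread or from any product it mentions), here is how a POP3 proxy could classify a fetched message using only the Python standard library: PGP/MIME as defined in RFC 3156 is the reliable form, inline armor in a text/plain body is a heuristic. The three sample messages and their filler "ciphertext" are constructed; decryption itself would be handed to an OpenPGP implementation and is outside the example.

```python
"""Inbound classification for a transparent POP3 proxy (added example)."""
import email
from email import policy

PGP_MIME, PGP_INLINE, PLAIN = "pgp-mime", "pgp-inline", "plain"
ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


def classify(raw: bytes) -> str:
    """Return PGP_MIME, PGP_INLINE or PLAIN for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/encrypted":
        # RFC 3156: exactly two parts, the first a control part whose body
        # says "Version: 1", the second the octet-stream ciphertext.
        parts = list(msg.iter_parts())
        if (msg.get_param("protocol") == "application/pgp-encrypted"
                and len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and parts[1].get_content_type() == "application/octet-stream"):
            return PGP_MIME
    # Inline armor: look only at the text/plain body (never at attachments)
    # and require an END marker after the BEGIN marker.  This is a heuristic;
    # a reply that quotes an armored block matches too, which is one reason
    # PGP/MIME is the form a proxy should prefer.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content()
        start = text.find(ARMOR_BEGIN)
        if start != -1 and text.find(ARMOR_END, start) != -1:
            return PGP_INLINE
    return PLAIN


# Constructed sample messages; the armored bodies are filler, not ciphertext.
PGP_MIME_SAMPLE = b"""\
From: alice@example.org
To: bob@example.org
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="b1"; protocol="application/pgp-encrypted"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkRmlsbGVyTm90UmVhbENpcGhlcnRleHQ=
-----END PGP MESSAGE-----

--b1--
"""

INLINE_SAMPLE = b"""\
From: alice@example.org
To: bob@example.org
Subject: contract
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkRmlsbGVyTm90UmVhbENpcGhlcnRleHQ=
-----END PGP MESSAGE-----
"""

PLAIN_SAMPLE = b"""\
From: carol@example.org
To: bob@example.org
Subject: lunch?
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place.
"""

if __name__ == "__main__":
    for label, sample in (("pgp/mime", PGP_MIME_SAMPLE),
                          ("inline", INLINE_SAMPLE),
                          ("plain", PLAIN_SAMPLE)):
        print(f"{label:9s} -> {classify(sample)}")
```

A proxy would run classify() on every fetched message, pass the two PGP results to the OpenPGP implementation, and deliver PLAIN messages untouched; a message that is multipart/encrypted but fails the RFC 3156 shape check is deliberately left alone rather than guessed at.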

The only reason email readers with encryption support don't always work the way you described is because it would be ignoring the threat model. But there are benefits to having a plain text inbox and outbox I suppose. For example to let a 3rd party spam filter do its work. But as long as a symmetric encryption exists on the inbox and outbox... an appropriate API provided by the cipher toolkit or the email reader itself will allow you to export / search for anything you need anyway. But anyway, good luck finding what you need :-)

Li-fan Chen
Monday, May 26, 2003

> The only reason email readers with encryption support
> don't always work the way you described is because it
> would be ignoring the threat model.

I think what I described is completely (but not very easily) achievable.

> But there are benefits to having plain text inbox and
> outbox I suppose.

I would like to detail further:

1. I am not afraid to have the e-mail unencrypted on my hard-disk, because I have strong anti-hacker security (a good firewall maintained by a competent admin) and good physical security.

I consider that having them unencrypted is a BENEFIT - I can search quickly, etc.

2. I am VERY afraid of sending the e-mails, unencrypted, over the Internet, to work partners, because the admin at the ISP can easily read my e-mail

The problem with this is that it's not an easily detectable crime.

The ISP admin can easily read the e-mails and use (to his benefit) the information in them without EVER getting caught.

So, the messages should be encrypted when they are in the Internet, but should be completely plain text when they are on my machine.

And the encryption should be completely transparent, so it doesn't get in my way.

Monday, May 26, 2003

Something like this perhaps?

Monday, May 26, 2003

This sounds like a reasonable program, but we've all had that OOPS where we accidentally send something we weren't intending on sending.

I'd prefer it if I was responsible for that oops and not my server. "Oops, you sent it to and not so I'm not going to encrypt it." or "Oops, you sent it to I'm not going to encrypt it."
Monday, May 26, 2003

Having unencrypted emails sitting in your inbox/sent items on an Exchange Connected Outlook client is no good either.

It is trivial for the Exchange Administrator to snoop your mailstore if you are in fact using MAPI (i.e. Exchange connected Outlook)

It would seem to be a benefit to have your "stored" mail encrypted, else, archive it off to a local PST file and access it only when you need it, and delete it from the Exchange mail store

AC for Now
Monday, May 26, 2003

> Having unencrypted email's sitting in your inbox/sent
> items on an Exchange Connected Outlook client is no
> good either.

I understand that most people in enterprises use Outlook, but I use another e-mail client (which I consider much better than Outlook), and I use only POP3 and SMTP.

So, a POP3 and SMTP encrypted proxy would be fine!

Tuesday, May 27, 2003

I see where Cayce is coming from and AC makes a good point.  Perhaps, the solution is that while the mail is encrypted in my folders, opening it does decrypt it automagically.  Search tools would then be able to engage the same functions to decrypt while searching.

It would seem in this day and age, encryption and compression should be automatic in email and it should require an effort to deactivate it. 

Mike Gamerland
Tuesday, May 27, 2003

Archiving to a local PST is a good idea.... Just a couple of points.

You can set up archive folders on the local drive. You can also password protect said local archives. That way, whenever you start up Outlook/open archive, you are prompted for a password.

Outlook protection is PATHETIC though!! I discovered this not too long ago when I was spring cleaning my machine. All you need to do is change the filename of the .PST file, and you LOSE the PROTECTION. That's it. No fancy cracks. Just change the filename.

Whichever moron designed that protection scheme should be shot, and fed to the pigs. Shoot the pigs, and chop them up, just for good measure!!!

Tuesday, May 27, 2003

You can read encrypted messages in "Sent Items" if you have turned on the "encrypt-to-self" option.

Tuesday, May 27, 2003

But when you transfer the messages from the SMTP or POP3 server to/from your client wouldn't a "bad guy" potentially be able to read your message in clear text? If so that kind of defeats the purpose of encryption. I know you probably have internal SMTP/POP3 servers BUT this still is a risk. Security experts will quickly point out the fact that most known hack attacks have come from within an organization (that includes rooted boxes within your organization compromised by outside attackers). When you build a secure system it should not rely on outside assumptions of security.

Ian Stallings
Tuesday, May 27, 2003
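The hop Ian describes is a separate layer from the message encryption: OpenPGP protects the body end to end, while the POP3 and SMTP sessions between the client (or proxy) and the servers still carry passwords, headers and any messages that were not encrypted, in the clear unless the hop itself is protected. As an added example (not code from the thread), here is the transport-layer configuration a proxy or client would apply to that hop in Python; host names and credentials are placeholders and nothing is contacted when the module is imported.

```python
"""TLS for the client-to-server mail hop (added example)."""
import poplib
import smtplib
import ssl


def mail_tls_context() -> ssl.SSLContext:
    """Verify the server's certificate chain and host name; refuse pre-1.2 TLS."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """The check to make on any mail client's TLS settings before trusting it."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def pop3_message_count(host: str, user: str, password: str, port: int = 995) -> int:
    """Fetch over POP3S (implicit TLS) so the password never crosses the wire in clear."""
    pop = poplib.POP3_SSL(host, port, context=mail_tls_context())
    try:
        pop.user(user)
        pop.pass_(password)
        count, _size = pop.stat()
        return count
    finally:
        pop.quit()


def smtp_session(host: str, port: int = 587) -> smtplib.SMTP:
    """Open a submission session and refuse to continue if STARTTLS is not
    offered, instead of silently falling back to clear text."""
    smtp = smtplib.SMTP(host, port)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.quit()
        raise RuntimeError(f"{host}:{port} does not offer STARTTLS; not sending in clear")
    smtp.starttls(context=mail_tls_context())
    smtp.ehlo()   # re-read capabilities over the now-protected channel
    return smtp


if __name__ == "__main__":
    # Placeholder host; replace with a real server to exercise the fetch.
    print("strict context:", context_is_strict(mail_tls_context()))
```

Transport protection of this kind covers the hop Ian is worried about and the metadata that PGP/MIME leaves in the clear (Subject, To, From), but it ends at the server: only the message-level encryption the thread is about protects the content from the ISP's mail server onward.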

This sounds like a cool idea, but many of you are shooting it down because it's not a 'perfect encryption' scheme, but rather a 'highly usable' scheme with some known holes.

If you trust your local network and local machine, it's fine to have everything decrypted there. Or you could have everything 'decrypted' but stored on an encrypted filesystem to protect against physical theft.

Again, if you trust your local network, you can run a mail proxy on the local network. It's the 'outside world' (ISP, not local mail admin) who's not being trusted here.

The problem with the invisibility and usability is that you never know when things are encrypted or not, so when you send to John vs. john, you accidentally send plaintext.

Thus I'll claim email client integration is the right place for it, not a proxy. It could do something like change the color of resolved names to indicate 'resolved with public key', then encrypt on send. This should be quite easy for a client, though I don't know how easy it would be to extend any particular mail client.

Receipt decryption could be done transparently, however you again would want some indication that the message indeed came from who it claims, but I'm not sure the original poster is afraid of remote mail authentication issues.

The many holes are probably why you're going to have a hard time finding the product: obsessed people will look down on those who want to trade holes for usability, and corporate lawyers will be afraid for the same reason (that's why you end up with worse-than-useful 'all attachments are viruses' dialogs).

Tuesday, May 27, 2003

(btw receipt above means 'on arrival', not a token acknowledging the receipt of something)

Tuesday, May 27, 2003
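The "John vs. john" problem in the post above is really a policy question for the proxy: what it does when a recipient has no key. As an added example (not code from the thread), here is an outbound policy for the SMTP proxy that fails closed, keeps the plaintext copy for "Sent Items" as the original poster wants, adds the sender's own key as the "encrypt-to-self" reply suggests, and builds the RFC 3156 PGP/MIME container using only the Python standard library. The keyring, addresses and the non-encrypting stand-in for the OpenPGP call are all constructed for the demo.

```python
"""Outbound policy and PGP/MIME packaging for a transparent SMTP proxy.

Added example.  Per message the proxy takes the envelope recipients (RCPT TO,
which is also where Bcc lives), looks each one up in a per-contact public-key
table, refuses the whole message if any recipient has no key, and otherwise
hands the plaintext to an OpenPGP implementation (injected as a callable) and
wraps the result in the RFC 3156 multipart/encrypted container.
"""
import base64
import email
from dataclasses import dataclass, field
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.utils import parseaddr
from typing import Callable, Dict, List


def normalize(addr: str) -> str:
    """Look keys up on the lower-cased bare address.  RFC 5321 allows a
    case-sensitive local part, but a key table that keeps John@ and john@
    apart is exactly how one of them ends up with no key."""
    return parseaddr(addr)[1].strip().lower()


@dataclass
class Plan:
    action: str                    # "encrypt" or "refuse"
    key_ids: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)
    plaintext: bytes = b""         # copy for Sent Items, never the wire copy
    wire: bytes = b""              # what is forwarded to the SMTP server


def wrap_pgp_mime(original, ciphertext: bytes) -> bytes:
    """RFC 3156 container: a control part saying Version: 1, then the armored
    ciphertext as application/octet-stream.  Only routing headers are copied;
    note that Subject stays in the clear in PGP/MIME."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name in ("From", "To", "Cc", "Subject", "Date", "Message-ID"):
        for value in original.get_all(name, []):
            outer[name] = value
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                                 _encoder=encoders.encode_7or8bit))
    outer.attach(MIMEApplication(ciphertext, "octet-stream",
                                 _encoder=encoders.encode_7or8bit,
                                 name="encrypted.asc"))
    return outer.as_bytes()


def plan_outbound(envelope_from: str, envelope_rcpts: List[str], raw: bytes,
                  keyring: Dict[str, str],
                  encrypt: Callable[[bytes, List[str]], bytes]) -> Plan:
    """Decide what the proxy does with one message the client wants to send."""
    rcpts = sorted({normalize(r) for r in envelope_rcpts})
    missing = [r for r in rcpts if r not in keyring]
    if missing:
        # Fail closed: answer the client with an error instead of forwarding
        # plaintext to the server because one address had no key.
        return Plan(action="refuse", missing=missing, plaintext=raw)
    key_ids = [keyring[r] for r in rcpts]
    own = keyring.get(normalize(envelope_from))
    if own and own not in key_ids:
        key_ids.append(own)        # encrypt-to-self for the wire copy
    original = email.message_from_bytes(raw)
    # What gets encrypted is the MIME body part (content headers + body);
    # the routing headers travel in the clear on the container.
    inner = email.message_from_bytes(raw)
    for name in list(inner.keys()):
        if not name.lower().startswith("content-"):
            del inner[name]
    wire = wrap_pgp_mime(original, encrypt(inner.as_bytes(), key_ids))
    return Plan(action="encrypt", key_ids=key_ids, plaintext=raw, wire=wire)


def fake_armor(plaintext: bytes, key_ids: List[str]) -> bytes:
    """Constructed stand-in for the OpenPGP call.  It does NOT encrypt; it only
    produces armor-shaped output so the container can be inspected."""
    body = base64.b64encode(plaintext).decode("ascii")
    return ("-----BEGIN PGP MESSAGE-----\n\n" + body +
            "\n-----END PGP MESSAGE-----\n").encode("ascii")


# Constructed contact table and message for the demo.
KEYRING = {"john@example.org": "KEY-JOHN", "me@example.org": "KEY-ME"}
RAW = (b"From: me@example.org\r\nTo: John@example.org\r\nSubject: figures\r\n"
       b"Content-Type: text/plain\r\n\r\nQ2 numbers are in the attached sheet.\r\n")

if __name__ == "__main__":
    for rcpts in (["John@example.org"], ["john@example.org", "jon@example.org"]):
        plan = plan_outbound("me@example.org", rcpts, RAW, KEYRING, fake_armor)
        print(rcpts, "->", plan.action, plan.key_ids or plan.missing)
```

The refusal is the important design choice: a proxy that quietly forwards plaintext when it finds no key reproduces exactly the accident the post describes, whereas one that bounces the message back to the client turns the mistake into something the sender sees before anything leaves the machine.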

Very interesting comment and information!

Answers to some of the issues described above:

1. My machine and my network are 100% trusted (by me).

2. The outside world (that is, the Internet and the ISP I use to connect to the Internet) are NOT trusted.

Why the ISP and the Internet are not trusted:

The admin of the ISP can very easily read the e-mails passing through the ISP, and even search for keywords.

What's worse, is that this is an "EASY CRIME" - you can do it easily, and the chance of getting caught and being punished is close to 0% (if you are at least a half-competent admin).

A thief coming to my company, breaking in and stealing my computer has maybe a 50% chance of being caught and serving a LONG time in prison.

An "information thief" hired as an admin at the ISP we use can read all the information I send in e-mail, and has a maybe 0.1% chance of getting caught and being punished.

This is why I am not so afraid of the "break down the door" attack (in fact, as an honest citizen, I have the Police on my side), but I am very afraid of a "sneaky admin-at-ISP" attack.

Tuesday, May 27, 2003

"as an honest citizen, I have the Police on my side"
Jails are full of honest people.

Simply run a local mailserver and have that encrypt your mail. IMO that is something that should be a standard feature. You may have to write code for it.

Wednesday, May 28, 2003
