Menu Sign In Contact FAQ
Banner
Welcome to our forums

What's happened to secure email?

This is definitely not aviation related

Almost 30 years ago, when email (such as it was) was passing through a load of university computers and anybody could read it, myself and others were using the then new PGP to encrypt emails.

Today, I am still forced to go through the complicated process of logging onto a website of a financial institution, just to retrieve some letter they say they have written to me…

Over the years, there were some isolated attempts to make email work. About 20 years ago I knew a German guy who was able to email with his bank using PGP. His bank manager was clearly clued-up…

One can get encryption plug-ins for M$ Orifice (for Outlook, mainly) but nobody I have ever come across uses them. Also a lot of people don’t use Outlook, not least because it has become a virus magnet.

Why has the world gone backwards?

Is it because outfits like Verisign have been charging too much for certificates, and you do have to be sure the public key really belongs to the purported owner.

We have just lost £2k to a scammer, via the old “our bank details have changed” scam, and all that stuff would be avoided if emails were authenticated, regardless of encryption. But perhaps 99% of email senders can’t be bothered to use even DKIM which does certify an email as genuine from the domain which it purports to come from.

Administrator
Shoreham EGKA, United Kingdom

Gmail is normally very good at flagging emails sent in “fishy” ways. I know of several organisations fairly paranoid on cybersecurity and are using it

Last Edited by Noe at 10 Aug 21:30

Gmail loses a lot of genuine emails however (some previous threads on this). But what I was getting at more is why email security (both authentication and encryption) has not really happened on a broad scale.

Administrator
Shoreham EGKA, United Kingdom

I think the genuine emails from EuroGA were lost because of a bad config on the senders side (posted by someone here and since then it has never happened). It use it both at work and personally (both google apps) and have never got a genuine email in the span (except the euroGA pre config change I believe) – I never had a euroga e-mail badly flagged since either.

Last Edited by Noe at 10 Aug 22:26

When sending info, drawings etc that are not supposed to be read by other people we use 7-zip to “zip” the attachments with a password, then send the password in an SMS. 7-zip because it has better (or good enough) password protection (as opposed to ordinary “zip”). An SMS is a fundamentally different technology than mail. According to those who know, this is good enough and practical enough, for sensitive material not to end up in the hands of for instance terrorists.

The elephant is the circulation
ENVA ENOP ENMO, Norway

Indeed; that approach has always been available (I have used AESCrypt mainly, after zipping up the file) but it will never get broad acceptance because it is not transparent to the user. It also assumes some level of IT competence at both ends, and very often this doesn’t exist e.g. we often struggle communicating with people who can only just barely use email.

I don’t have any immediate use for this myself, but in an effort to get an answer to my original Q I did a little dig-around and was amazed to find there doesn’t appear to be anything obvious out there. There are many services such as ProtonMail which are just really email versions of what Telegram or Whatsapp does with instant messages i.e. end to end encryption without explicitly publishing a public key (de facto the PK is tied to your GSM phone number) and you can get a plug-in for some email program such as Outlook. They are easy to use but you have to get everybody you communicate with to set it up at their end. This will never go anywhere far because there is no supporting infrastructure for public key certification and management. Without PK certification, you are still open to receiving a fake email purporting to be from your expected contact, although that trick will work only at the right time, usually at the beginning of the “relationship” because any change in the PK will (hopefully) be viewed with suspicion. The need for proper key certification and management is because the suspicion cannot be relied on.

For comparison, and speaking of authentication only (not encryption), to set up DKIM (a method of cryptographically proving that an email really did originate from the domain in the From: header) on an outgoing email account you have to go through a validation process which includes proving that you have access to the DNS config for the domain in question. This doesn’t involve the recipient in any extra effort (other than to perhaps use an email provider who makes correct use of DKIM; most don’t ) and one interesting solution to certifying your PK would be to store it in the domain config also… Any better PK certification has to involve getting passport scans etc and that means it is going to cost money. I don’t recall Verisign doing anything like that but they still cost money! I use DKIM on outgoing emails but for it to work as intended the receiver would need to have a means of whitelisting my domain, and most email providers don’t have such a facility (it would also be obviously mostly worthless unless DKIM was used).

The downside of having a public key management system like the original PGP had (publicly accessible keyrings, allowing anyone knowing your email address to get your public key) is that anyone can still send you spam. It will be encrypted but it will still be spam Clearly you can’t have it both ways.

A few years ago we got an enquiry from an American company and they said that to do business with them we had to use some secure email service which appeared to be used by US defence contractors. I don’t remember the details or whether they bought anything but we have a disti in the US and perhaps they dealt with it. It sounded like the US Govt was doing the certificate management for that.

Administrator
Shoreham EGKA, United Kingdom

Wickr is used by a lot of people needing secure interactions, I don’t know / understand the tech behind it though.

Now retired from forums best wishes

Yah I wondered about secure email a year or so ago, and lost interest very quickly … my interest was piqued by people still putting a PGP key on their profile on a website, but it all got too nerdy very quickly.

Is email basically sent around the internet as plain text?

These days, the sending around is typically done over encrypted links, but the content of the email is going though every server in plain text, and how it is processed and stored there depends on the server.

The reason for this is quite simple: Many tech giants who provide the infrastructure have a strong interest in NOT having encrypted e-mail. Fore example, Google is reading all e-mail going through gmail and uses the data gathered for advertising and in other ways to make money. So do other providers. End-to-end encryption would scupper this, so while they can’t prevent it, they certainly have no interest in providing it.

Combine that with this being a “hard” problem due to the need for standardisation, and the result is that only those both in need of security AND savvy enough to do it are protected.

Biggin Hill

The problem is that email is a massively, decentralised federated system that is accepted everywhere. To change it, you have to get pretty much everyone to change at once – some things can be changed easily (like mail servers these days typically using TLS rather than sending stuff unencrypted), but even things like using PGP to sign emails is hard.

The problem is until enough people are doing it, 99.9% of people/orgs will not do it because not enough people are doing it (so you get the feedback loop of nothing being done).

It would require “force” to get people to use even the easy stuff. Broken SSL/TLS was in use for years and no one cared about improving the situation until the PCI (payment card industry) DSS (data security standards) forced the issue (meaning you would not be able to take credit cards online unless you fixed your broken HTTPS configuration) but even the PCI had to delay two years things like getting rid of broken TLS 1.0 due to industry lethargy (even relatively recent versions of MSIE didn’t have TLS 1.2 enabled by default until reasonably recently, meaning if you shut off TLS 1.0 on the original deadline of June 2016, about 2/3rds of your users would no longer be able to connect).

We do business with a Very Large Media Company (who outsource some of their IT to a Very Large IT Supplier) and we had a big problem with them due to this cutoff date (it didn’t just affect TLS, but anywhere where CBC modes were being used). They tried to do everything to avoid having to make the required change (only starting work 3 weeks before the deadline – which they’ve now missed so we’ve had to implement a workaround for them). Ironically this same Very Large Media Company required us to do a security audit questionnaire which required us to certify we don’t use the same deprecated CBC modes that their IT supplier was insisting that we had to support! (The weaknesses in CBC modes have now been known for ten years). Their IT supplier tried to get us to support an alternative configuration which relied on MD5 checksums, which have been known to be weak since the 1990s. Incidentally, the software we use to provide SFTP has supported aes-ctr since 2003 and deprecated HMAC-MD5 about 5 years ago. None of these things should have been hard for them to support but they suffer enormous organisational inertia (they are for example using a version of Solaris that was superceded in the early 2000s). I suspect this kind of thing is hardly unique, and not only that, anyone who deals with this stuff could have seen as long ago as 10 years back that this change was going to end up being required by security standards like PCI-DSS. Yet this extremely large and profitable IT company still managed to miss this very visible deadline that people have been talking about for years.

Last Edited by alioth at 11 Aug 15:08
Andreas IOM
16 Posts
Sign in to add your message

Back to Top