No Such Thing As Secure Email, Secure Provider Claims

Karloff

New member
Oct 19, 2009
6,474
0
0

Silent Circle shut down its secure service, and now it claims such a thing is a pipe dream.

A short while back, when the email provider used by NSA whistleblower PRISM [http://www.escapistmagazine.com/news/view/126705-Snowdens-Email-Provider-Vanishes-Vows-To-Fight-For-Constitution].

The content can be encrypted, Silent Circle admits. It might be cumbersome, and the technology needed to make it really secure could be beyond pretty much anyone except large companies, but it can be done. Trouble is, that only protects the content. If the content is the only important thing about the email, then you're fine, but what if you also wanted to make sure nobody knew who was sending it, and to whom? Or when, and in what timezone? No hope, says Silent Circle, as the email provider blurts out all that data as soon as the message is sent, in the routing information. "None of this can be encrypted if you want to be compatible with current email protocols." All that information, including the subject - stored in plain text at the beginning of the message - is in the email's metadata, which is transmitted without encryption or any kind of protection. Sometimes knowing who's talking, to whom, and when, is more important than the content of the message, Silent Circle points out.

That's why Silent Circle's no longer in the game. It knows it can't promise a service it has no hope of providing. "With the tapping of backbone internet providers, interested parties can now see all traffic on the internet," it says. "The days where it was possible for two people to have a truly private conversation over email, if they ever existed, are long over."

Source: Silent Circle [http://silentcircle.wordpress.com/2013/08/16/why-cant-email-be-secure/]


Permalink
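The metadata exposure described in the post above, as an added example that is not part of the original post or of Silent Circle's article: it parses a message whose body is OpenPGP-armored and returns everything a relay or on-path observer can still read without a key. The addresses, hosts, subject and the `exposed_metadata` helper are constructed for illustration.

```python
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: an encrypted message as a mail relay would see it.
# Addresses, hosts and the armored body are placeholders, not real data.
RAW = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Fri, 16 Aug 2013 09:14:07 -0700
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Meeting on Tuesday
Date: Fri, 16 Aug 2013 09:14:02 -0700
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

(constructed placeholder for ciphertext)
-----END PGP MESSAGE-----
"""

def exposed_metadata(raw):
    """Return what is readable from a message without any decryption key."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])  # timezone-aware datetime
    body = msg.get_payload()
    return {
        # Who is talking to whom
        "sender": [a for _, a in getaddresses(msg.get_all("From", []))],
        "recipients": [a for _, a in getaddresses(
            msg.get_all("To", []) + msg.get_all("Cc", []))],
        # The subject line travels outside the encrypted body
        "subject": msg["Subject"],
        # When, and in what timezone the sender's clock was set
        "sent_utc": sent.astimezone(timezone.utc).isoformat(),
        "utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
        # Each relay adds a Received header naming itself
        "relay_hops": len(msg.get_all("Received", [])),
        # Only this part is protected by content encryption
        "body_is_ciphertext": body.lstrip().startswith(
            "-----BEGIN PGP MESSAGE-----"),
    }

if __name__ == "__main__":
    for field, value in exposed_metadata(RAW).items():
        print(f"{field}: {value}")
```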
 

Chessrook44

Senior Member
Legacy
Feb 11, 2009
559
3
23
Country
United States
Well this only makes sense. I mean think about it.

"I have a letter I need sent."
"To who?"
"I can't tell you that."
"OK, where is it going?"
"I can't tell you that either."
".....when can I pick it up to deliv-"
"I can't tell you that either!"
"Then HOW am I supposed to deliver it?!"
"Well you're the mail service, aren't you?"

.....sounds like something that could appear on NotAlwaysRight...
 

Alar

The Stormbringer
Dec 1, 2009
1,356
0
0
Chessrook44 said:
Well this only makes sense. I mean think about it.

"I have a letter I need sent."
"To who?"
"I can't tell you that."
"OK, where is it going?"
"I can't tell you that either."
".....when can I pick it up to deliv-"
"I can't tell you that either!"
"Then HOW am I supposed to deliver it?!"
"Well you're the mail service, aren't you?"

.....sounds like something that could appear on NotAlwaysRight...
More like,
"I have a letter I need sent. Here's who it is and where it's going. Respect my privacy and the privacy of the recipient and do not share this information with anyone."
"Sorry, the government won't let me do that~! Wah wah wah."

Or more like they're spying regardless of what the ISP wants. It's just disgusting, in my opinion. Like most people, I don't really have anything to hide, but that doesn't mean I want everyone to know about it. If I wanted to share information with the world, I would make it easily available.
 

rofltehcat

New member
Jul 24, 2009
635
0
0
So... couldn't people build a "net" of inter-connected mailboxes that automatically forward emails between each other (including to fake addresses), make several copies, push the emails to another mailbox of the same provider (one of the "safe" ones) and somewhere on the way run an additional encryption over the content, change the header etc.? Maybe even split the email up somewhere along the way so that its sum only arrives in several different mailboxes of one person who can then manually copy the fragments into a decryption tool. It wouldn't be impossible to track, either, but it would probably cause some hellish headaches.
 

Jenny Jones

New member
Jun 10, 2013
63
0
0
Yes but the government NEEDS to see that information. How on earth do you expect the government to protect your civil liberties, privacy and rights if they don't read and watch everything you say or do?

Course only the terrorists would be hiding something and not want all their business viewed and stored for any and all eventualities.

And if your sarcasm meter didn't just launch itself to the moon then it was probably broken.
 

Xeorm

New member
Apr 13, 2010
361
0
0
rofltehcat said:
So... couldn't people build a "net" of inter-connected mailboxes that automatically forward emails between each other (including to fake addresses), make several copies, push the emails to another mailbox of the same provider (one of the "safe" ones) and somewhere on the way run an additional encryption over the content, change the header etc.? Maybe even split the email up somewhere along the way so that its sum only arrives in several different mailboxes of one person who can then manually copy the fragments into a decryption tool. It wouldn't be impossible to track, either, but it would probably cause some hellish headaches.
There's certainly plenty of ways you could communicate over the internet in a small group. But that's not really email, and it would be restricted within that group anyway.
 

evilneko

Fall in line!
Jun 16, 2011
2,218
49
53
The closest you can ever get to secure electronic communication is an encrypted, direct point-to-point transmission. Needless to say, this isn't possible over the internet. The best we can do over the internet is establish an encrypted connection with the recipient after verifying the recipient is who he says he is (and that's another can of worms...) and trade messages through that link. Every layer 3 network device along the path will know A.B.C.D is talking to W.X.Y.Z, but that's just unavoidable.


Jenny Jones said:
Yes but the government NEEDS to see that information. How on earth do you expect the government to protect your civil liberties, privacy and rights if they don't read and watch everything you say or do?

Course only the terrorists would be hiding something and not want all their business viewed and stored for any and all eventualities.

And if your sarcasm meter didn't just launch itself to the moon then it was probably broken.
Sad part is, there are people who actually believe that. :/
 

Colt47

New member
Oct 31, 2012
1,065
0
0
Honestly, the government doesn't even need to try that hard anymore with people blindly using Facebook in combination with email services. =p
 

Zombie_Moogle

New member
Dec 25, 2008
666
0
0
I've got to wonder if IRC isn't gonna make a big comeback, in light of recent privacy/security revelations; that is, if the masses had any idea what it was
 

JaceArveduin

New member
Mar 14, 2011
1,952
0
0
Kwil said:
Look, the only secure computer is one that's unplugged.
And buried.
In the middle of a remote desert.

As soon as people figure that out and stop expecting impossible, we'll all be much happier.
Still not secure, archaeologists dig around in the remote parts of the desert all the time.
 

lacktheknack

Je suis joined jewels.
Jan 19, 2009
19,316
0
0
Kwil said:
Look, the only secure computer is one that's unplugged.
And buried.
In the middle of a remote desert.

As soon as people figure that out and stop expecting impossible, we'll all be much happier.
I've said this a couple days ago on this site, and I got viciously attacked.

So... people don't wanna hear that, so they'll never stop expecting it.

Life goes on, I suppose.
 

Hagi

New member
Apr 10, 2011
2,741
0
0
Mick P. said:
I am staring down the barrel of implementing an email-like service, and these developments of late have raised the specter of how you'd go about it ethically.

PRISM aside. If governments can spy may as well assume that they will spy. The problem to my mind seems to be that the law deems 3rd parties to be a breach of legal privacy. Therefore it seems to me like the simplest thing to do would be for the service to be a match maker, and potential plan B, while the end users would just need a NAS drive with some kind of daemon running on it.

This way legally the communication takes place between a first party and a second party, just like private discussion, and is legally untouchable. Only illegal eavesdropping could spy on it. And the match maker deletes its metadata as soon as possible...

Which for most communications would be virtually instantaneously. No time to serve a warrant. If your NAS drive is stuck, then the service holds onto the communications until your remote storage runs out and then informs the original party unless they've opted out and dumps the body, eventually everything else.

This way if the gov't wants your mail, they have to break into your house, or have a warrant. Just take them at their word. Everyone should have a NAS drive (network connected storage) in this day and age anyway. The drive is always online if your internet is always online, so you have webmail as long as your internet services are not offline or your drives are not all in fail states.
They'd still be able to see who you're sending your mail to since anything you send over the internet goes through your service provider, which is a third party.

Of course, you can encrypt the content allowing you to hide those reasonably well, although as computers become faster and faster many older encryption methods that used to take decades to decrypt can now be cracked fairly quickly. On top of that, as noted by the article, much of the metadata would still be exposed and most likely tracked. Which you can't hide since that data is part of the protocols to which your packets must comply in order to be passed on.

Using proxies and such you'd be able to hide that to a certain degree, especially if said proxies serve as an in-between for many different senders and receivers. But even then given sufficient surveillance of all involved service providers it'd be entirely possible to piece together a decent bit by comparing all incoming and outgoing packets for exact times, sizes etc.

Not to imply what you're getting at is useless, it's certainly very useful. But more by virtue of making it extremely difficult for casual spying to track you, once some effort is put into it it's very, very difficult to really hide your tracks.
 

Aitruis

New member
Mar 4, 2009
223
0
0
Alar said:
Or more like they're spying regardless of what the ISP wants. It's just disgusting, in my opinion. Like most people, I don't really have anything to hide, but that doesn't mean I want everyone to know about it. If I wanted to share information with the world, I would make it easily available.
This is really the crux of what people are/should be upset about in all this, and sadly many people are still just ignoring the issue. For clarity, I'm an American (just so you know where I'm coming from on a legal standpoint). Many of these programs and new laws are skirting not only current law, but the spirit of the law. Part of the problem lies in that our law is about 10-20 years behind the tech curve, so you get rationalizations like, "e-mail isn't part of the list of things counted by precedent as private personal possessions, so they're not subject to the same protections against search and seizure as say, your car or home"; even though a rational person would clearly equate email with conventional mail as to the same status it should have under privacy law.

The other major problem is we have a government that is flat out simply ignoring the law. For those outside the U.S., the fourth amendment in the Bill of Rights in our Constitution, what is supposed to be the supreme, end-all-be-all, law of the land, forbids such behavior:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Supreme law of the land. It says that if the government wants to search through your personal possessions, law enforcement must first have a good reason, then must obtain a warrant for a specific thing, time, and place they want to search. It should be noted that this applies to citizens on an individual level, every citizen has this right.

Instead, we have politicians getting secret warrants from the 'Foreign Intelligence Court' (something you'd think by rights wouldn't or shouldn't be involved in massive warrants covering U.S. citizens on U.S. soil) to blatantly violate citizens' constitutional rights by searching their personal possessions without a clear-cut reason for each individual person whose rights they violate; simply on the off-chance one of them is involved in the catch-all 'terrorist activity'. And people wonder why more and more are beginning to hate our government.
 

Strazdas

Robots will replace your job
May 28, 2011
8,407
0
0
but if only the big companies can afford the encryption, could it not be that the encryption key is located at both places and NOT sent via the message? that the key rotates identically in both places without disclosing the rotation algorithm to the internet? Then you could easily encrypt the header and sender. the destination and time is harder, but if you use a closed system with internet as mere highway, all you need is a way to mark "this ip" and that's it. the rest is hidden and taken care of locally. it's not perfect but more than this guy claims possible.

Zombie_Moogle said:
I've got to wonder if IRC isn't gonna make a big comeback, in light of recent privacy/security revelations; that is, if the masses had any idea what it was
IRC is not secure at all. the rooms can be seen easily if they so want.



Aitruis said:
The other major problem is we have a government that is flat out simply ignoring the law. For those outside the U.S., the fourth amendment in the Bill of Rights in our Constitution, what is supposed to be the supreme, end-all-be-all, law of the land, forbids such behavior:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Supreme law of the land. It says that if the government wants to search through your personal possessions, law enforcement must first have a good reason, then must obtain a warrant for a specific thing, time, and place they want to search. It should be noted that this applies to citizens on an individual level, every citizen has this right.

Instead, we have politicians getting secret warrants from the 'Foreign Intelligence Court' (something you'd think by rights wouldn't or shouldn't be involved in massive warrants covering U.S. citizens on U.S. soil) to blatantly violate citizens' constitutional rights by searching their personal possessions without a clear-cut reason for each individual person whose rights they violate; simply on the off-chance one of them is involved in the catch-all 'terrorist activity'. And people wonder why more and more are beginning to hate our government.
That's the thing. Your email and internet posts are not considered your personal possession or private locations. you don't "own" your email. therefore searching email they do not break the fourth amendment. US needs to completely redefine ownership of immaterial objects, which also ties into the whole piracy problem.