Email Security - Are There Other Options?

Discussion in 'privacy technology' started by tobacco, Dec 17, 2009.

Thread Status:
Not open for further replies.
  1. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Read the other day about a group of "Hackers" complaining about people encrypting all their email, most of which was useless to these hackers and they were tired of working so hard for nothing :D

    I would like to start protecting my email (privacy issues only) and it got me thinking that the worst thing one could do is secure the occassional one as that would "stand out". Better off "all" or "none".

    So after several hours of researching this area of security, it seems somewhat ignored as far as options available. Everything seems to revolve around these "Public/Private Keys". Now i don't know about you but most of my contacts are not computer/security savvy and telling them they need keys and need this software, etc - i'm gonna get a "WTF" :blink:

    What i am looking for is a program that can encrypt email (text and attachments), send it and once it is received in my contact's inbox, somehow decrypt it without the contact having to jump through any hoops.(no forwarding of keys or passwords first)

    Maybe the program could somehow be small enough to sit in the email and automatically decrypt for the contact once the contact clicked on a "decrypt email now" tab. The program would only decrypt for a certain address.

    Any help/thoughts on this matter would be welcome.

    Thanks
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Such a system exists. It is called MailVault. It internally generates the keys and manages them between users. The user when logged in gets access to his key and enters a password to decrypt the message. The message otherwise sits in plaintext. The plaintext when the user sends it is automatically encrypted to the recipient. The only issue is the sender and recipient have to be in the same system, otherwise it can't find the right key to encrypt and decrypt with. Another problem is that if you expose your key and password to the foreign system, that is enough information for the foreign system to intercept your messages. However, the threat model isn't the internal observer (mail system) who could be evil anyway, but the external observer (hacker) who is definitely evil.

    XeroBank will be releasing a similar solution where all messages a stored encrypted and transmitted encrypted, and anyone can use it for free.
     
  3. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Still haven't found what i am seeking and looks like the least intrusive on the contact's part would be a forwarded password first.

    Encrypted with a "password" of course :p

    And i'm in the 30% group here - http://press.gmx.com/2008-09-02_pressReleaseUS.html

    Unbelievable :thumbd:
     
  4. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    You might look at ZSentry products. Basic versions via the web are free.
    https://zsentry.com

    Consider attachments if it's one person you want to regularly communicate with.
    fSekrit is a TINY little .exe that you use like a text file. A typical encrypted (AES-256) email-length note takes about 50kb. Just attach it to a regular email. If you're familiar with LockNote, it's just like it, but LockNote with the exact same email length would be about 350kb.

    You can get fSekrit at http://www.donationcoder.com/Software/Other/fSekrit

    Oh, change the extension to some weird extension from .exe as some email filters won't let an .exe through. Your regular recipient would know to change it to .exe and enter password. Really, to me, this is an easy way to pass along encrypted text without all the hassles.

    Or, I've mentioned drop.io before. You can create password protected one-time (or multiple, your choice) "drops" with text, photos, videos, whatever you want. Free up to 100mb. Just give the recipient the drop URL (and give them the password in another way). This is casual security, but drop.io is just an incredible service in every way. In fact, some publication just recently named it one of the best "under the radar" (not well enough known) web applications.
    http://drop.io
     
  5. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Their website wasn't clear about this - do both parties (sender & receiver) have to use this service for it to work like they say?
     
  6. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    165
    Whats the ETA on this ? This sounds great.

    Will it be like this?

    Sender -- encrypted email --> server --> encrypted?/unencrypted? -->Recr
     
  7. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Ok - after more reading i got the answer - NO!

    It is more secure if they do but it still works. It's still not quite what i was looking for but i don't think that's available yet. And this is definitely less intrusive on the receiving party then keys and/or software installation. Really feel this is the way to do it for everyday emailing (Receiving end has a simplified option). Tested this out on myself and i am impressed to say the least.

    This page is a good read - https://zsentry.com/how_zmail.htm

    Has many options like self destruct date / to view your sent email require "no action or registration or login / detailed receipt sent upon request.

    All in all - it's a keeper and thank you LockBox :thumb:
     
    Last edited: Dec 19, 2009
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    OP, just use GPG and use it's file encryption (pre-shared key) method. Give the key to your contact through some secure medium (person to person or over a secure phone line). Then simply encrypt a text file with the message in it and attach that file to an e-mail. Your contact will already have the key and can just type it in. Decrypting should be as simple as right clicking and entering the password.

    GnuPG is the FOSS version of the proprietary PGP. There is a Windows version now, and you can get it here. Or, if you prefer, you can just use PGP.
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    If you really want to be sure about the encryption and you don't trust a third party (generally, you shouldn't trust a third party when it comes to encryption :) ), I'd suggest teaching your contacts how to use PGP/GPG and public keys. It is not that hard, and they might actually learn something useful (just a thought...)
     
  10. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    Will it be soon? <img>
     
  11. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    I understand and agree with what your saying but my goal was to create/increase email security/privacy without asking more from the receiver. Some of my contacts are set in their ways, others like my stepbrother just started with computers and i don't want to overwhelm him anymore at this point.

    I'm not sending secret/important documents which is why i'm not pushing for the "public/private keys" method. I just want a more secure way of sending 100% of my email that doesn't require receiver interaction beyond a click.
     
  12. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Steve

    Could you provide any more info/update us on this upcoming email security solution.

    Thanks
     
  13. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Anyone using Comodo Secure Email - http://www.comodo.com/home/internet-security/secure-email.php


    Installed it and am trying with my hotmail account through Thunderbird 3 but doesn't connect and server times out o_O

    It has a web reader service for those receipitants that don't want to install the software and aquire certificates.
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    This is done by default on HOTMAIL SSL POP accounts or Gmail (and it is free). If the person that communicate with you use the same service or a service provider that support SSL SMTP. All traffic travels encrypted from you to the recipient of the e-mail.

    Fax
     
  15. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Here is an email client that encrypts email. very secure and there is a free version. worth a look, I use it.
    bigc

    https://www.hushmail.com

    What is Hushmail?

    Hushmail is the most secure web-based free email service in the world. Since 1999, millions of people and thousands of businesses have trusted Hushmail to safeguard their secrets.

    Hushmail looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes.
    Key features see more features…
    Easy-to-use web-based email
    Standards-compliant encryption
    Works on iPhone and BlackBerry
    Optional Outlook integration
     
  16. mrm3601

    mrm3601 Registered Member

    Joined:
    Oct 23, 2007
    Posts:
    66
    SteveTX:

    I've gone to MailVault's site but there's I don't see a registration process nor any information about the program. Is the site, http://mailvault.com/?

    Thanks.
     
  17. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Thanks bigc

    Hushmail was the first one i looked at but after searching more about it, decided to steer clear of it.
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Hushmail also does not support Outlook unless you pay :)
    While for hotmail or gmail its fully free
     
  19. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Fax, With Hotmail/Gmail all you're doing is protecting the emails from public view via SSL. The emails themselves are not encrypted on the server. In other words, they can be read, retrieved by LEA, etc. It's my impression the OP wants a solution that provides full email encryption.
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    uuuhm, I thought the issue was ensuring no one can read the message between the two (sender and the receiver). Lock out law enforcement officials to your e-mails its another story indeed :D Not sure you can prevent access to data anyway ;)

    Fax
     
  21. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    FYI -- If you haven’t tried it yet, the use of a Class 1 Digital ID (see here) with Outlook is nearly transparent for encrypting emails and attachments. Many people have and know Outlook; and acquiring, installing and exchanging Digital IDs with Outlook doesn't require much effort.

    On a general note, if you wish to ensure that the transmission of the contents of your email are encrypted entirely from the sender to the receiver, a password or a Digital ID must be exchanged between the parties, to the best of my knowledge. Logically, I don’t see how it could be otherwise.
     
  22. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia

    Yes that is correct but as expected, i am receiving resistance from my contacts (all so far) to go the extra steps for ultimate email protection. Which is why i am trying to do the best i can from my end with hopefully a non-bothersome interaction at their end.

    So without the most secure option (full exchange of keys public/private), i have found 2 - "Zmail" & "Comodo Secure Email" that give the receiving end a choice of reading the email without installing the software and applying for keys. But this is not as secure as the install option. Just hope they are not as deceptive as Hushmail has been.
     
  23. duk

    duk Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    28
    The way you want, you only need encrypt the e-mail over TLS/SSL, using a secure connection to read or write. In this case, only the recipient can read your messages, the problem however is that the server can also access your messages. So you need to keep a watch their data privacy policy (of the provider). About unpaid services that provide SSL connection (POP3 using 995 port), I like Gmail, Lavabit and MyMail.

    Now, if your concern is encryption end-to-end (so the server can not read) there is no other way than the recipient to decrypt the message. In this case, I recommend GnuPG and nothing else.
     
  24. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
  25. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Could you share your thoughts on "MyMail"? Just tried to create a free account but the homepage just reloads. Not for the paid accounts - page loads fine :cautious:
     
Loading...
Thread Status:
Not open for further replies.