Easy Email Encryption

First, the good news. There's been a lot of progress toward letting people talk to each other securely. Signal is amazing, and it showed the world that strong cryptography can be clean and easy to use even for our smart but nontechnical friends. It proved that end-to-end encryption is not just for nerds who use PGP and Linux and go to "keysigning parties".

WhatsApp is rolling out end-to-end encryption to 800 million people, most of whom have never heard the word "cryptography" and have no idea what a "key" is. It's incomplete and imperfect, but still a huge step forward.


Unfortunately, while been lots of progress for messaging apps, email is still insecure. This sucks because email is the system of record. Messaging apps come and go. The messages themselves are often ephemeral as well. If you lose your phone, all your SMS and all your Signal messages are gone. Messengers deal in plain text... sometimes you can add pictures or emoji


Email is more real. It's an open standard. It lasts forever. It's global. It supports rich text and attachments and everything. It's the modern replacement for mail, for quills and parchment and envelopes. Here in America, the Fourth Amendment guarantees people

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures

That there could be a big building where bureaucrats rip open every letter, read it, reseal it, and send it on to its destination, like in East Germany, sounds ridiculous. We're a free country, that's not how we roll. And yet that extra letter, the e in email, the implementation detail where mail is sent digitally rather than on literal paper, seems to void those protections. In countries like China and Kazakhstan, people are even more vulnerable. It's a chilling thought: a democracy movement, like the one that liberated Chile 25 years ago, might be impossible today because we've accidentally made it easy for states to read all mail.

 

To fix this, end to end encryption must be the default--not just for WhatsApp, but for email. We also need metadata security. To protect freedom of association, an observer shouldn't be able to tell who's talking to whom.


An idea...

1. You install a new mail app on your laptop. It's open source and well vetted.

2. You log into Gmail, your university mail, all the accounts you have. The app syncs your mail. You have a modern mail client with a nice UI and fast search, even when you don't have internet.

3. Bob installs the app as well. The next time you send him an email, it's automatically encrypted, signed, decrypted, & verified.

I want to do for email what Signal did for texts: I want to make end-to-end encryption easy.


Under the hood

Key exchange is automatic and centralized, like Signal. Encryption using Axlotl provides forward secrecy.

Finally, we want metadata security. We don't want to leak who's talking to whom, so we'll send all encrypted mail with a hardcoded From and Subject.

Of course, Bob's app will show him the real, decrypted From and Subject.

The last piece of the puzzle: we can’t just connect to our outgoing mail server directly. That would let it see your IP address and your recipient’s email address, again revealing both sides of the conversation.

Instead, we'll send all outgoing encrypted mail thru Tor.

Easy to use encrypted email, with modern crypto, providing both content and metadata security.


Could this work? Would you use it?

Let me know your thoughts!

3 responses
Hi there! I've spent a bunch of time thinking about this problem as well. I really liked your write-up, so I decided to try and put down my thoughts on the E2E problem on your ideas. It ended up being a bit long for a comment, so I posted it to my blog: http://blog.eight45.net/2016/01/08/e2e-email.html Happy to continue discussing here or where ever! I'm on github, twitter, and IRC with the same username.
Wow, that's quite a writeup! I think you make some good points. I especially like the "No Catastrophic Key Loss" one. Storing decrypted email (in plaintext) on your laptop doesn't help much though, since that's also where your private keys are stored. If your laptop hard drive dies, now you've lost both, irrecoverably. My plan for now is to ask the user to back up their secrets on a thumb drive right after generating keys, and to keep the thumb drive in a safe place. It's better than nothing, but not ideal: would be happy to hear if there's a better way. I also agree with you that decentralized key exchange would be preferable. I'll think about that for V2. I first want to make the user experience seamless. My goal is that someone who has no idea what a key is can still use this program effectively. Like Signal.
I checked out some of your previous work on the subject (Scramble, Scramble 2) -- cool! Did you ever do a write-up on your conclusions with your Keybase-centric approach to Scramble 2 and how it led to this new iteration? (Also, it sounds like we'll be able to discuss further @ ArcticJS!)