Webmail end-to-end encryption deception

In the aftermath of the Snowden revelations, some companies are
providing end-to-end encryption for your email messages. In theory,
this means the content of a message is read only by its author and
its recipient; whatever or whoever sits between them should see only
garbled text.

The companies on the Prism list seem eager to provide it, presumably
to gain back the trust of their users. Even if the content of the
messages isn’t secret, it’s all private nonetheless. I certainly
would not like my mail being consistently opened, especially not when
the content is being interpreted by software written by unknown
people for unknown purposes.

The latest addition comes from Yahoo:
http://www.infosecurity-magazine.com/news/yahoo-follows-google-endtoend

Alas, in my opinion, this is nonsense, because there is no way to
make sure the unencrypted content doesn’t leave the computers of the
sender and the recipient. However convenient web mail is, it can’t
enforce end-to-end encryption.

Reasons coming to mind:

1. Web mail providers have no incentive.
They get revenue from scanning emails for targeted advertising.
True end-to-end encryption would deprive them of that revenue, by
software provided by themselves no less! If targeted advertising
still takes place, it’s pretty certain the message transited
unencrypted to a third party. Would they really forsake their
revenue just because it’s you? Did they really grow a spine after
the revelations? I think not.

2. What about trusting Prism companies?
Some of these companies are providers of popular browsers and
operating systems. It appears some of them weren’t exactly forced
into collaboration either; rather the opposite. I don’t remember
them having the honesty to tell their users that their data was
henceforth shared with the US government. Also, what to think about
the software those people publish? Can it be trusted to do only what
it is supposed to?

Again, in my personal opinion, security is an all-or-nothing affair:
to trust or not to trust, THAT is the question. If you don’t trust
it, you don’t use it, however sophisticated it looks. In the case of
web mail end-to-end encryption there is no reason to assume it can
be trusted, especially when it is provided by US companies which can
be legally forced into collaboration, now or later.

Bottom line: if you want true end-to-end email encryption, you’ll
use a trusted desktop email client application running on an
operating system published by a trusted organization. Today I see
only one possible solution: digitally signed software from
community-driven Linux distributions. Only those can be trusted to
work as advertised. Sad but true.
