The surprising takeaway for me is that PGP is so astoundingly crappy to use that even Phil Zimmerman asks people to send him plain text mail. We've got to do something to improve the state of things here.
> The surprising takeaway for me is that PGP is so astoundingly crappy to use that even Phil Zimmerman asks people to send him plain text mail.
I agree that that was surprising, but I can't take it without a grain of salt: he is the co-founder of a company releasing alternatives to e-mail+PGP for privacy. That's more than a small conflict of interest.
I'm also not sure I understand his point regarding email privacy vs. message-app privacy. Either of them could easily be subpoenaed in the U.S., and moving either of those services off-shore should theoretically provide the same protection.
Maybe the messages will be stored on Silent Circle servers in an encrypted state...?
It seems that he refuses to acknowledge the existence of GPG, even when complaining about using PGP on the Mac. GPGTools for the mac is the best PGP email experience between Linux/Win/OSX, yet only Symantec's PGP is considered.
I just don't get it. He wanted to close the service before getting an NSL. He couldn't give it a day? He copies off the employee email but dumps his customers' email? (Even the Lavabit guy kept the customer email.) This crypto hero knows better than to recommend a fake-crypto solution (hushmail) instead of simply saying "don't use email for anything private".
They did server-side crypto for email, so they had the keys to decrypt. Maybe those keys were locked with users' passwords (like Lavabit), but they couldn't run a functional server without having the plaintext visible to the server at some points. Silent Circle's other services do everything on the client, so it's impossible to backdoor the server.
However, that would protect them against the demands that Levison encountered. For example, the secret court may have a broadened interpretation of CALEA [1] that would make Silent Circle's services non-compliant.
I'm not a lawyer, but if Silent Circle is classified as a telecommunications provider, then CALEA already requires them to have built it with real-time surveillance capability without tipping off either party involved in the communication. Since their system prevents this by design, I wouldn't be surprised if they get shut down entirely in the short term.
Silent Circle controls the client for Silent Text, so the messages can be encrypted end-to-end. For email, the same thing isn't true, so messages can be decrypted on the server (otherwise the mail client could never read them). Hence the discrepancy, and the deletion.
> For email, the same thing isn't true, so messages can be decrypted on the server (otherwise the mail client could never read them).
I'm not a crypto guy, so forgive my potential ignorance.
Are you saying that because the crypto is being done on a potentially untrusted client (whether a web interface or third-party email client), that the end-to-end encryption could be compromised?
I realize that e-mail (by protocol) is sent over plaintext, but if the entire content of the e-mail is PGP encrypted, how is that less secure than actual end-to-end encryption?
With email, you _can't_ encrypt the headers of a message. Who the message is to, who it's from, when it was sent, what the subject line is... All those things need to be accessible to every server that touches the message from creation to delivery.
Things get worse when you have to interoperate with mail clients that don't support encryption. Now the best you can do is encrypt the body of the message at rest, but you still have to be able to decrypt it to deliver it.
You're absolutely right that _if_ both parties are using PGP in their clients, then the _body_ of the email will be secure, end to end (not the metadata mind you, just the body). However, that requires a lot of manual key management (assuming you use a client that supports it in the first place). That key management nightmare is why no one actually uses PGP...
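To make the point above concrete, here is an added example (not code from the thread) that parses a constructed PGP/MIME message and lists what every relay can still read, against the one part PGP actually hides. The message, its addresses and the armoured blob are all constructed placeholders, not real OpenPGP output.

```python
"""Added example: what each SMTP hop can read in a PGP/MIME message.
The message and the 'encrypted' blob below are constructed placeholders."""
from email import message_from_bytes
from email.policy import default

# Constructed PGP/MIME (RFC 3156 layout) message; the armour is a stand-in.
SAMPLE_MSG = b"""\
From: alice@example.org
To: bob@example.net
Cc: carol@example.com
Date: Fri, 09 Aug 2013 10:15:00 +0000
Subject: Q3 board minutes
Message-ID: <constructed-0001@example.org>
Received: from mail.example.org by relay.example.net; Fri, 09 Aug 2013 10:15:02 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
UExBQ0VIT0xERVI=
-----END PGP MESSAGE-----

--b1--
"""

# Headers a relay needs (or adds) in cleartext to route, queue and log the mail.
ROUTING_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Message-ID", "Received")


def encrypted_payload(raw: bytes) -> bytes:
    """Return the opaque octet-stream part: the only thing PGP/MIME hides."""
    msg = message_from_bytes(raw, policy=default)
    if msg.get_content_type() != "multipart/encrypted":
        raise ValueError("not a PGP/MIME message")
    for part in msg.iter_parts():
        if part.get_content_type() == "application/octet-stream":
            return part.get_payload(decode=True)
    raise ValueError("no encrypted part found")


def visible_metadata(raw: bytes) -> dict:
    """Return the cleartext metadata a relay sees, plus the ciphertext size."""
    msg = message_from_bytes(raw, policy=default)
    meta = {h: [str(v) for v in msg.get_all(h)] for h in ROUTING_HEADERS if msg.get_all(h)}
    meta["encrypted_bytes"] = len(encrypted_payload(raw))  # size leaks too
    return meta


def body_is_opaque(raw: bytes) -> bool:
    """True when no MIME part carries readable text, only the armoured blob."""
    msg = message_from_bytes(raw, policy=default)
    return all(p.get_content_type() != "text/plain" for p in msg.iter_parts())


if __name__ == "__main__":
    for key, value in visible_metadata(SAMPLE_MSG).items():
        print(f"{key:>16}: {value}")
    print("body readable by relay:", not body_is_opaque(SAMPLE_MSG))
```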
What JshWright said is correct. Specifically for Silent Mail, the mail server is the last thing that can decrypt (because it has to work with plain clients), so it can see your plaintext. With Silent Text, the last thing that can decrypt is the client, so Silent Circle can never see your plaintext. That's what was wrong with it specifically.
Phil knew PGP was less usable than it could be because it was an add-on to SMTP. It was always hard to use. That said, I'm encouraged by some of the folks looking at building new systems for message store systems that are secure. They will need new clients of course but that seems to be reasonable.
E-Mail has a moderately crappy experience on phones even without the security issues, so there's plenty of reason to build something new (with a new client) even if you're not worried about security.
The thing that terrifies me about trusting Silent Circle for anything real is that if you're only on mobile, there is a huge amount of evil either of two US companies (or anyone who can put pressure on them) can do to you, and it's essentially a black box. Basically every security guarantee a mobile app makes can be subverted by Apple, Google, potentially some of their suppliers, and anyone who either puts legal or technical pressure on them. It can be done to individuals, rather than some pervasive backdoor which could be uncovered. To some extent, mobile carriers, who are essentially an arm of government in many places, could also attack users.
Ubuntu Phone, Firefox mobile OS, etc. help in that they add more platforms, but don't seem to fundamentally improve security. The only thing which would really be viable, IMO, is a totally open hardware design and OS, where users get to pick their own update sources, and all the baseband crap essentially firewalled off into a little FCC-approved area which can't attack the rest of the device. And potentially with the entire baseband removable so you could have just a PDA, PDA+wifi/bt, or maybe in a future world, some novel radio protocols designed for protection from monitoring.
This was my reaction as well to Silent Circle. If the attacker can own your OS, who cares how secure the app is? Silent Circle may keep things encrypted while going over the fiber and the wires and the airwaves, but what comfort is that when the government can remotely turn on your mic or camera?
There is probably a way to use Android safely, and hopefully a way to use iOS safely -- some kind of firewalled/VPN'd network, proxying any public traffic, and periodic checks for that. You'd ideally verify each OS version before doing updates, and maybe even do some destructive teardowns. I assume NSA plans to do something similar when DOD does smartphone deployments. There's potentially the SE Android stuff, too, but that's largely orthogonal to this.
However, in the corporate BYOD world, or in the consumer world, it's probably not going to work.
Whenever I see a thread about the security of email these days, I think we're missing the point by a large margin.
Yes, email is insecure. It is not possible for a company like Silent Circle to provide perfect security for email, therefore it was a wise move to drop it. However, the average person should want to prevent large scale/dragnet surveillance of the entire population and themselves, rather than aim for perfect security.
The problem we have now is that email is very easily trackable because everyone is using the same two email providers. All the NSA has to do is get their hands on Gmail, and 50% of the people who use email will have it compromised (since they only need to get one side to read the other, too).
We have an email server monoculture. If everyone started using their own mail server (with TLS enabled), large-scale tracking of people would be much, much harder. There's not much people can do if they're specifically tracked, anyway, so using your own email server gets you all the convenience with a lot more security.
I think the best thing to do now would be to create a mail server package that someone can deploy with one command. "docker run whatever/mail", for example, to get you a TLS-enabled server, configured properly to stop spam attempts, etc. We don't need to use GPG to make large-scale surveillance harder, we just need to use more email servers.
The issue goes a lot further: We have a technology monoculture.
Technology has this annoying property to trend towards a monoculture. You can also see this when you count the tech giants who hold 80% of whatever product/service market. Every tech company attempts to lock you in, sometimes using the network effect (i.e. social networks), sometimes using tech integration (i.e. Apple).
Sure, but it's clearly way too much hassle for everyone to encrypt email all the time. By moving to decentralized servers, we do a lot to mitigate the problem while preserving convenience.
Most people are stunned by the way the internet email system is set up. I probably have to explain SMTP error codes on a weekly basis to people who don't get why it doesn't "just work".
A common conception is that it works like the telephone system - you make connections all the way through, then send the message. Bounces? Delays? How could those happen?
It's stunning to talk to newcomers about how things were before the internet came to exist as we know it. Mail routing via bang path with UUCP? How many people on HN even have seen that?
The problem is that we need a forklift replacement for SMTP and mail envelopes, both of which have crypto built into them at a fundamental level.
Switching everyone over to SSL wrapped SMTP would be a good stopgap for the transport portion of this, even if it's just self signed, with some sort of HSTS style cert persistence.
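The "HSTS-style cert persistence" idea above, as an added example that is not code from the thread: a trust-on-first-use pin store for the certificate an SMTP peer presents after STARTTLS. The store, the hostname and the "certificate" byte strings are constructed for the demo; in real use the DER bytes would come from the TLS socket via `getpeercert(binary_form=True)`.

```python
"""Added example: remember an SMTP peer's certificate on first contact and
refuse later connections that present a different one before the pin expires.
Hostnames and DER bytes here are constructed placeholders."""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional


class CertPinStore:
    """Trust-on-first-use pins keyed by peer hostname, persisted as JSON.

    Each pin holds the SHA-256 of the peer's DER certificate plus an expiry
    (the HSTS max-age idea): an expired pin is re-learned, not enforced."""

    def __init__(self, path: Path, max_age_s: int = 90 * 86400):
        self.path = Path(path)
        self.max_age_s = max_age_s
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, host: str, cert_der: bytes, now: Optional[float] = None) -> str:
        """Return 'first-use', 'match', 'rotated' (pin expired) or 'mismatch'.

        Only 'mismatch' is a failure: the caller should queue the message and
        alert, never fall back to plaintext delivery."""
        now = time.time() if now is None else now
        fp = self.fingerprint(cert_der)
        pin = self.pins.get(host)
        if pin is None:
            verdict = "first-use"
        elif pin["sha256"] == fp:
            verdict = "match"
        elif now > pin["expires"]:
            verdict = "rotated"
        else:
            return "mismatch"  # keep the stored pin untouched
        self.pins[host] = {"sha256": fp, "expires": now + self.max_age_s}
        self.path.write_text(json.dumps(self.pins))
        return verdict


def demo() -> list:
    """One peer: first contact, a match, a swapped cert inside the pin's
    lifetime, the original again, then a legitimate rotation after expiry."""
    good = b"CONSTRUCTED-DER-mx.example.net-2013"   # placeholder, not real DER
    other = b"CONSTRUCTED-DER-someone-else"         # placeholder, not real DER
    t0 = 1_000_000.0
    with tempfile.TemporaryDirectory() as d:
        store = CertPinStore(Path(d) / "smtp_pins.json", max_age_s=100)
        out = [store.check("mx.example.net", good, now=t0),
               store.check("mx.example.net", good, now=t0 + 10),
               store.check("mx.example.net", other, now=t0 + 20),
               store.check("mx.example.net", good, now=t0 + 30),
               store.check("mx.example.net", other, now=t0 + 500)]
        again = CertPinStore(Path(d) / "smtp_pins.json", max_age_s=100)  # re-read file
        out.append(again.check("mx.example.net", other, now=t0 + 510))
    return out


if __name__ == "__main__":
    print(demo())
```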
Do people create new, open protocols anymore? I feel that if someone decided to tackle the "email is insecure" problem, we'd end up watching a video on Kickstarter about how cool their new Ruby on Rails SaaS is.
HTTP is probably the most recent "internet spanning" protocol that has wide use. You could probably make an argument for XMPP (jabber) as well. The message passing libraries like 0mq and similar could probably be viewed like this.
More important than protocols are the data interchange formats that they leave behind. SMTP envelopes are particularly horrible to parse. I'd like something newer, but I think it would lead to feature-itis that has given us abominations like base64 encoded MIME attachments (seriously, what system isn't 8-bit clean in 2013?), HTML mail (used mainly for spam), return receipts (aka "automated privacy violation"), etc.
Zimmermann advocating Hushmail. That's curious. Also imho deleting user data without warning is kinda non-pleasant even in today's climate. Of course you should have had everything backed up, but I'd guess many people didn't.
PRZ has advocated hushmail for a long time (at least 2002 or so), which is nuts.
I believe they intended for people to use Silent Mail as POP3-style "download all messages locally", although people may not have done that. I set up silentmail on my devices in the "leave on server" form and lost both of the test messages I ever used it for; will probably survive.
I really don't think it had much user takeup, which they'd know since it was opt-in. It wasn't part of their original suite of tools, but got added after a few users requested it. It wasn't even the best secure mail tool one could have built, just the easiest for them to deploy with minimal effort.
I use Hushmail, not for security, but because I wanted to use a provider that doesn't use my email to build an advertising profile. Fastmail was also an option.
Personally speaking, because it can traverse a number of insecure systems, I treat email like a postcard.
I think it's one of these situations in which perfect/optimal are the enemy of good: Hushmail is a major improvement, privacy-wise, over, say, Gmail or Hotmail, especially for people communicating from one Hushmail account to another.
Hushmail may have its own issues but using it is still a net gain for most people.
Hushmail took a different path from Lavabit: Hushmail openly announced that they will comply with court orders, and that their applet interface WILL be compromised under court order. They also point out that client-based encryption is outside their control.
That leaves open whether Lavabit was going to be compelled to send malware to their customers, and whether Hushmail might face the same problem.
All that means email probably is a poor choice for secure communication - the conclusion Silent Circle came to. If you want to communicate, use something that doesn't offer a target for the TLAs to lean on.
It will be interesting to see if webrtc gets compromised.
Problem is the mobile end device is incredibly insecure. You'd have to custom build an o/s to NSA fishbowl specs and then drop in Silent Circle, but even that wouldn't guarantee privacy since all of us have SIM cards with unknown carrier installed apps on them, and unknown software running on the baseband (which is typically in ARM supervisor mode w/no NX bit).
Also interesting: the inventor of PGP, a guy who once went against the gov, tells people to mail him in clear text and uses a closed source OSX blackbox.
Hint: look at what NSA is advising other government agencies to use for classified systems.
They published a white paper spec of what a mobile phone system would have to do in order to be accepted as a potential solution.
Hint: Hardware would have to be certified together with firmware and software. It would contain some kind of a locked down VPN connection so no network packets ever get sent or received unless it goes through that one VPNed connection. This way metadata doesn't leak. From what everyone can observe you only connect to one VPN server. Inside the VPN connection you'd have multiple encapsulated sRTP based voice channels to whoever you are calling. BUT this VPN server would be running in a centralized government owned facility. So they would know all the metadata. Now how would that work in real life to hide from their surveillance? I don't know. If there ever appears a trusted VPN provider, you bet it will be a single point of compromise and a single point of failure.
> have SIM cards with unknown carrier installed apps on them
SIM cards don't have apps on them! They just have the IMSI, a key, some prior data about which tower it last connected to, and some miscellaneous data (such as a PIN number, etc), together with a data area that's used exclusively to store a limited number of contacts and SMS messages. This was useful when phones (think Nokia bricks) didn't have much (or any) storage capacity.
Carriers can, however, create their own firmware images that contain their crapware apps, which is why they're uninstallable.
The general consensus seems to be that if you are specifically targeted, there is very little in your power you can do. Few people are going to throw away any electronic device they own when they have the slightest suspicion about it.
My opinion is that specific goals should be acknowledged and agreed upon. These are things that will do little or nothing to protect dangerous criminals but will prevent dragnet surveillance, political blackmail, and what essentially amounts to a consolidation of power by kleptocrats (which is either the state the US is in now, or will soon be.)
The following are goals, each representing its own layer. A) would be a very good start. Each additional layer is helpful, but the first priority is A.
A) The end of plain text communication. There is no reason two parties communicating digitally should have their communication readable by anyone with access to the data stream. Ignore the NSA for a moment, any nation your data passes through you should assume is being spied on -- very serious espionage concerns for any business public or private.
B) Client side end to end encryption when two parties are communicating with each other. Currently this would put an end to contextual email advertising, stifle history, search indexing, and usage metrics collecting. However, there are potential options here such as Crypton.io.
C) Open source software as a service. Lavabit, Silent Circle, and others have a big dilemma -- they can not prove they are not spying on their users. If a software-as-a-service provider is the one doing the encryption, even "client side", there is the possibility of a security compromise, through a court order or otherwise, by modifying how the software executes. Most certainly an astute security researcher would discover something was amiss. The average user may not. The more serious issue is rather the destruction of that business's credibility when a problem is discovered (this is hacker news after all, presumably you are here because you run a start up or internet business.)
The best solution -- separate the encryption layer from the service provider. Dropbox (allegedly soon to be complicit with PRISM) can't provide a lot when a user syncs a TrueCrypt volume. What about Silent Circle? Is it really secure? Or Spideroak? We don't know. While their work is admirable, forced automatic updates could break the security. Lack of source code means lack of public auditing.
Both Silent Circle and Spideroak could alter their business models to become substantially more secure. For example, if a particular country has a draconian data retention law and you operate in that country, then your business should not store data nor have any business interest in storing data.
There are numerous trends that have made security slide out of fashion. We want metrics on everything to optimize our UX. We want deep demographic, behavioral, and contextual data to maximize the amount of money advertisers can spend. Users want plug and play software that just works with the press of a button. View all of these as both obstacles and opportunities to build better versions of what exists today. Software development is getting cheaper, easier, and faster by the day, unlike, say, drilling for oil.
You can use EncFS [1] (Linux, FreeBSD, OSX) instead. This is far more efficient. I'm using it with Dropbox and it was fairly easy to set up and works well.
You can make things even easier by using Gnome EncFS Manager [2] (Ubuntu, Debian, Fedora, OpenSUSE, Arch) to automate mounting encrypted drives or folders. The GUI is simple and intuitive.
Basically, any directory or drive you can write to can be mounted as an encrypted container of individual files.
> Open source software as a service. Lavabit, Silent Circle, and others have a big dilemma -- they can not prove they are not spying on their users.
Lavabit can't, but Silent Circle can; it's possible to prove that communication apps are secure (just show the source), it's impossible to make a mail server secure without the client knowing anything about encryption.
Of course. That doesn't mean a service can't prove it's secure. The service can be as secure as it wants, if you're talking within earshot of your adversary, you're screwed.
Email should have end to end encryption via a peer to peer system.
* Problem with message encryption solved, as long as the OS is not compromised. I currently use GnuPG but very few of my friends do.
* Header information
The "topic" of an email can be encrypted without problems. We still have the problem that a sniffer knows WHEN, HOW MUCH and with WHOM you communicate. Encrypting this information just for the next node will make it harder for a sniffer. Also such a P2P email client could randomly send out stuff and connect with random other clients. Basically a special form of spam that gets ignored by the receiving client. The idea behind this "spam" would be to lower the signal/noise level.
Plus random messages sent to different users. Something like enforced SPAM that is marked as SPAM inside the encrypted message. Your client can decrypt the messages and discard the SPAM automatically. Sometimes the client can even reply to such a SPAM message automatically.
This makes it easier to hide with WHO, HOW OFTEN and HOW MUCH you are communicating.
I'm not sure that the SPAM messages are necessary. I don't think that you can do traffic analysis of this sort on Tor without compromising the local machine (you want to monitor) or something like >15% of the Tor routing network.
Interesting that Forbes interviewed him and the Lavabit founder. Honestly I expected far less from this rag regarding computer and privacy issues given other links here and elsewhere, but there is always time to be surprised.