Tuesday 5 November 2013

Dark Mail to Secure Email, Evade NSA Surveillance

If you are worried about what the government spooks are saying in the way of devastating disclosures about the National Security Agency's surveillance programs, Lavabit and Silent Circle's proposed secure email platform may help ease your worries.
Lavabit and Silent Circle announced the Dark Mail Alliance earlier this week at the Inbox Love conference. As an open platform designed for secure email, Dark Mail will be immune from future surveillance efforts, the companies said.
With Dark Mail, the companies hope to develop a "private, next-generation, end-to-end encrypted alternative" to email.
Lavabit and Silent Circle
It makes sense that Lavabit and Silent Circle are taking the lead on building a new, Web-based secure email platform that users could use to evade surveillance.
Lavabit used to offer a secure email service that allowed people to send emails that could not be intercepted. It is believed that ex-NSA contractor Edward Snowden may have used the service. Lavabit shut down its services in August rather than comply with the U.S. government's request to hand over its encryption keys. Silent Circle specializes in encrypted communications and preemptively shut down its own secure email service to avoid facing a similar situation.
"Since they faced the difficult choice to shut down their email services in response to the federal investigations, it feels as a natural consequence for them to come back harder, better, stronger," said Claudio Guarnieri, a security researcher at Rapid7.
What is Wrong With Email?
Email, using SMTP (Simple Mail Transfer Protocol), has worked just fine over the years, but it was never designed with security in mind. Privacy- and security-minded users could take extra steps to encrypt their messages to protect the contents from prying eyes, but existing options did not encrypt the metadata. Bits of information such as the sender, the recipient, the time the message was sent, the size of the message, and other items, can be sensitive data in certain contexts.
For example, being able to look at the message metadata and learning that the CEOs of two companies have been communicating directly may hint at a potential partnership or merger. The subject lines could also divulge secrets.
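To make the metadata point concrete, the following added example (not part of the original article) builds a constructed message whose body is encrypted and lists what a relay handling it over SMTP can still read. The addresses, subject and the one-time-pad stand-in for PGP or S/MIME body encryption are assumptions made for illustration.

```python
import base64
import secrets
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

SECRET = "Draft merger terms attached."  # constructed plaintext


def build_encrypted_message() -> bytes:
    """Return a constructed RFC 5322 message with an encrypted body."""
    msg = EmailMessage()
    msg["From"] = "ceo@alpha.example"   # constructed sample values
    msg["To"] = "ceo@beta.example"
    msg["Date"] = "Tue, 05 Nov 2013 09:30:00 +0000"
    msg["Subject"] = "Merger timeline"
    # Stand-in for PGP or S/MIME: a one-time pad keeps the example stdlib-only.
    pad = secrets.token_bytes(len(SECRET))
    ciphertext = bytes(a ^ b for a, b in zip(SECRET.encode(), pad))
    msg.set_content(base64.b64encode(ciphertext).decode())
    return msg.as_bytes()


def exposed_metadata(raw: bytes) -> dict:
    """Parse the wire bytes the way any mail relay can, without any key."""
    msg = message_from_bytes(raw, policy=policy.default)

    def addrs(name):
        values = [str(v) for v in msg.get_all(name, [])]
        return [addr for _, addr in getaddresses(values)]

    return {
        "from": addrs("From"),
        "to": addrs("To") + addrs("Cc"),
        "date": msg["Date"].datetime.isoformat() if msg["Date"] else None,
        "subject": str(msg["Subject"]),
        "size_bytes": len(raw),
    }


if __name__ == "__main__":
    raw = build_encrypted_message()
    for field, value in exposed_metadata(raw).items():
        print(f"{field}: {value}")
    print("plaintext visible on the wire:", SECRET.encode() in raw)
```

The body stays opaque, yet sender, recipient, timestamp, subject and size are all recoverable from the same bytes.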
With Dark Mail, the mail server will send a short routing message to the intended recipient of the email. The routing message, which will likely be encrypted using XMPP, will contain a link to the cloud storage location where the actual encrypted message is stored. The decryption key to unlock the actual email, which will be protected using a new encryption protocol developed by Silent Circle, will also be part of the routing message. Since the encryption keys will be stored on the sender's computer, ISPs won't be able to comply with government requests.
Who Will Sign On?
Don't get too excited yet. The platform will likely not be available until some time next year. And email providers would have to get on board and implement the protocol so that users could take advantage of the platform. That means if you are a Gmail user, you can take advantage of Dark Mail's secure delivery platform only if Google adds the protocol to its service. It also means that the recipient has to be on a service that accepts Dark Mail.
Encryption hasn't been widely adopted simply because "encryption has largely been optional," Guarnieri said. For a technology like this to be effective, it would need to be widely adopted. "Fortunately, I think this is exactly the right time for radical changes like this to be successful," he said.
