Contributor II

Securing your own email

Since my Gmail account isn't secure, and my employer doesn't have a legitimate necessity for doing server level mail encryption, if I wanted to create my own secure email system, what all is required?

 

With PGP, it's fairly easy -- as long as the other party you're communicating with uses PGP.

 

But I understand that with PKI, anyone can exchange messages with you -- provided they know the protocol.

 

If I go the PKI route, I would probably use a domain I own.  That way I can look at the whole thing in-house, except for the CA/RA part.

 

What experiences do y'all have with personal or "roll-your-own professional" secure email?

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Accepted Solution
Contributor II

Re: Securing your own email

I wouldn't do it. The question is would there be enough use for it to be worth the time? If you only have a few people that would send you encrypted messages then it would not pay to set up a whole infrastructure to support it. What about a simple plug-in on the mail client? It would shift things from server to client side but still allow for messages to be encrypted and decrypted.

 

Just my .02

 

John-


8 Replies
Community Champion

Re: Securing your own email

> ericgeater (Contributor I) posted a new topic in Tech Talk on 02-24-2020 08:37

>   But I understand
> that with PKI, anyone can exchange messages with you -- provided they know the
> protocol.   If I go the PKI route, I would probably use a domain I own.  That
> way I can look at the whole thing in-house, except for the CA/RA part.   What
> experiences do y'all have with personal or "roll-your-own professional" secure
> email?

Ah, yes. I remember the days when people would say "I want five pounds of
PKI." PKI is not a "thing." It's a whole bunch of things, and you need to get each
and every one of them right. It's no harder than trying to create your own
crypto algorithm. (In other words, it's really, really hard.)

As it happens, I'm (sort of) working with a guy who is trying this "universal secure
email the easy way" right now, and he's got a system that is both secure and easy
to use. It's a bit clunky, and relies on the sending party having a smartphone
(which I also think is the main weakness of the system), but it's quite clever.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
A ship in port is safe, but that is not what ships are built for.
- (John A.?/William?) Shedd
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Contributor II

Re: Securing your own email

Glad you pointed out the difficulty attached to the payoff.  In my personal case, there's not enough requirement for it yet.  I suppose the message could be encrypted in a file, then attached to a message.  Poor man's secrecy good in a pinch.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Community Champion

Re: Securing your own email


@ericgeater wrote:

Since my Gmail account isn't secure, and my employer doesn't have a legitimate necessity for doing server level mail encryption, if I wanted to create my own secure email system, what all is required?

 

With PGP, it's fairly easy -- as long as the other party you're communicating with uses PGP.

 

But I understand that with PKI, anyone can exchange messages with you -- provided they know the protocol.

 

If I go the PKI route, I would probably use a domain I own.  That way I can look at the whole thing in-house, except for the CA/RA part.

 

What experiences do y'all have with personal or "roll-your-own professional" secure email?


Eric,

I have not used it, but ProtonMail looks interesting. Have you investigated it?

 

Craig

 

 

 

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile
Not Passing a Cert Exam is Not the Same as Failing: https://cragins.blogspot.com/2018/08/pass-rates-for-professional-exams.html
Contributor II

Re: Securing your own email

I have not!  It does look like a useful solution, however!  Thanks for the link!

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Contributor II

Re: Securing your own email

I realize that a claim is only as good as its veracity, but I did notice this on the ProtonMail website:

 

"Revenue from paid accounts is used to further develop ProtonMail and support free users such as democracy activists and dissidents who need privacy but can't necessarily afford it."

 

I am aware that some ransomware thugs use ProtonMail too... but it's nice to see this type of declaration.  Pretty awesome.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Community Champion

Re: Securing your own email

@ericgeater   What concerns you?  Your privacy in terms of exchanging messages between trusted parties or reducing the opportunity for Federal Authorities accessing the contents of your messages?

 

We all know G-mail is insecure and probably the contents end up in one of Google Datasets by default.

 

As I have stated previously to @CraginS, various countries around the world have the authority by law to intercept all and any traffic passing through ISPs.

 

You effectively make yourself a target, because if the authorities cannot immediately decrypt en masse and look for key words or defined parameters, that makes you a target of interest.  Especially if you use a cryptographic algorithm which is not fully defined or is customised to meet a particular need.   In fact encryption in the USA is seen as a Munition:  https://law.stackexchange.com/questions/3705/what-exactly-makes-encryption-a-weapon.

 

Other countries have similar definitions and export rules.   I should know I have to go through such a process every time I define a solution, service for a client etc.

 

Regards

 

Caute_cautim

Contributor II

Re: Securing your own email

My inquiry was based on the usefulness of having a secure solution available for message exchange.  But it definitely sounds like there's a whole lot of trouble to go through, for a very limiting payoff.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."