Solved: Re: Securing your own email

ericgeater · ‎02-24-2020

Since my Gmail account isn't secure, and my employer doesn't have a legitimate necessity for doing server level mail encryption, if I wanted to create my own secure email system, what all is required?

With PGP, it's fairly easy -- as long as the other party you're communicating with uses PGP.

But I understand that with PKI, anyone can exchange messages with you -- provided they know the protocol.

If I go the PKI route, I would probably use a domain I own. That way I can look at the whole thing in-house, except for the CA/RA part.

What experiences do y'all have with personal or "roll-your-own professional" secure email?

-----------
A claim is as good as its veracity.

JKWiniger · ‎02-25-2020

I wouldn't do it. The question is would there be enough use for it to be worth the time? If you only have a few people that would sent you encrypted messages then it would not pay to setup a whole infrastructure to support it. What about a simple plug in on the mail client? It would shift things from server to client side but still allow for messages to be encrypted and decrypted.

Just my .02

John-

rslade · ‎02-25-2020

> ericgeater (Contributor I) posted a new topic in Tech Talk on 02-24-2020 08:37

> But I understand
> that with PKI, anyone can exchange messages with you -- provided they know the
> protocol. If I go the PKI route, I would probably use a domain I own. That
> way I can look at the whole thing in-house, except for the CA/RA part. What
> experiences do y'all have with personal or "roll-your-own professional" secure
> email?

Ah, yes. I remember the days when people would say "I want five pounds of
PKI." PKI is not a "thing." It's a whole bunch of things, and you need to get each
and every one of them right. It's no harder than trying to creeate your own
crypto algorithm. (In other words, it's really, really hard.)

As it happens, I'm (sort of) working with a guy who is trying this "universal secure
email the easy way" right now, and he's got a system that is both secure and easy
to use. It's a bit clunky, and relies on the sending party having a smartphone
(which I also think is the main weakness of the system), but it's quite clever.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
A ship in port is safe, but that is not what ships are built for.
- (John A.?/William?) Shedd
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

ericgeater · ‎02-25-2020

Glad you pointed out the difficulty attached to the payoff. In my personal case, there's not enough requirement for it yet. I suppose the message could be encrypted in a file, then attached to a message. Poor man's secrecy good in a pinch.

-----------
A claim is as good as its veracity.

CraginS · ‎02-25-2020

@ericgeater wrote:
Since my Gmail account isn't secure, and my employer doesn't have a legitimate necessity for doing server level mail encryption, if I wanted to create my own secure email system, what all is required?

With PGP, it's fairly easy -- as long as the other party you're communicating with uses PGP.

But I understand that with PKI, anyone can exchange messages with you -- provided they know the protocol.

If I go the PKI route, I would probably use a domain I own. That way I can look at the whole thing in-house, except for the CA/RA part.

What experiences do y'all have with personal or "roll-your-own professional" secure email?

Eric,

I have not used it, but ProtonMail looks interesting. Have you investigated it?

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts

ericgeater · ‎03-01-2020

I have not! It does look like a useful solution, however! Thanks for the link!

-----------
A claim is as good as its veracity.

ericgeater · ‎03-01-2020

I realize that a claim is only as good as its veracity, but I did notice this on the ProtonMail website:

"Revenue from paid accounts is used to further develop ProtonMail and support free users such as democracy activists and dissidents who need privacy but can't necessarily afford it."

I am aware that some ransomware thugs use ProtonMail too... but it's nice to see this type of declaration. Pretty awesome.

-----------
A claim is as good as its veracity.

Caute_cautim · ‎03-01-2020

@ericgeater What concerns you? Your privacy in terms of exchanging messages between trusted parties or reducing the opportunity for Federal Authorities accessing the contents of your messages?

We all know G-mail is insecure and probably the contents end up in one of Google Datasets by default.

Has I have stated previously to @CraginS various countries around the world, have the authority by law to intercept all and any traffic passing through ISPs.

You effectively make yourself a target, because if the authorities cannot immediately decrypt on mass and look for key words, or defined parameters makes you a target of interest. Especially if you use a cryptographic algorithm, which is not fully defined or customised to meet a particular need. In fact encryption in the USA is seen as a Munition: https://law.stackexchange.com/questions/3705/what-exactly-makes-encryption-a-weapon.

Other countries have similar definitions and export rules. I should know I have to go through such a process every time I define a solution, service for a client etc.

Regards

Caute_cautim

ericgeater · ‎03-07-2020

My inquiry was based on the usefulness of having a secure solution available for message exchange. But it definitely sounds like there's a whole lot of trouble to go through, for a very limiting payoff.

-----------
A claim is as good as its veracity.