cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ericgeater
Community Champion

Securing your own email

Since my Gmail account isn't secure, and my employer doesn't have a legitimate necessity for doing server level mail encryption, if I wanted to create my own secure email system, what all is required?

 

With PGP, it's fairly easy -- as long as the other party you're communicating with uses PGP.

 

But I understand that with PKI, anyone can exchange messages with you -- provided they know the protocol.

 

If I go the PKI route, I would probably use a domain I own.  That way I can look at the whole thing in-house, except for the CA/RA part.

 

What experiences do y'all have with personal or "roll-your-own professional" secure email?

-----------
A claim is as good as its veracity.
8 Replies
JKWiniger
Community Champion

I wouldn't do it. The question is would there be enough use for it to be worth the time? If you only have a few people that would sent you encrypted messages then it would not pay to setup a whole infrastructure to support it. What about a simple plug in on the mail client? It would shift things from server to client side but still allow for messages to be encrypted and decrypted.

 

Just my .02

 

John- 

rslade
Influencer II

> ericgeater (Contributor I) posted a new topic in Tech Talk on 02-24-2020 08:37

>   But I understand
> that with PKI, anyone can exchange messages with you -- provided they know the
> protocol.   If I go the PKI route, I would probably use a domain I own.  That
> way I can look at the whole thing in-house, except for the CA/RA part.   What
> experiences do y'all have with personal or "roll-your-own professional" secure
> email?

Ah, yes. I remember the days when people would say "I want five pounds of
PKI." PKI is not a "thing." It's a whole bunch of things, and you need to get each
and every one of them right. It's no harder than trying to creeate your own
crypto algorithm. (In other words, it's really, really hard.)

As it happens, I'm (sort of) working with a guy who is trying this "universal secure
email the easy way" right now, and he's got a system that is both secure and easy
to use. It's a bit clunky, and relies on the sending party having a smartphone
(which I also think is the main weakness of the system), but it's quite clever.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
A ship in port is safe, but that is not what ships are built for.
- (John A.?/William?) Shedd
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
ericgeater
Community Champion

Glad you pointed out the difficulty attached to the payoff.  In my personal case, there's not enough requirement for it yet.  I suppose the message could be encrypted in a file, then attached to a message.  Poor man's secrecy good in a pinch.

-----------
A claim is as good as its veracity.
CraginS
Defender I


@ericgeater wrote:

Since my Gmail account isn't secure, and my employer doesn't have a legitimate necessity for doing server level mail encryption, if I wanted to create my own secure email system, what all is required?

 

With PGP, it's fairly easy -- as long as the other party you're communicating with uses PGP.

 

But I understand that with PKI, anyone can exchange messages with you -- provided they know the protocol.

 

If I go the PKI route, I would probably use a domain I own.  That way I can look at the whole thing in-house, except for the CA/RA part.

 

What experiences do y'all have with personal or "roll-your-own professional" secure email?


Eric,

I have not used it, but ProtonMail looks interesting. Have you investigated it?

 

Craig

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
ericgeater
Community Champion

I have not!  It does look like a useful solution, however!  Thanks for the link!

-----------
A claim is as good as its veracity.
ericgeater
Community Champion

I realize that a claim is only as good as its veracity, but I did notice this on the ProtonMail website:

 

"Revenue from paid accounts is used to further develop ProtonMail and support free users such as democracy activists and dissidents who need privacy but can't necessarily afford it."

 

I am aware that some ransomware thugs use ProtonMail too... but it's nice to see this type of declaration.  Pretty awesome.

-----------
A claim is as good as its veracity.
Caute_cautim
Community Champion

@ericgeater   What concerns you?  Your privacy in terms of exchanging messages between trusted parties or reducing the opportunity for Federal Authorities accessing the contents of your messages?

 

We all know G-mail is insecure and probably the contents end up in one of Google Datasets by default.

 

Has I have stated previously to @CraginS various countries around the world, have the authority by law to intercept all and any traffic passing through ISPs.  

 

You effectively make yourself a target, because if the authorities cannot immediately decrypt on mass and look for key words, or defined parameters makes you a target of interest.  Especially if you use a cryptographic algorithm, which is not fully defined or customised to meet a particular need.   In fact encryption in the USA is seen as a Munition:  https://law.stackexchange.com/questions/3705/what-exactly-makes-encryption-a-weapon.

 

Other countries have similar definitions and export rules.   I should know I have to go through such a process every time I define a solution, service for a client etc.

 

Regards

 

Caute_cautim

 

 

ericgeater
Community Champion

My inquiry was based on the usefulness of having a secure solution available for message exchange.  But it definitely sounds like there's a whole lot of trouble to go through, for a very limiting payoff.

-----------
A claim is as good as its veracity.