Sunday, April 7, 2013

Email: A Fundamentally Broken System

by Dietrich Schmitz

Many are too young to remember Phil Zimmermann.  He is the creator of Pretty Good Privacy (PGP), an encryption standard that is now perhaps the most widely used method of encrypting email.

It was in 1991 that Phil saw the unmet need and brought to fruition a much-needed way to encrypt human-readable text.  Coincidentally, the Internet had just begun to unfold, and his method of encryption soon gained in popularity.

Mr. Zimmermann became, as a result, the target of a criminal investigation, brought by the U.S. Customs Service and RSA, charging him with violating provisions of the Arms Export Control Act.  The charges, however serious, were ultimately dropped in 1996, and Mr. Zimmermann went on to form the PGP Corporation, which was bought by Network Associates in 1997.

You see, email is clear text.  Yes.  Naked.  When you casually press 'send' on an email, it travels across the mail transfer agents to its destination as a stream of human-readable text, which makes it child's play for any agency or individual to intercept and read.  Essentially, you are placing your correspondence in the mail without an envelope.

Seems odd when it's put that way, doesn't it?

We go to great lengths to ensure the safety of paper mail delivery (there are even warnings printed on mailboxes), and we diligently place our correspondence in an envelope.  For what?  Privacy, of course.  There are Federal laws on the books to protect your paper mail, but none for its electronic equivalent.

So it raises the question:  Why isn't email encrypted by default?

It seems that no one really thought that question through, or at least there was a time when the email standard, RFC 2822 (which supersedes RFC 822), was used only by a small population of technology-elite individuals.  Times have since changed, but the RFC was never updated to contemplate electronic privacy.  Nor has there been a Federal mandate for it, which might have funded the work of meeting a new email privacy standard.

Worse is the now all-too-well-known fact that the email RFC standard can be exploited.  How so?

SPAM.  No, not the kind you eat.  The sender field of an RFC 2822 email can be forged, and spammers exploit that design deficiency by inserting forged sending addresses into emails sent from compromised PCs.  Unbeknownst to the user (usually of a compromised Windows PC), a spambot daemon process (svchost) is running in the background, sending out literally millions of emails a day, all forged.

Thus, unless you have a spam filter installed, your email inbox may fill with unsolicited emails.  Some are benign; others carry attachments which, if opened, trigger a script on the victim's machine that may be designed to gain administrative rights and install yet another trojan spambot, or worse, ransomware or a keylogger.

It's all fairly well understood, but to date nothing has been done to correct the RFC standard.

Phil Zimmermann has always been a privacy advocate, and while he developed PGP, others fortunately saw fit to follow and extend his work, developing an open-source, compatible equivalent called GNU Privacy Guard (GnuPG).

Today, GnuPG (or GPG) is the linchpin of the vast majority of Linux distributions (distros): it provides the 'keyring' feature that ensures software obtained from a distro's repository is safe from tampering (trojan horses, viral code insertions).  GPG is likewise compatible with PGP email and lets users encrypt (envelope) their email correspondence to guarantee privacy.

Thus far, however, low-cost or free, easy-to-use email systems with encryption as standard have been few, so there truly is a huge unmet need here, worldwide.

As more users embrace the Internet and become comfortable incorporating it into their daily lives, they have also come to understand the crucial importance of privacy.  In fact, many feel that such privacy is their given right.  I agree with that.  The right to privacy is implicit in, and incorporated into, our nation's Bill of Rights.  It's no different from the paper-mail envelope analogy I gave above.

So, as I read about Phil Zimmermann in recent news, I thought, here is a man who is passionate and truly believes in what he is doing.  You see, Mr. Zimmermann has surfaced once again, only this time he is building his own infrastructure, available to the general public, as a turnkey, easy-to-use encrypted email service, an expansion of a company he opened last year called Silent Circle.

From the story in The Register, Silent Circle's Chief Technology Officer elaborates on this new service:

"Email is fundamentally broken," Jon Callas, Silent Circle's CTO, tells The Register, pointing out that security was not a serious factor in the original protocols. Wrapping messages in the best possible encryption will give a measure of security, and the team have spent nearly two years honing their product. 
"We believe we've got it as good as we can get it," he said. "Nothing is perfect, and anything we find there's a problem with, we'll fix it." 
To further test the system's mettle, Silent Circle has put its source code up on Github for analysis by the security community. So far, Callas said, three possible problems have been found. None of them were serious, and all have since been fixed or ameliorated. 
The new email service will take the best of this encryption, plus some extra special sauce and tools from PGP, and aims to offer secure service to subscribers across the world.

This is going to revolutionize email privacy and create a new 'de facto' standard for it.  Code for the email service is being published to GitHub for security analysts to examine and provide feedback on, including recommended feature enhancements and bug fixes.

As Phil Zimmermann wrote in an essay on his website, Why I Wrote PGP:

It's personal. It's private. And it's no one's business but yours. You may be planning a political campaign, discussing your taxes, or having a secret romance. Or you may be communicating with a political dissident in a repressive country. Whatever it is, you don't want your private electronic mail (email) or confidential documents read by anyone else. There's nothing wrong with asserting your privacy. Privacy is as apple-pie as the Constitution.
The right to privacy is spread implicitly throughout the Bill of Rights. But when the United States Constitution was framed, the Founding Fathers saw no need to explicitly spell out the right to a private conversation. That would have been silly. Two hundred years ago, all conversations were private. If someone else was within earshot, you could just go out behind the barn and have your conversation there. No one could listen in without your knowledge. The right to a private conversation was a natural right, not just in a philosophical sense, but in a law-of-physics sense, given the technology of the time. 
But with the coming of the information age, starting with the invention of the telephone, all that has changed. Now most of our conversations are conducted electronically. This allows our most intimate conversations to be exposed without our knowledge. Cellular phone calls may be monitored by anyone with a radio. Electronic mail, sent across the Internet, is no more secure than cellular phone calls. Email is rapidly replacing postal mail, becoming the norm for everyone, not the novelty it was in the past. 
Until recently, if the government wanted to violate the privacy of ordinary citizens, they had to expend a certain amount of expense and labor to intercept and steam open and read paper mail. Or they had to listen to and possibly transcribe spoken telephone conversation, at least before automatic voice recognition technology became available. This kind of labor-intensive monitoring was not practical on a large scale. It was only done in important cases when it seemed worthwhile. This is like catching one fish at a time, with a hook and line. Today, email can be routinely and automatically scanned for interesting keywords, on a vast scale, without detection. This is like driftnet fishing. And exponential growth in computer power is making the same thing possible with voice traffic.

So, are you just a little bit incredulous about this story now?  Well, you should be, and I hope you will exercise due care in your Internet activities.

This service cannot come soon enough.

-- Dietrich

  1. Why are you so worried about email Dietrich?

    If you really want to know someone's secrets, all you have to do is follow their Facebook and Twitter accounts for a year... run all the data through data mining software and you can guess most of their personality trends. Email is probably the least of people's security concerns in this day and age.

  2. Fundamentally, encryption is the only tool we have to exact control over our Internet privacy. I am worried and you should be too.

  3. Let me suggest another way e-mail is fundamentally broken. It doesn't scale down. I should not be dependent on a centralized server to handle all of my e-mail. I should be able to get e-mail in aggregate from a collection of machines. Redundancy provided by messages scattered across multiple anonymous machines should provide as high reliability as we currently have with the current mail system architecture. Resistance to spam should be even higher because we have a greater number of nodes that could be instrumented to detect spam and communicate it to peers.

    There is obviously more that would need to be discussed, but by scaling e-mail down, we increase reliability, increase resistance to government intrusion, and to spam.

  4. I would tend to agree--take a look at the RetroShare P2P model.

    I think it has great potential.