The Nuts and Bolts of Taking Security Seriously
So you’ve been to the website of the Electronic Frontier Foundation (EFF) and you’ve seen what you need to do. You’re going to quit using email as much as possible and choose a messaging service instead, one with end-to-end encryption. You will probably need more than one messaging service, depending on what your contacts are using. What sort of problems are you going to run into trying to implement good privacy and security practices? Where are the difficulties in setting this up? Is the technology and the software awkward to use? Or is the problem more about persuading other people to join the privacy and security club?
It's Getting Easier To Be Secure Online
There’s a plethora of secure messaging apps with end-to-end encryption. You could almost say there’s too much choice. With so many apps to choose from, each with various pros and cons, how do you know which one to work with? You research everything and eventually come to a conclusion about which app is right for you. Go for something which automatically encrypts end to end as a default, every single message. Use an application which allows for ephemeral or exploding messages, so it covers its tracks automatically as you use it. It’s good to have an application which has forward secrecy. This is a system which keeps messages private even if the phone is lost or bashed with a hammer. Secret communications are not left lying around for someone to access either on the device or on a server somewhere. You’ve also managed to find a secure service which is based in a safe jurisdiction. It’s unlikely the government of the jurisdiction containing the servers will be able to launch a man-in-the-middle attack on your data. The service doesn’t keep any of the cryptographic keys to your messages so there are no backdoors left open. Open source software is being used and has been checked by the security community. It isn’t locked and hidden proprietary software which could have any sort of nefarious problems contained within. You’ve ensured your data is kept safe by not using any cloud backup services which could be unencrypted. Basically you are happy with your choice and you are ready to put it all into practice. What’s it really like when it comes down to the nitty-gritty?
The Big Problem Is Getting Other People to Realise There Is a Problem
The vast majority of people using the Internet have absolutely no idea how unsafe email is. Your average user doesn’t know anything about encryption. They have no idea sending emails is the equivalent of writing personal details on a postcard to send through an open postal system. The postal worker picks up the postcard and can read it when it’s being collected. As it is going through the system any of the people routing the postcard can read the plain text, even if you have bad handwriting. When the postcard goes to the other end the postman can entertain himself by reading the personal details before he puts it into the letterbox. Sending an email is the digital equivalent of that insecure process. Unless you learn to use encryption. It also means teaching other people, your recipients, to use encryption too.
What Can You Do to Really Make It Work?
1. Insist your email recipients also use encryption.
2. Stop using email and use a secure messaging service instead.
3. Put contents of email into a separate document and encrypt before attaching.
How Does It Work in Practice?
You want to send an encrypted email to a friend. Your friend doesn’t have any encryption installed and is unwilling or unable to install it. It could be technically too much for them, or they just don’t care at all. There are two options to consider. The first option is to not send an email to the person and use a secure messaging app instead. The second option would be to send an email, but encrypt it using a password. Encrypt just the text of the email, or encrypt a document and attach it to the email; it is more or less the same thing. You then send the password by other means. You could speak on the telephone and say the password. Or you could use secure means such as a direct message through whatever messaging app you know will get to your friend.
How does this work in practice and how does it fall down? You can’t use a secure messaging app with end-to-end encryption if your friend doesn’t have one on their devices. There are free ones available, but some people seem to have some sort of aversion to downloading new software. For us geeks it’s hard to believe, but there are technophobes and Luddites out there. They’re not all burning down 5G masts because they think it’s a coronavirus conspiracy, but there might be some reticence in trying something new. This is especially the case amongst the silver surfers.
Live Test of A New Encryption Session
I recently conducted a test sending an encrypted message to a Twitter friend who is fairly geeky. She actually works helping older people get the most out of their technology. She doesn’t have any encryption set up and it was a test to send her a question using a Keybase Saltpack Encrypted Message. I sent it with an email – I pasted the encrypted text into the email.
The invite has to go to a Keybase user, a Twitter user, or someone with an account at GitHub or Reddit. It would be better if it could go to a specific email address. Then when that person signs up to Keybase they would get access to the encrypted message. It might also work more smoothly if there were a link to Keybase for signing up.
Sending the Encrypted text by Email
At the bottom of my email is a signature with a link to a Flowcrypt page to reply securely back to me. She used that link to send an encrypted email reply. She didn’t install Keybase and that was partly due to not wanting to install software she hadn’t heard of and her time constraints. Fair dues she wanted to research Keybase and know more about it. Despite some back and forth messages using Flowcrypt and Twitter she hasn’t installed Keybase. Might never do so and I don’t want to push it. I wanted to give an invite and see what happened.
FlowCrypt is an extension you add to a Gmail account which works in the Chrome browser. There’s also an iOS app which is not brilliant because it’s not quite at a release level. I’ve been testing it out and it does work. Within FlowCrypt there’s an opportunity to encrypt email using a password. (For people without Flowcrypt.)
What's Best? Encrypted Emails or Secure Messages?
I replied to her Flowcrypt email in Flowcrypt. I sent the Flowcrypt message password to her as a Twitter DM. Some would say it would be more secure to send the password via a messaging app which uses end-to-end encryption. For the messaging and encryption of this test that wasn’t necessary. Usually I would recommend always following best practices. The gap made by using two separate services worked fine for security in this instance.
That was the sending of the reply email to my friend taken care of and it worked. She used the password I gave her and was able to read what I’d sent. I was pleased to get a reply which was also encrypted. This is where the email encryption can fall down. Some people hit reply and the email you sent encrypted is included in the reply – in plain text. So all the good work is undone! What was the point of it all when the reply exposes all the sensitive data? For that reason it can be best to not use email in the first place. Go straight to end-to-end encryption with a messaging app like Signal, Threema, WhatsApp, Telegram or others.
The good thing about Flowcrypt is you can guide people to a web page which will send you an encrypted email. It works well. This is the link to my Flowcrypt page. https://flowcrypt.com/me/wizardgold . I put this in the signature at the bottom of emails I send out, to encourage people to reply using that link. To a large extent it’s all about training people to use encryption one person at a time.
If you have someone who does the reply and sends back the data unencrypted, maybe the answer is to encrypt a document. It’s less likely they will go to the trouble of copying the data from a separate document to put back into the reply. Not totally foolproof, but it’s something.
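A check for the failure described above, where a reply quotes the decrypted message in plain text, written as an added example that is not part of the original post. It compares the text body of a reply against the lines of the message you sent encrypted; the sample messages and the `MIN_LEN` threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default

MIN_LEN = 12  # assumed threshold: skip short lines such as greetings

def _norm(line):
    """Strip reply quote markers, collapse whitespace, lowercase."""
    return re.sub(r"\s+", " ", re.sub(r"^[>\s]+", "", line)).strip().lower()

def leaked_lines(secret_plaintext, raw_reply):
    """Return lines of the encrypted message found in clear in the reply."""
    msg = message_from_string(raw_reply, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    secrets = {_norm(l) for l in secret_plaintext.splitlines()}
    secrets = {s for s in secrets if len(s) >= MIN_LEN}
    found = []
    for line in body.splitlines():
        n = _norm(line)
        if n in secrets and n not in found:
            found.append(n)
    return found

# Constructed sample data, not taken from the post.
SECRET = """Hi Anna,
The door code for the office is 4417.
My new mobile number is 07700 900123.
"""

PLAIN_REPLY = """\
Subject: Re: encrypted note

Thanks, got it!

> Hi Anna,
> The door code for the office is 4417.
> My new mobile number is 07700 900123.
"""

ENCRYPTED_REPLY = """\
Subject: Re: encrypted note

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    print(leaked_lines(SECRET, PLAIN_REPLY), leaked_lines(SECRET, ENCRYPTED_REPLY))
```

An empty result only means none of the original lines came back verbatim; a reply that paraphrases the sensitive details would not be flagged.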
My friend turned out to be mostly good with the encryption thing. I gave an option to reply with encryption and she took it. She hasn’t set up GPG / PGP encryption of her own. This could have been to get a Flowcrypt account set up for herself. She wasn’t using a Gmail account for her email, so maybe it wouldn’t suit her. I didn’t really expect her to install GPG Tools and use Thunderbird as her email client. Apple Mail can do GPG also but it costs money to use it. I would have to teach her all about the PGP Key Pair system and a lot of people struggle with the concept. That’s all taken care of in Flowcrypt.
Keybase for Encryption
The email I sent was about the Keybase app. Keybase is great for encryption, but not so good with anonymity. To verify yourself you put in loads of connections to yourself. You could get around that to hack anonymity, but it would take too much effort.
The effort to see if someone would sign up with Keybase in order to read an encrypted message didn’t work. In a real world situation it is not refined enough to be foolproof and easy. The test was saved by the Flowcrypt solution.
Long Term Connections
If you want your communications to always be encrypted you will have to only use the secure service. Otherwise your friend will forget and send you something unencrypted by email. When they send something like that, reply with encryption in a safe messaging app. Or ignore anything coming in by email. Basically don’t allow emails with any personal data to go out unsecured. You have to take charge of the process. Insist on using the best end-to-end encryption messaging service. It might take a while for it to sink in with some people.