Security is a b*tch isn’t it?
Privacy is a big issue in the modern age, not just because certain high-profile issues have brought it to the forefront, but because we’re ultimately a very private species when it comes to some issues. And those aren’t always of a criminal nature. Perhaps we just don’t feel that it’s anyone’s business what sort of Brony event we’re planning or whether we’re discussing details for the next great novel. That’s our business, and we should decide who we tell, when, and why.
Even then, there is always the possibility of nefarious individuals who want to take your information and use it for ill. Perhaps you’re discussing banking details that are sensitive, though not sensitive enough to use a specific secure messaging app. Maybe you’re sending fun, sexy photos to a friend. All legal and great, but you don’t want there to be a chance that anyone who shouldn’t see you in your birthday suit is able to take those. Email is sent in the clear, and it used to be that messaging services were like that too. But why settle for insecure when encrypting your email is actually fairly easy? It might mean using a desktop service, or switching to Chrome or Firefox, however.
Email encryption uses two methods at the moment, either PGP (or its open-source variant “GPG”) or S/MIME. Those are the most common, and what we’ll discuss here. Google, Microsoft and Yahoo are starting to use STARTTLS, which creates an encrypted tunnel between email servers, though it doesn’t encrypt the message itself. It’s a great security measure that’ll at least provide protection from passive monitoring of your connection, though the contents can still be looked at by those truly willing.
Encryption is easy(ish)
This type of encryption is asymmetric and uses a public/private mechanism to encrypt and decrypt messages, respectively. People you communicate with will use the public key that you generate in order to encrypt messages, while you use your private key to decrypt anything sent to you. The problem is in where those public keys are stored. Commercial solutions are made with businesses in mind, while open-source solutions have public repositories of those public keys, but there’s no way to absolutely verify the identity of someone associated with a key. You can send your public key as a file that can be easily imported, even over an unencrypted email, though. And since it’s only used to encrypt, there’s no danger in doing that. It doesn’t compromise your private key, which is derived from random numbers not associated with the public key.
So what do we do with that? Well, currently there’s no easy solution. But knowing that, we can go forth with protecting our precious communications, understanding that getting public keys may be somewhat difficult to manage. But that shouldn’t put you off, because if the people you communicate with understand that too, then you can just exchange them with each other easily! Just a little pre-planning is needed before sending and receiving anything, regardless of how one goes about encrypting their communications.
Browser integration is the future
If you’re like me, then you probably use a web-based inbox far more than an actual desktop client. That’s normal for a tremendous number of people. It’s convenient, and while the new Windows 10 email app is pretty slick, it still doesn’t beat the strangely complete experiences we can have online. Thankfully this means that email encryption can actually be somewhat simplified. There are a few apps that make use of GPG and actually integrate smoothly into the mail interface you’re using.
There are several options available, though one of the most complete is Mailvelope. Mailvelope allows for some very easy integration with your browser, making it an almost invisible procedure. The problem is still whether or not the people you’re talking to have the same system, or even whether you can get their particular public key. But the good thing is that you can import a public key through a variety of methods. Either have that person send you the key string in an unrelated email, hand deliver it, or search through the various public OpenPGP key servers, such as those from MIT, Ubuntu or even the OpenPGP key server. There are privacy concerns about storing these, but this being an asymmetric algorithm, you can only encrypt with that key, not decrypt, so there’s really no real threat.
Other than receiving a boatload of encrypted messages from admirers. The secret key is protected by your password and is stored in the local store of the browser. That doesn’t necessarily sound like it’s terribly secure, but at least it’s encrypted to a certain level. Unfortunately, anyone with access to your computer can simply export it. Also, you’ve got to be absolutely certain to uncheck “Automatically send usage statistics and crash reports to Google” in Chrome, otherwise there’s a chance of accidentally sending out the key if it’s still in memory when a crash occurs. It’s slim, but it can happen. That doesn’t mean it’s not secure, just that there are limitations, as there are with nearly every method of security.
The extension itself accesses the browser and actually integrates with the various webmail clients with a pop-up that takes over the encrypting and sending of the mail. It’s all quite transparent and very simple(ish) to use. It makes finding others’ public keys quite easy by integrating with many different public key exchanges to make it even simpler.
Of course you can also import any existing keys you might have from any previous attempts at encryption.
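Since a key that arrives by email or from a key server can’t prove who it belongs to on its own, the usual check before importing it is to compare its fingerprint with one the owner tells you over a separate channel. The sketch below is an added example, not code from Mailvelope or GPG; it computes the OpenPGP version 4 fingerprint as defined in RFC 4880, and the sample key and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (headers, '=' CRC24 line) and return the raw packets."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
        raise ValueError("not an armored OpenPGP public key")
    body = lines[1:lines.index("-----END PGP PUBLIC KEY BLOCK-----")]
    if "" in body:                        # armor headers end at the blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def first_packet(data: bytes) -> tuple[int, bytes]:
    """Return (tag, body) of the first packet (RFC 4880, section 4.2)."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                        # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + data[2] + 192
        else:
            raise ValueError("unsupported length encoding for a key packet")
    else:                                 # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype                 # 1, 2 or 4 length octets
        start, length = 1 + size, int.from_bytes(data[1:1 + size], "big")
    return tag, data[start:start + length]

def v4_fingerprint(armored: str) -> str:
    """SHA-1 over 0x99, two-octet length and key packet body (RFC 4880, 12.2)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches(armored: str, expected: str) -> bool:  # expected: read out by the owner
    return v4_fingerprint(armored) == "".join(expected.split()).upper()

# Constructed sample: v4 RSA key packet with a dummy 16-bit modulus (not a usable key).
SAMPLE_BODY = (bytes([4]) + struct.pack(">I", 1_500_000_000) + bytes([1])
               + struct.pack(">H", 16) + b"\xC3\x5B" + struct.pack(">H", 17) + b"\x01\x00\x01")
_B64 = base64.b64encode(bytes([0x98, len(SAMPLE_BODY)]) + SAMPLE_BODY).decode()
SAMPLE_KEY = f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{_B64}\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

If `matches()` returns False, the key you received is not the one its owner generated, and it should not be imported.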
In all, it’s an intuitive way to enable encryption in your day to day, and doesn’t require you to change anything you do drastically, just add a few more steps that are more than worth the effort if you have data you don’t want potentially getting intercepted.
Though fairly easy to use, it is limited to only the Chrome and Firefox browsers. No plans are currently in the works for Edge or Safari, but nonetheless, it’s still an effective way to make PGP, or OpenPGP to be specific, accessible. That’s the rub, isn’t it, making it seamless or easy to use while ensuring it “just works”. Unfortunately, for the moment, “easy” doesn’t quite apply to keeping you completely encrypted and safe from prying eyes. And then there’s the problem of how to integrate such things into the mobile world. That is a problem with a host of its own challenges. There are apps that do much the same, but they aren’t the most polished or integrated of experiences when compared to anything available on the desktop. Native integration of keys and certificates would be a natural progression, making the process of exchanging keys seamless, something that Apple already does with iMessage and other integrated messaging apps. But again, you’ll have to settle on an ecosystem to use. Most major players offer encrypted tunnels using either SSL to the server or through asymmetric encryption with public/private key exchange.
For now, though, the browser integration is likely the easiest and most logical choice for anyone not in a corporate environment. It’s relatively simple to set up and use, but still offers a few challenges for those unfamiliar. It’s a worthy challenge that can help set you up for success, however, in having true privacy for those moments that you just don’t want anyone else knowing what you’re writing or communicating. Even if it’s something as benign as sharing a smashing cupcake recipe. If it’s secret and passed down through the centuries, no sense letting it leak now.