[liberationtech] Announcing Scramble.io

DC dcposch at cs.stanford.edu
Fri Aug 23 19:07:33 PDT 2013


>
> *Also, are there any plans for Scramble to be a POP3 or IMAP client, so I
> can use another email with it?*


POP3/IMAP Client
====

To support an external POP3/IMAP server, someone would have to make a
Scramble client that's not web-based. It's not possible, I think, from a
web app. It might be possible if the user installs it as a browser
extension.

More importantly: if you want to use existing, normal email addresses (eg
bob at gmail.com, with a Scramble client pointing to Gmail's IMAP server,
instead of <hash>@scramble.io) then the key exchange problem returns. If I
want to send an email to joe at gmail.com, how do I find his public key?


POP/IMAP Server
====
By design, a Scramble server never sees your email in plaintext, and has no
way to decrypt it. So a Scramble server also can't be a POP or IMAP server
that a normal client could use.

(Even if you install PGP, you'd still need a client with the following
additional modifications:
* Decrypt the subject (since Scramble encrypts both subject and body)
* Look up recipient public keys from a Scramble server when you want to
send email)

So no, you can't use Outlook with a Scramble server, and you can't use a
Scramble client with a normal email address + IMAP server.


I've thought a lot about secure key lookup for existing, human-readable
email addresses. It's a hard problem! But I agree, it would be very useful.
Best
DC

On Fri, Aug 23, 2013 at 1:53 AM, DC <dcposch at cs.stanford.edu> wrote:

> Hi everyone,
>
> I'm DC, and I've been lurking here for a few weeks :)
>
> Since the NSA leaks, I've been inspired to work on an old dream:
> end-to-end encrypted email.
>
> One difficult problem in public-key encryption is key exchange: how to get
> a recipient's public key and know it's really theirs.
> My plan is to make your email the hash of your public key.
> For example, my address is *nqkgpx6bqscslher at scramble.io*
> (I borrowed this idea from Tor Hidden Services.)
>
> This lets you build an email system with some nice properties:
> * It's webmail. I want something easy to use and understand, unlike PGP,
> so that nontechnical people can grok it.
> * Webmail has an inherent weakness: if push comes to shove, the NSA can
> compel a Scramble server to serve bad Javascript to their users. I want to
> give users the option to install the app as a Chrome extension. Same HTML,
> CSS, and JS, but served locally, so the server is untrusted.
> * You can look up someone's public key from an untrusted server, and
> verify that it's actually theirs.
> * Anyone can run a Scramble server
> * It's open source
> * All email between Scramble addresses is encrypted. Both Subject and Body
> are encrypted via PGP.
> * With some precautions, it's possible to avoid associating your real
> identity with your email address at all. This means that even From and To
> can be anonymous.
>
> Feel free to try it out! https://scramble.io/
>
> Here's a more thorough description of my design and my motivations:
> https://scramble.io/doc/
> Finally, here's a more thorough description of the technical details:
> https://scramble.io/doc/how.html
>
> Thoughts?
> Best
> DC
>
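
Added example (not part of the original message and not Scramble's code): a sketch of how a client can check a key returned by an untrusted server when the address is a hash of the public key. The hash (SHA-1), the 80-bit truncation and the base32 encoding are assumptions modelled on Tor v2 hidden service names, which the message cites as its inspiration; the keys and the two directories are constructed samples.

```python
import base64
import hashlib
import hmac

ADDRESS_BYTES = 10  # assumption: 80 bits, as in Tor v2 onion names
ADDRESS_CHARS = 16  # 80 bits encode to exactly 16 base32 characters


def address_for_key(public_key: bytes, domain: str = "scramble.io") -> str:
    """Derive the self-certifying address for a public key (assumed scheme)."""
    digest = hashlib.sha1(public_key).digest()  # assumption: SHA-1, as Tor v2 used
    local = base64.b32encode(digest[:ADDRESS_BYTES]).decode("ascii").lower()
    return f"{local}@{domain}"


def fetch_verified_key(address: str, lookup) -> bytes:
    """Ask an untrusted directory for a key; accept it only if it hashes to the address."""
    normalized = address.strip().lower()
    local, sep, domain = normalized.partition("@")
    if not sep or len(local) != ADDRESS_CHARS:
        # A human-readable address carries no key commitment, so nothing can be checked.
        raise ValueError("not a hash-derived address: " + normalized)
    served = lookup(normalized)
    if served is None:
        raise LookupError("no key published for " + normalized)
    expected = address_for_key(served, domain)
    if not hmac.compare_digest(expected.encode(), normalized.encode()):
        raise ValueError("served key does not hash to the requested address")
    return served


# Constructed sample data: opaque byte strings stand in for real public keys.
ALICE_KEY = b"constructed sample public key: alice"
MALLORY_KEY = b"constructed sample public key: mallory"
ALICE_ADDR = address_for_key(ALICE_KEY)

honest_server = {ALICE_ADDR: ALICE_KEY}.get          # returns the real key
substituting_server = {ALICE_ADDR: MALLORY_KEY}.get  # swaps in another key

if __name__ == "__main__":
    print("address:", ALICE_ADDR)
    print("honest lookup accepted:", fetch_verified_key(ALICE_ADDR, honest_server) == ALICE_KEY)
    try:
        fetch_verified_key(ALICE_ADDR, substituting_server)
    except ValueError as err:
        print("substituted key rejected:", err)
```

The same check has nothing to compare against for an address such as joe at gmail.com, which is the key exchange problem the reply describes.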