[liberationtech] Why can’t email be secure? - Silent Circle Blog
katana
katana at riseup.net
Sun Aug 25 11:59:10 PDT 2013
Hi,
> I thought this was very important.
I don't think so.
> You could go a step
> further and have a server that manages keys/users for you, or a
> collection of federated servers. Such a beast might look very much
> like the PGP Universal server.
And this was the heart of SC's problems and - realistic - fears, not the
"insecure email" marketing talk. They have used PGP Universal, managed
and generated the keys for their clients, because of the mobile
computing demands(?) of their customers - or their incompetence(?) / not
existing resources to develop a mobile OpenPGP solution? As Phil said
in
<http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-problem-qa-with-silent-circle-co-founder-phil-zimmermann/>:
'We didn’t have a PGP client that could run on a smartphone, and our
market is primarily smartphone users. So how [could] we get it? Get a
server side implementation of PGP, a Symantec product called PGP
Universal, meant for enterprise customers who want to manage keys on the
servers. So that’s what we were using. But if someone comes to us and
forces us to hand over the keys, [we're in trouble.]' Yes, that is true,
if a "privacy" company like SC acts like a company with a PGP email gateway.
> As you can see, email security has become more complex than it used to
> be. In the past, securing the body of the message was sufficient. The
> tools and techniques used for snooping were not on a large enough
> scale to allow the metadata to be useful.
This is old and well known stuff since the old ZKS days. A company like
SC resp. all email privacy services need also an additional layer to
anonymize or pseudonymize emails with an infrastructure similar to the
mixmaster/mixminion network or a companion piece to email like Pond to
hide metadata and identification data too. But the error is not only on
SC's side, because we have heard for years that email is no longer
important, that all the kids are using IM and that all things are done
with the browser, so we need only an anonymization solution for transport
like Tor and so the focus went away from email and not so much was
invested to develop and fix solutions for email. Fixing the reply block
problems with mixmaster/mixminion? Develop good nym servers? Oh no,
that's not important.
But, as Ladar replied in
<http://www.democracynow.org/2013/8/13/exclusive_owner_of_snowdens_email_service>
to Amy's question 'Do you think people should use email?': 'Yeah, I
think it’s a great way to communicate ... And I think email still has a
very important role to play in communication between people.' ACK. Does
SC really think that all can be done with P2P instant messaging
solutions? I don't think so. Show me a 'liberationtech' SC P2P-IM
mailing list. Oh yeah, we have IRC channels/XMPP groupchat rooms for that?
--
Katana