[liberationtech] The missing awareness: SMTP Security Indicator in Email|WebMail clients
Fabio Pietrosanti (naif) - lists
lists at infosecurity.ch
Sat Oct 31 12:02:21 PDT 2015
Hi all,
so, the in-transit email encryption problem isn't yet solved.
The uses of opportunistic encryption with SMTP STARTTLS help, but also
this is out of the end-user control.
An email users, using a desktop, mobile or webmail client, doesn't have
any way to know if his email messages, already received or going to be
sent, will be encrypted in-transit with SMTP STARTTLS.
We are missing the ability for end-user to:
- KNOW if emails being received from Mr. X has been in-transit encrypted.
- KNOW if emails he's going to send to Mr. X are likely going to be
in-transit encrypted
That's something that can be implemented with a Thunderbird plug-in and
with a Chrome plug-in (for mostly used WebMails).
Reading
http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/
we know that 96% of Gmail traffic in Tunisia is being downgraded it's
in-transit security.
Well, without a technical analysis it would had not been possible to
know about that, unless if all the end-users would be given the
possibility by email|webmail clients to know about it.
That's a piece of technology i'd really love to see being implemented
before or later, giving back to end-users the awareness of their email
traffic security.
Whenever some project with knowledge about Thunderbird and Chrome
plug-in development would like to work on it, it would be amazing
If Mozilla and Google would implement that in their email clients, it
would be even cooler!
--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org -
https://ahmia.fi
More information about the liberationtech
mailing list