Sla.ckers.org
Who's got it? Who's giving it away? How to protect your privacy and steal it from other people. For intellectual privacy, personal privacy, and blackhats alike... 
Email Privacy
Posted by: idisappear
Date: April 08, 2012 05:41PM

Using free web Email, everything is stored on servers of the company providing the service and that company (inferring from the ToS agreements I read) can read all of my messages. Archiving everything with a company who has every right to access my inbox also increases risk of government obtaining messages. According to the EFF, subpoenas to Email providers are more likely than wiretapping and searches. A public/private key system of encryption is strong but doesn't solve the issue. If I am assuming correctly, encryption can only be achieved if both parties (sender and recipient) communicating opt to use it. The overwhelming majority of people don't. I read an interview of a Hushmail employee who stated he never used encryption with Hushmail because almost nobody else does. If those assumptions are correct and I want to conveniently and privately exchange mail with most people, then encryption will not suffice to provide privacy. Could that interview be obsolete? Does anyone disagree with anything so far? Have I overlooked anything?

Storing Emails on my own computer is the idea I want to explore. If I set up my own Email server/host, wouldn't I need to leave it running 24/7 to ensure I can receive an Email any time? Maybe this is a dumb question, but can I store Email messages on my computer without them being archived by an online web mail provider, and without leaving my computer on 24/7? Also, if I left the computer running 24/7, wouldn't it just open another port on my computer and just divert the potential method of attack?

Re: Email Privacy
Posted by: Albino
Date: April 09, 2012 05:05PM

You don't need to run your own email server to achieve that. Just use a provider that provides delete-is-delete functionality (eg not gmail) and an email client that stores the messages locally. I use this approach myself, just remember to make backups.

Make sure you're clear on who you're worried about and what capabilities they have. Someone burning a 0day to hack an email server is on a different level from a subpoena. If you're concerned about hackers rather than subpoenas, gmail might be a better choice; it's the only email provider that offers a vulnerability bounty, for a start.

Finally, it's my experience that the most sensitive emails I send are to people who use public key encryption (Mozilla, zero day initiative)

-------------------------------------------------------
Research blog

Re: Email Privacy
Posted by: idisappear
Date: April 09, 2012 08:04PM

How can I truly know that a provider does or doesn't have "delete-is-delete" functionality? Do you know of any providers that grant enough control to actually wipe the Emails or access them with a command prompt? There have to be website hosts that also offer Email that can be accessed via FTP/SFTP, right?

Re: Email Privacy
Posted by: Albino
Date: April 10, 2012 04:47AM

I'd hazard a guess that most of the smaller email providers would, probably the ones with tight mailbox size limits. You could ask them to confirm, as long as you phrase it right. If you want to pay for hosting you might as well get a VPS and install the email server yourself; that way you can make sure it's relatively secure. However if you take this approach you'll have to worry about uptime and not getting added to spam blacklists.

-------------------------------------------------------
Research blog

Re: Email Privacy
Posted by: infinity
Date: April 11, 2012 08:30AM

Hi idisappear,

from my experience almost nobody uses public key encryption for email communication, even for sensitive information like passwords. Everything is sent in plain text. Nobody has ever asked me about a public key. The last time when I asked somebody for a public key all I got was a blank stare like this: o_o

If you are worried that someone might read your emails you really should use some form of encryption, because otherwise the mail will be transmitted in plain text.

One possible problem is that in the future new methods could be discovered to break some of the cryptographic systems which are in use today and considered safe. Maybe somebody finds a way to solve the problem of computing discrete logarithms or the problem of large integer factorization - both of which are difficult problems today, no efficient algorithms for ordinary computers are known (as far as I know). Or maybe some genius will construct a working and cheap quantum computer for everybody. Today it is easy to break most ciphers of the past.

Another problem is traffic analysis: even if some form of encryption is used it will be possible to deduce some information from the patterns in communication. This is somehow like “One cannot not communicate”, one of the axioms of theory on communication of Paul Watzlawick:

Quote

“Every behavior is a kind of communication. Because behavior does not have a counterpart (there is no anti-behavior), it is not possible not to communicate. Even if communication is being avoided, that is a way to communicate.”

Source: http://en.wikipedia.org/wiki/Paul_Watzlawick

I think that most free mail providers will always put a clause in their terms of service which states that they will cooperate with the police or the government or whoever seems to be in charge, because most of them will try to run a profitable business, maybe based on advertising or affiliate marketing. Being shut down by the authorities is not compatible with most business models.

Maybe you as a user of a mail service have agreed to some terms of service, but people who send emails to your address have generally not agreed to the same terms of service and their emails may be treated in the same way. For example, the emails which you receive from other people may be stored indefinitely even after you have deleted them.

Even if you have your own mail server and you can be sure that deleted mails are actually deleted, you can never be sure where the mails which you send to others will end up. They might be stored until the end of time, sent to other people, or read by people from the IT department of the company. If you have used some encryption, it is possible that your (possibly confidential) mail will be sent to other people unencrypted.

Maybe it is better to regard everything which is transmitted in emails as contributing to the “world’s information”, which may be visible and searchable one day to the whole world.

Quote

“Google’s mission is to organize the world’s information and make it universally accessible and useful.”

Source: http://www.google.com/about/company/

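The traffic-analysis point in the post above, as an added example that is not part of the original thread: it parses three constructed messages whose bodies are stand-ins for PGP ciphertext and shows what a mail provider or relay can still tabulate from the headers alone. All addresses, dates and subjects are constructed, and the function names are hypothetical.

```python
from collections import Counter
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime


def _sample(sender, rcpts, date, subject):
    # Constructed message: the body stands in for PGP ciphertext, the headers
    # are what every relaying server and mailbox provider still reads.
    return (
        f"From: {sender}\nTo: {rcpts}\nDate: {date}\nSubject: {subject}\n"
        "Content-Type: text/plain\n\n"
        "-----BEGIN PGP MESSAGE-----\n"
        "(constructed placeholder, not real ciphertext)\n"
        "-----END PGP MESSAGE-----\n"
    )


SAMPLES = [  # constructed addresses and dates
    _sample("alice@example.org", "bob@example.net",
            "Mon, 09 Apr 2012 23:10:00 +0000", "re: tonight"),
    _sample("alice@example.org", "bob@example.net",
            "Tue, 10 Apr 2012 23:40:00 +0000", "re: tonight"),
    _sample("bob@example.net", "alice@example.org, carol@example.com",
            "Wed, 11 Apr 2012 08:30:00 +0200", "fwd: plan"),
]


def visible_metadata(raw):
    """Return what is readable without any decryption key."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    return {
        "from": getaddresses([msg.get("From", "")])[0][1].lower(),
        "to": sorted(a.lower() for _, a in getaddresses(msg.get_all("To", []))),
        "when": parsedate_to_datetime(msg["Date"]),
        "subject": msg.get("Subject", ""),  # classic PGP leaves headers in the clear
        "body_encrypted": "BEGIN PGP MESSAGE" in body,
    }


def contact_graph(raws):
    """Count messages per (sender, recipient) pair and per UTC hour of day."""
    pairs, hours = Counter(), Counter()
    for raw in raws:
        meta = visible_metadata(raw)
        for rcpt in meta["to"]:
            pairs[(meta["from"], rcpt)] += 1
        hours[meta["when"].astimezone(timezone.utc).hour] += 1
    return pairs, hours
```

Calling `contact_graph(SAMPLES)` yields who writes to whom, how often and at what hour, even though every body is opaque.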
Re: Email Privacy
Posted by: idisappear
Date: May 13, 2012 01:14AM

I appreciate the responses, especially your lengthy post, infinity. When you expounded on the problems with privacy, I at least felt like I was sane in the context of messages and archiving. I may be in a minority of people for treating electronic communication entirely differently from verbal communication, but I am apparently in the majority with respect to security forum users.

When I have the knowledge and money, I will host my own Email server on a secure OS like OpenBSD. Purchase a domain name from a foreign country that does not have strong sharing agreements with my own. I will encourage people who do not want to put effort into encryption to use a user-friendly, HTTPS website with a form/app that encrypts messages before sending them.
