[Cryptography] would email encryption have saved Hillary Clinton's campaign?

[Philip Whitehouse]

On 2016-11-13 02:10, Jonathan Thornburg wrote:
> Someone whose message I mistakenly deleted :( wrote (paraphrased) that
> if Hillary Clinton's had been encrypted, she would have won the 
> election.
> 
> Hmm.  The emails were stolen by using spear-phishing to steal the
> credentials (passwords) of legitimate users.  I see no way in which
> email encryption would have been even a speed-bump.

Encryption, probably not. And without knowing the exact method of 
spear-phishing, signed email might not have helped.

For example if the spear-phished email looked like it came from 
hillary at clinton.com but wasn't PGP/SMIME signed by her, then if she 
always signed her emails you'd know it wasn't from her.

You could do something similar with SPF of course. Lack of SPF 
deployment should be a massive red-flag against a domain IMO.

Algorithms to protect against SPAM and heuristics like the above could 
do a lot of damage to spear-phishing attempts.  If you got an email from 
LinkedIn but it wasn't S/MIME signed by LinkedIn, you'd be able to say 
"well it's probably somebody trying to spear-phish my LinkedIn".

For the case of John Podesta, well, stuff like XOAUTH2 is starting to 
hit popular email providers (Hotmail, Yahoo and GMail now all deploy 
it). That goes a good way to help killing passwords.

It's not going to be a silver bullet but we could do better.

- Philip Whitehouse