[Cryptography] would email encryption have saved Hillary Clinton's campaign?
Philip Whitehouse
philip at whiuk.com
Sun Nov 13 12:43:24 EST 2016
On 2016-11-13 02:10, Jonathan Thornburg wrote:
> Someone whose message I mistakenly deleted :( wrote (paraphrased) that
> if Hillary Clinton's had been encrypted, she would have won the
> election.
>
> Hmm. The emails were stolen by using spear-phishing to steal the
> credentials (passwords) of legitimate users. I see no way in which
> email encryption would have been even a speed-bump.
Encryption, probably not. And without knowing the exact method of
spear-phishing, signed email might not have helped.
For example if the spear-phished email looked like it came from
hillary at clinton.com but wasn't PGP/SMIME signed by her, then if she
always signed her emails you'd know it wasn't from her.
You could do something similar with SPF of course. Lack of SPF
deployment should be a massive red-flag against a domain IMO.
Algorithms to protect against SPAM and heuristics like the above could
do a lot of damage to spear-phishing attempts. If you got an email from
LinkedIn but it wasn't S/MIME signed by LinkedIn, you'd be able to say
"well it's probably somebody trying to spear-phish my LinkedIn".
For the case of John Podesta, well, stuff like XOAUTH2 is starting to
hit popular email providers (Hotmail, Yahoo and GMail now all deploy
it). That goes a good way to help killing passwords.
It's not going to be a silver bullet but we could do better.
- Philip Whitehouse
More information about the cryptography
mailing list