[Cryptography] Email is unsecurable

[Benjamin Kreuter]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 25 Nov 2013 09:01:31 +0300
ianG <iang at iang.org> wrote:

> PGP failed because it never succeeded in conquering the GUI clients. 
> That was in part because of what PHB calls the Betamax-VHS war.  The 
> providers of the major clients were already in the certificate camp,
> so they locked out the PGP side.  It was beyond the resources of the
> PGP group to crack that barrier.

In my experience, there is a more fundamental problem with PGP:  it
works as designed.  The problem here is that what PGP is designed to do
conflicts with the expectations users have about their email, their
usage patterns, and so forth.  People want to be able to go to their
friend's house, log in to their email using their friend's computer,
and actually be able to read it.  People use email as a way to transfer
files to computers they do not control e.g. to print from a public
library, just email yourself a PDF.

Even if PGP were the most user-friendly program ever created, it still
does the wrong thing for most people.  The problem is not the UI, it is
the system itself.

Fortunately, there is a solution that we have long been aware of, which
is smart cards.  You can plug a smart card into a computer, let it do
the decryption of your messages, and thus enjoy typical usage
patterns.  One can imagine some simple security features to help deal
with compromised computers.

Of course, standing in the way of this is the fact that such a system
would require a bunch of new hardware to be deployed, and the only
organizations that have the resources to do so (at scale) have an
interest in preventing such a system from being deployed.  The demand
among users is also a bit low, as most people do not really understand
the security implications of email (and even among those that do, it is
often not taken very seriously).  The only exception to these two
statements are banks, but banks have found other ways to deal with the
problem of insecure email.
 
> For example, consider traffic analysis or metadata or mass
> surveillance -- neither side did anything about that.  In fact, they
> made it worse. Both sides did not encrypt the entire important data,
> the Subject: being the obvious thing that wasn't encrypted.  S/MIME
> clients made it far worse by insisting that the From: field had to
> match the certificate used;  which made it a *validated surveillance
> indicator* as opposed to just another input to the spam filter.

This is a separate security problem, and there is a mountain of
research on solving it.  It is certainly a hard problem, but it is not
out of reach -- we do have anonymous remailers and they do work, albeit
with quite a bit of latency.

I think this brings up another important point:  we do not all agree on
what it means to "secure email."  Does it mean protecting the body of a
message?  Does it mean protecting headers also?  Does it just mean
authenticating the sender i.e. is digital signing enough?

> Then, the assumptions of email.  Everyone can send an email, and the 
> cost is zero.  Result: spam.

The solution is spam filtering.  Modern spam filters have basically
killed spam; the profit margins for spammers are so small that they
are barely staying in business.  Yes, a lot of that is due to third
party spam filtering i.e. spam filtering done by email service
providers, but I suspect that we could do a good enough job with
client-side filtering (maybe a little more spam would get through, but
we would not see anything like what we saw a few years ago).  Spam
filtering would also get a nice boost from message signing, since we
could associate reputations with public keys (if someone never sends
you spam, then a signature with their key is a strong indicator that
the message is not spam).

It is also worth pointing out that if we required that all email
messages were signed and/or encrypted, the rate at which spam could be
sent would plummet.  Public key cryptography is costly, and although
the recipients would have to pay for each decryption, a spammer would
have to pay as much as all the recipients combined (within a constant
factor).
 
> Hence, I've concluded that email is unsecurable.

I think this is a defeatist attitude.  For certain definitions of
security, email is very much securable.  I would love to see PGP or
S/MIME signatures on emails from my bank.  I would love if stores
encrypted the receipts they sent me.  We are not merely trying to
defend ourselves from the NSA, there are still a lot of other attackers
we need to deal with.

- -- Ben

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJSk+sRAAoJEOV0+MnZK9ij6yYP/0DlDP29GnfYe9WFrt6a5Lrq
jYlsXNSeV97D8H5BoGpm9rWfSFgYZpKriKvu0zndom9WMgZisJ6GSWAkPZ5hMsp5
D0732bDx5L0VC6BIhhXDPVhPt291woTdytTNW7kK+F8BW5xfKqcQDiKFaBAcx64K
wRInSNmEwPruKJA5tLtI2Xg5GRZDCLl9rCyQ4euLbyQSaiQly67P/l9/bMBGZ19X
7qGTHHJVJFEHcP52lOiwl2ysK0fnnnoN+cP/FUYyPNLlU7ilC4drqHGQesQxm4JK
3bQs4kEWmEAHWcAe9JcyWjeLg6yfeOkG8rn3gEuZfHpGL0zNBCKog6Yy6yl/nOa1
tWNy4PKjxX62yA0lFjMxOzvUHq9AFujXg1ihi4Jwi+bOGeS514wqnRpmSSWSc5PX
Ac3o0uAeeEVwsz3PPaOsqHZcdMYTAFFeS/8uNhQ63gErG4Fx52eToZR85IljT2sy
CB0Ucmop14ixxbTw5lW7hlqcEMYImktnLtGkjRgdFjejeHg3TcqZJoMe3ygsC0/m
DPQODydU77QXUzc9mplSbpu7JnX8MTsdIbHeb5PI4drJYO+DIaqzhMUIqY7tKJHL
aM4nVief8OxlCQbPVfDvAv4CUe3Tskldrz9iKjKtvYgroKfXf2GLzfSr4nXGClDa
bfr4gV8jrmO0bmaHFOpL
=v1Xu
-----END PGP SIGNATURE-----