[Cryptography] What ever happened to end-to-end email encryption?

Viktor Dukhovni cryptography at dukhovni.org
Sat Aug 21 13:41:14 EDT 2021


On Thu, Aug 19, 2021 at 06:44:11PM -0700, R Perlman wrote:

> Despite PGP and S/MIME having been designed zillions of years ago, it
> seems like end-to-end email encryption/integrity protection are not
> widely used.  Which of the following is reasonably close to the truth?
> 
>    - Of course they are widely used. I'm just not aware.

No.

>    - The usability issues were not worked out. How would a user obtain
>    a public key? How would a user get a certificate? How would a user
>    know the public key of someone they are receiving from/sending to?

The actual usability barriers are NOT obtaining public keys; these only
address the data in motion problems.  The real barrier is that once
end-to-end encrypted email becomes data at rest it is effectively
unusable.

    1. Search is not addressed in most clients and servers.
       I periodically search for and read some messages that are
       many years old.

    2. Email saved beyond the lifetime of its signatures is poorly handled.

    3. Long-term storage of encrypted email in extant clients requires
       retention of all past keys.

    4. Multi-device support is difficult.

    5. Anti-spam and anti-virus are difficult.

The above could potentially be addressed, if there were any investment
going into standards-based (not walled-garden web UI) MUAs.  But that's
not the world we live in.

>    - It never reached critical mass…there were never enough people who
>    could receive encrypted email that it was worth trying to figure out how to
>    send it.

Key management is not the real problem.  If encrypted email were usable,
we'd have solved key management.  As it is, there was never enough
incentive to do that.

>    - Big companies do not want end-to-end encryption of email. They want to
>    have middleboxes be able to scan for phishing links and perhaps they are
>    legally required to keep records of all email sent to or from company email
>    addresses.

That's actually important, and not just for "big companies".

>    - Even individual users need middleboxes to scan for spam and other
>    services (such as maybe warning about dangerous links)

Yes.

>    - Ordinary users just aren't worried about having their email seen by
>    others, at least not enough to figure out how to get an email client that
>    can do encryption, obtain a key, etc.

They've clearly accepted the tradeoff.

>    - Other solutions became popular, which (I think) involve a central
>    server that a sender requests a secret key from, the sender encrypts with
>    that secret key, and then the receiver needs to ask the central server for
>    the key.  I think if a big company is using such a product, it is
>    implemented in a way that lets the company see plaintext of
>    all email to/from that company's email addresses.

This is still focused on key management as the problem, and ignores
actual usability.

>    - People don't really know what different forms of "encrypted email"
>    mean, so central-server-secret-key-style, vs end-to-end with user public
>    keys, vs using TLS between mail transfer agents all count as "encrypted
>    email"

Transport encryption is actually usable.

>    - Something else?

We don't have fully worked out (let alone deployed) models for usability
of encrypted email at rest.  This would require at least:

    * Usable search.

    * Re-encryption of received email from the medium-term traffic
      encryption key to a long-term storage key.

    * Memoised signature validation on first read.

    * The ability to efficiently rekey stored messages to an updated
      storage key (like rekeying an encrypted disk).

    ...

-- 
    Viktor.
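
An added sketch (not part of the original message, and not code from any existing MUA) of how three items in the closing list could fit together: re-encryption from a traffic key to a storage key, a memoised signature verdict, and a rekey that rewraps small per-message headers instead of message bodies. It assumes the disk-encryption analogy means key wrapping and records the verdict at ingest; `MailStore`, `seal`, `unseal` and the `verify_sig` callback are hypothetical names, and the cipher is a standard-library stand-in for a real AEAD.

```python
import hashlib, hmac, os

# Stand-in for an AEAD such as AES-GCM, built from the standard library only so
# the example runs offline: SHAKE-256 keystream plus HMAC-SHA256 tag.
def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or modified data")
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

class MailStore:  # hypothetical name, not an existing MUA or library API
    def __init__(self, storage_key: bytes):
        self.storage_key = storage_key
        self.records = {}  # msg_id -> (wrapped header, encrypted body)

    def ingest(self, msg_id, traffic_key, wire_blob, verify_sig):
        """Move a received message from the traffic key to storage keys."""
        plaintext = unseal(traffic_key, wire_blob)
        sig_ok = bool(verify_sig(plaintext))   # validated once, then memoised
        content_key = os.urandom(32)           # per-message key
        # The verdict is sealed with the content key so it cannot be flipped.
        header = seal(self.storage_key, bytes([sig_ok]) + content_key)
        self.records[msg_id] = (header, seal(content_key, plaintext))

    def read(self, msg_id):
        """Return (plaintext, memoised signature verdict)."""
        header, body = self.records[msg_id]
        opened = unseal(self.storage_key, header)
        return unseal(opened[1:], body), bool(opened[0])

    def rekey(self, new_storage_key: bytes) -> int:
        """Rewrap headers only; bodies are untouched. Returns bytes rewritten."""
        rewritten = 0
        for msg_id, (header, body) in self.records.items():
            header = seal(new_storage_key, unseal(self.storage_key, header))
            self.records[msg_id] = (header, body)
            rewritten += len(header)
        self.storage_key = new_storage_key
        return rewritten
```

After `ingest` the traffic key is no longer needed to read the message, and `rekey` rewrites 81 bytes per message regardless of body size.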

