[Cryptography] What ever happened to end-to-end email encryption?
Viktor Dukhovni
cryptography at dukhovni.org
Sat Aug 21 13:41:14 EDT 2021
On Thu, Aug 19, 2021 at 06:44:11PM -0700, R Perlman wrote:
> Despite PGP and S/MIME having been designed zillions of years ago, it
> seems like end-to-end email encryption/integrity protection are not
> widely used. Which of the following is reasonably close to the truth?
>
> - Of course they are widely used. I'm just not aware.
No.
> - The usability issues were not worked out. How would a user obtain
> a public key? How would a user get a certificate? How would a user
> know the public key of someone they are receiving from/sending to?
The actual usability barriers are NOT obtaining public keys, these only
address the data in motion problems. The real barrier is that once
end-to-end encrypted email becomes data at rest it is effectively
unusable.
1. Search is not addressed in most clients and servers.
I periodically search for and read some messages that are
many years old.
2. Email saved beyond the lifetime of its signatures is poorly handled.
3. Long-term storage of encrypted email in extant clients requires
retension of all past keys.
4. Multi-device support is difficult.
5. Anti-spam and anti-virus are difficult.
The above could potentially be addressed, if there were any investment
going into standards-based (not walled-garden web UI) MUAs. But that's
not the world we live in.
> - It never reached critical mass…there were never enough people who
> could receive encrypted email that it was worth trying to figure out how to
> send it.
Key management is not the real problem. If encrypted email were usable,
we'd have solved key management. As it is, there was never enough
incentive to do that.
> - Big companies do not want end-to-end encryption of email. They want to
> have middleboxes be able to scan for phishing links and perhaps they are
> legally required to keep records of all email sent to or from company email
> addresses.
That's actually important, and not just for "big companies".
> - Even individual users need middleboxes to scan for spam and other
> services (such as maybe warning about dangerous links)
Yes.
> - Ordinary users just aren't worried about having their email seen by
> others, at least not enough to figure out how to get an email client that
> can do encryption, obtain a key, etc.
They've clearly accepted the tradeoff.
> - Other solutions became popular, which (I think) involve a central
> server that a sender requests a secret key from, the sender encrypts with
> that secret key, and then the receiver needs to ask the central server for
> the key. I think if a big company is using such a product, it is
> implemented in a way that lets the company see plaintext of
> all email to/from that company's email addresses.
This is still focused on key management as the problem, and ignores
actual usability.
> - People don't really know what different forms of "encrypted email"
> mean, so central-server-secret-key-style, vs end-to-end with user public
> keys, vs using TLS between mail transfer agents all count as "encrypted
> email"
Transport encryption is actually usable.
> - Something else?
We don't have fully worked out (let alone deployed) models for usability
of encrypted email at rest. This would require at least:
* Usable search.
* Re-encryption of received email from the medium-term traffic
encryption key to a long-term storage key.
* Memoised signature validation on first read.
* The ability to efficiently rekey stored messages to an updated
storage key (like rekeying an encrypted disk).
...
--
Viktor.
More information about the cryptography
mailing list