16

In a different Question, in the first answer is written that some meta data doesn't get encrypted.

What you shouldn't forget about encrypted e-mail, is that while the message body is properly encrypted, some meta data like the subject, sender or receiver aren't.

What is the reason that Proton Mail doesn't encrypted some meta data?

forest
  • 64,616
  • 20
  • 206
  • 257
Nightscape
  • 329
  • 4
  • 12

2 Answers2

31

Proton Mail uses an encryption format called OpenPGP. It is only designed to encrypt the message. Unless the subject is put in the message and the subject field is left blank, the subject will be kept unencrypted. The e-mail sender and receiver fields, on the other hand, need to be unencrypted for proper routing to occur. This is all a limitation in the design of e-mail, a default unencrypted system.

Community
  • 1
forest
  • 64,616
  • 20
  • 206
  • 257
  • 1
    So, in *any* email system, the sender and receiver will be unencrypted? Didn't realize that, good to know! – BruceWayne Oct 24 '18 at 15:02
  • 1
    Same as in HTTPS - The destination url/servers IP/clients IP has to be unencrypted even when the body is encrypted so that network infrastructure can route it. – razethestray Oct 24 '18 at 16:02
  • Why does the sender have to be unencrypted? And the receiver field can be hidden with onion routing. – Acccumulation Oct 24 '18 at 16:13
  • 16
    @Acccumulation See the last sentence of the answer. It's not that you couldn't design *a messaging system* where these fields weren't plaintext; it's that *the standard e-mail protocol* (SMTP) requires these fields to be plaintext. – IMSoP Oct 24 '18 at 16:22
  • 3
    @razethestray In https url is encrypted, though the domain is often not. – CodesInChaos Oct 24 '18 at 16:55
  • 8
    @IMSoP SMTP wouldn't care if PGP just used a fixed subject like "Encrypted Message". Leaving the Subject unencrypted is PGP's fault. – CodesInChaos Oct 24 '18 at 16:57
  • This answer does not seem to answer the question at all. The OP asks *why* those fields are unencrypted, not *whether* all fields are. Technically, it would easily be possible to take great care to remove *any* non-routing-relevant parts of the header and move them into the encrypted body, either stripping them from the header/envelope, or replacing them by innocuous dummy values, as part of the OpenPGP design. – AnoE Oct 24 '18 at 17:04
  • @AnoE How would you be able to route properly with dummy data? – Nightscape Oct 24 '18 at 17:13
  • 1
    @AnoE PGP, from which OpenPGP derives, was not designed only for e-mail. It was, and is, fully general-purpose. – user Oct 24 '18 at 17:15
  • @Nightscape, " to remove any *non-routing-relevant* parts of the header" – AnoE Oct 24 '18 at 18:23
  • @αCVn, I see you addressed my comment in your own answer - that's what I meant (I know PGP, GPG, (S)MIME etc. pretty well). – AnoE Oct 24 '18 at 18:26
  • 2
    @CodesInChaos SMTP wouldn't care, but e-mail clients would consider that string, without any further processing, to be the subject line *of every single e-mail*. To actually encrypt the subject, there would need to be some standard place for the "real" subject to be stored in the body, or a standard way of encoding the encrypted subject header. After all of which, you'd still have all the SMTP routing information in plain text, and the more you rewrite the header processing, the more you're inventing your own messaging protocol, rather than using SMTP. – IMSoP Oct 25 '18 at 08:46
  • @CodesInChaos I believe the subject is left unencrypted because they have yet to develop a search features that works on encrypted content. Right now, you can only search for text that is located on the subject of the email and not in the body. I believe when they will have developed the encrypted search feature, subject will be encrypted to. – Xavier59 Nov 23 '19 at 22:03
11

As already discussed, Proton Mail uses OpenPGP (RFC 4880).

OpenPGP traces its roots to the original Pretty Good Privacy, written by Philip Zimmermann in 1991. At that time, while Internet (SMTP) e-mail was accessible, primarily via research institutions (general Internet access started to become a thing around 1994-1996), Internet access was far from common among the general public.

Given that, it's not surprising that PGP's message structure and file formats are general-purpose in design. While encrypted e-mail is a major use case for PGP, GnuPG and other OpenPGP implementations, that's not the only way they can be used. (For example, I use GnuPG to encrypt large blobs of compressed data before uploading them to a cloud storage provider for backup purposes.)

Therefore, the OpenPGP standard cannot mandate a particular plaintext message structure. Doing so would go against its general-purpose nature.

However, Internet (SMTP) e-mail does have a structured format. There's envelope data (which is technically outside of the message), header data and body data (which itself can be structured, for example as described in the MIME standard).

The envelope data is used for message routing, and primarily consists of the sender and recipient e-mail addresses. These must be accessible to any mail server along the message's path, and although the sender e-mail address can be masked (VERP is one variation of that), it must be valid. One can't hide these from the mail servers yet claim to do SMTP e-mail. However, a large fraction of Internet e-mail these days is protected by SMTP STARTTLS encryption, which is opportunistic and typically unverified, but does protect against passive eavesdropping. Depending on your threat model, that may be good enough; best current practice in Internet protocol design is to consider pervasive monitoring to be an attack which should be mitigated where possible in new designs.

The header data contains trace headers (Received:), subject, sender, recipients (except the Bcc field), message threading information, and a variety of other diagnostic data, technical information and other message metadata. Some of this must be unencrypted; for example, Received: headers are added by mail servers, which may not have knowledge of who the ultimate recipient is. Since it's all lumped together, the common approach is to just keep it all unencrypted (within the opportunistically encrypted channel) in transit. Doing it otherwise would require revisiting the basic standards governing the Internet e-mail format, which go back at least to RFC 822 from back in 1982.

The distinction between envelope and header data is also why you can receive an e-mail that doesn't show your e-mail address in any of the recipient fields.

The body data is what you normally might think of as the e-mail, and contains whatever you write typically in the large text field in the mail client. MIME can support carrying a payload that is encrypted, signed or both; usually either S/MIME or PGP/MIME.

It would be technically possible to retrofit e-mail such that certain metadata fields are moved to within the MIME data instead of the header section of the e-mail. Doing so might even be relatively easy, since the MIME payload can itself be an entire e-mail message (headers and body, but not envelope data). However, this would require specialized mail client support (it would no longer be Internet e-mail, but rather something that uses Internet e-mail as its transport layer and for inspiration for its structure), and it would also require the entire message to be decrypted before the protected header fields can be viewed or otherwise worked with, including for example searched for.

My understanding is that this has just not been seen as a priority, given that it is relatively easy for the user (assuming, that is, that they are aware of the need) to restrict their use of the fields that do end up in the unencrypted header section. Recent, fairly widespread deployment of SMTP STARTTLS, as well as the generally low amount of end-to-end (as opposed to transport) encrypted e-mail traffic, has likely done little but reinforced this.

And that's almost certainly why Proton Mail doesn't encrypt such metadata when sending e-mail across the Internet.

Community
  • 1
user
  • 7,670
  • 2
  • 30
  • 54