Email Encrypting and Protecting Privacy

I've looked through Stack Exchange before asking this question to see which is the most pertinent place to ask this, and it would either be here or Security Exchange. As some of you know, Lavabit and Silent Circle shut down, because they respect their users privacy and currently there's a battle going on here in the USA about privacy and the internet (this discussion may also be spreading in other areas too).

Is there an alternative to these that the U.S. Government can't shut down (would this mean that they are non-US companies) that anyone knows of? I ask because, for an example, if I wanted to send stock trading information to a friend (we talk about "value investments" regularly and why we like them, or how we've tweaked our methods to be more precise), I don't want employees (or anyone really) outside of my friend to know this information, which is the purpose of privacy protection. If "officials" can access it, on some level, others probably can too. Or, some really advanced hackers could theoretically obtain that information (which is why them storing this data is disturbing because this is the same institution that couldn't prevent the Tech Bubble in 2000, the Housing Bubble in 2009, and on and on ...).

Question3CPO

Posted 2013-08-09T19:36:34.140

Reputation: 283

– Ƭᴇcʜιᴇ007 – 2013-08-09T21:01:05.310

Answers

An alternative that cannot be shut down is to not rely on such services at all, and to use end-to-end encryption; instead of having a remote server hold your keys, hold them yourself.

For email, [Open]PGP (GnuPG) is relatively common. (I've heard that even Silent Circle just used PGP Universal behind the scenes.)

Another option is S/MIME, although it requires each person to buy or otherwise obtain an X.509 certificate, which can be expensive; on the other hand, more email clients have built-in support for it. (It seems to be common in Active Directory-based corporate environments, now that I think of it.)

(For both PGP and S/MIME, keys can be stored in smartcards instead of your computer. However, both have a downside of not supporting forward-secrecy – anyone who has your private key can read all messages you receive, both past and future.)

For instant messages over various protocols, Off-the-Record is popular.

PGP can be used over XMPP (Jabber) as well, but even fewer clients support that, and it's not possible with other protocols because PGP encrypted+signed messages become too large.

user1686

Posted 2013-08-09T19:36:34.140

Reputation: 283 655

Right. Many of these services do not offer proper security at all. For instance LavaBit only encrypted the mail while stored on their server (https://www.grc.com/sn/sn-413.txt), but it was still sniffable 'in transit'. Your best bet is always to encrypt before it leaves your machine, and decrypt only at the receiver end, with no plaintext or encryption keys being stored at any stage in between.

– Jan Doggen – 2013-08-09T19:55:58.620

If a service/protocol/layer does not provide encryption or reliable encryption, and you want it, there is usually nothing stopping you from adding it yourself.

This may seem silly, but I think it would work in a pinch: Install 7-zip, write your messages in a text file, and then place them in an encrypted 7-zip archive with a password the other end knows beforehand, that you do not transmit over email or an insecure way, of course. You can then send this as an attachment and nothing in the middle can do much with it (at least not while AES-256 is a viable algorithm).

It's probably a good idea if you try to make your messages all the same size as well, or at least do what you can do de-correlate the apparent size of the message from the actual size (i.e., throw some pictures in the .zip each time).

LawrenceC

Posted 2013-08-09T19:36:34.140

Reputation: 63 487

I guess this is far to the 'security' end of "security vs convenience". – user1686 – 2013-08-10T16:37:52.407

Cool, didn't thought of this solution before. – Pacerier – 2014-02-11T16:38:20.180