Brother, can you spare a DIME for holy grail of secure webmail?
Lavabit man's new project: One of security's thorniest problems
Feature Lavabit founder Ladar Levison promised attendees at security conference DefCon that he'd carve out a secure messaging service from the wreckage of the email service favoured by rogue NSA sysadmin Edward Snowden within six months.
The Dark Internet Mail Environment (DIME) project is promising, but recent problems experienced by others attempting to put together snoop-proof email platforms show that Levison and his partners at Silent Circle are grappling with one of the most difficult problems in computer security.
Levison pulled down the shutters on Lavabit rather than handing over crypto keys that would have given the FBI access to everyone's email on the site – and not just those of their presumed target, NSA leaker Edward Snowden.
The Lavabit founder earned the respect of privacy activists, and the ire of the Feds, by responding to a court demand to hand over SSL certificates by printing the keys in 4-point font described by one prosecutor as "largely illegible". He eventually complied with the order before closing the service.
Can you spare a DIME?
The Dark Mail Alliance, announced last year, has evolved to become the Dark Internet Mail Environment (DIME). Levison unveiled the latest plans for the project at DefCon.
DIME aims to be so secure that not even its administrators can read messages sent and received by its clients.
The service will come with three security modes: Trustful, Cautious and Paranoid. When using Cautious and Paranoid modes, a user's email messages will be encrypted by keys that don't leave their device. DIME's operators will never have access to these keys, a move that is also designed to make the service more resistant to government-backed spying and over-arching law enforcement requests.
Messages sent through DIME will be segmented so that only the recipient and sender see the full contents of each email's headers. Headers are encrypted and envelope information is separated out so that each node has only enough information to get to the next hop.
The approach is designed to minimise the generation of metadata around the comms.
Encryption key management has traditionally been a bug bear for secure email users. DIME is adopting cryptographic profiles, dubbed "signets", that could be shared with trusted users and would operate much like PGP. The DIME client - called Volcano - is a fork of the Thunderbird open-source email client developed by Mozilla.
It is hoped that a beta for the new service might be ready in time for next Chaos Communications Congress in Germany.
Dozens of products and services have emerged to fight spying and restore privacy in the wake of the Snowden revelations. The discovery of severe flaws in two webmail services touted as "spy-proof" has illustrated the difficulty of providing secure email.
Both ProtonMail and German startup Tutanota were forced to acknowledge that their webmail services were vulnerable to a cross-site scripting bug despite boasting it offered an "NSA-proof email service".
Both websites perform message encryption and decryption in the browser, keeping the crypto keys in the hands of the users and out of reach of hackers and spies, at least in theory.
Roth told El Reg that the whole model of delivering secure webmail is flawed.
Part of the problem is that secure webmail services leave unnecessary ports open, increasing the potential for attack. For example, Protonmail left FTP, SSH, VNC and a DELL OpenManage console ports open, according to Roth. But the problem goes wider than that, according to the German security expert.
"As long as a hacked server can cause a compromise of the users, I won't use or recommend secure webmailers," he concluded.
Crypto researchers have previously uncovered flaws in Lavabit, which even Edward Snowden trusted (at least up to a point).
Gold standard devalued
PGP has been held up as the gold standard for email security for decades, despite problems with key management and usability. Last week influential cryptographer Matthew Green said it was "time for PGP to die" because of usability and other problems.
Green called for a move away from attempts to retrofit encryption into inherently insecure email systems and towards building networks designed from the ground up to protect messages from eavesdroppers. He named TextSecure and DarkMail as potentially interesting projects that are moving in this direction.
Secure webmail appears to be a particularly difficult problem.
Jon Callas, CTO of Silent Circle and co-founder of the Dark Mail Alliance, told The Register that "doing secure webmail is hard" because of problems such as XSS attacks, among other factors.
Although several startups have emerged with promises of offering spy-proof webmail services, users would do well to be wary of such claims, warns Callas.
"It's almost inevitable that there are going to be problems in services from someone who thinks it ain't that hard to provide secure webmail," he says.
Callas, who worked with Phil Zimmermann on PGP prior to their collaboration at Silent Circle, went on to outline the basic design principles behind what started out as the Dark Mail Alliance.
"Email is based on a design that's now 40 years old. You can encrypt the content but not the metadata. We've decided to step back and find something more secure by building a secure app that runs inside a browser," he explained.
And, of course, the best efforts of the computer scientists behind DIME to build a secure, encrypted email system that's surveillance-resistant would still rely on using it on devices that aren't afflicted by malware. ®