Original URL: http://www.theregister.co.uk/2014/01/24/ex_nsa_cloud_guru_email_privacy_startup/

Ex-NSA guru builds $4m encrypted email biz - but its nemesis right now is control-C, control-V

Virtru claims it can prevent leaks, but first it's gotta get out of beta

By John Leyden

Posted in Security, 24th January 2014 10:32 GMT

Analysis A security startup founded by a former NSA bod has launched an encrypted email and privacy service, aimed initially at ordinary folks.

The ongoing revelations of PRISM and other US-led internet dragnets, fueled by leaks from whistleblower Edward Snowden, may render the premise of upstart Virtru laughable. However, that would be unfair to Virtru, which is trying to make encryption and decryption of email, plus the revocation of messages and other privacy controls, easy to use.

Its execs told El Reg that Virtru aims to do for secure email what Dropbox has done for sync-and-share. Crypto-protected email will be offered for free, and more advanced features, such as finding out where sent emails are forwarded, will carry a price tag. There are also plans in the works to license Virtru's encryption technology to businesses.

The startup has developed plugins that, in theory, let users control how emails and attachments sent to others are shared and viewed. The technology – today in beta – is compatible with Gmail, Yahoo!, Outlook mail providers, and Chrome, Firefox and iOS 7 Mail software (wider platform support is in the works).

Just tell us which cipher they're using

Virtru uses the tough AES-256 algorithm to encrypt every message with perfect forward secrecy before it leaves a computer or device, which is a good start. It wraps each missive in a container that requires permission from Virtru's servers to unlock it. This way, the startup can claim it never holds the actual data sent – just the encryption keys needed to decrypt a message. If you don't like the idea of Virtru's cloud holding your keys, you can set about creating your own one if you ask nicely.

So, having received an encrypted mail via your email provider, your mail client needs to contact the Virtru key store to get the unlock key and decrypt the message on your device or computer. Each message has its own unique key.

Thus, in theory, this mechanism can be used to revoke emails at any time, by refusing to hand over the decryption key and rendering the message and any attachments unreadable. The sender can also, again in theory, restrict the forwarding of a message because whoever ends up with the email may not have permission to download the unlock key from the key store. Similarly, you can finely control who exactly can open a Virtru-encrypted memo by restricting access to the decryption key. There's also the ability to give emails an expiration date.

The technology uses the Trusted Data Format (TDF PDF), an open-source security wrapper created by Virtru co-founder Will Ackerly. It's used by the intelligence community to secure sensitive data, we're told. Ackerly served for eight years at the NSA as a cloud security architect prior to founding Virtru in 2012.

Virtru complements the TDF technology with patented encryption-key management that, the company claims, makes it possible to control the fate of an email and its attachments even after it has left the sender's outbox. You can use OpenID and OAuth protocols to verify your identity to the key store via your email provider – whether that's Gmail, Yahoo! or Microsoft.

A bare-bones explanation of how Virtru's technology works can be found on its website, here. There's more info about the company's backend systems, here and even source code, here.

Recipients view encrypted emails in Virtru's Secure Reader web plugin, which handles the cryptography and access controls, as demonstrated in this brief video:

Youtube video

The in-browser reader plugin is written in JavaScript, with a mix of Component, JQuery, SJCL and Caja and others. A spokeswoman told us: "In addition, we have cryptographic components written in C and compiled to NaCl [Google Native Client] for accelerating encryption of attachments, but we have not yet released that version."

Breaking Virtru

So, say Alice uses Virtru to send an encrypted message with attachments to Bob, with settings in place to prevent Bob from forwarding the missive and ultimately revoking access to it in 24 hours. What is stopping Bob from cut'n'pasting the contents of the email before the expiry deadline, or saving the attached decrypted files to disk, and then giving the supposedly protected data to his friend, Eve?

We put this to Virtru, which told us in a statement that, at the moment, there's nothing stopping Bob from dumping the plain text out of the Virtru system:

In short, today we are not guaranteeing that a user won't have persistent access to plain text once they authenticate and are granted access to a TDF key. However, we will be rolling out persistent protection options in the coming weeks, As such, we explicitly allow copy and paste and unwrapping of all attachments, until we release these additional features.

We are in the midst of testing 'persistent protections' across our platforms. Given the importance of assuring that these features cannot be subverted, we are waiting to release them until we have such assurances across the spectrum of platforms.

Even if Virtru is able to disable control-C, control-V in the browser, the decrypted plain text will be in memory on the device, and a user will be able to extract that – there are many programming tools that can freeze the browser application and root out the unencrypted goods.

Virtru told us it will consider using anti-piracy tech in modern browsers to keep TDF data away from prying debuggers, or simply watermark the message so that any leaks can be traced:

For the browser we are pursuing the use of emerging technologies such as Encrypted Media Extensions (EME) to help ensure such protections even in an open source client, and in the mean time leveraging HTML5 features like Canvas to flatten and watermark content before it is injected into the webpage.

Our next thought was: bypass the browser plugin, and just download the keys from Virtru to decrypt the TDF package using your own software and save the plain text to disk. Or hijack the key-fetching code in the plugin using debugging tools.

Virtru reckons it can thwart that by only handing decryption keys to trusted applications – which presumably are programs that can cryptographically prove their authenticity to the server. The reader may have to be digitally signed to prove it hasn't been compromised to leak plain texts and keys. A spokeswoman for the startup told us:

For TDF, any file or message without persistent protection obligations may be opened by any app that supports TDF, even one you write on your own. Where there are obligations such as copy/print and unwrap protection, we must ensure that we are delivering keys to an application we can trust, and there are some techniques that may be leveraged that have varying levels of assurance.

Gaining this trust will vary per application and per platform. Some of the strongest mechanisms are available in modern mobile devices, but are weaker on older desktop environments. In many cases it will require signed code, and we may be able to rely on delivering EME extensions when the technology matures.

Essentially, Virtru will have to play a game of whack-a-mole with anyone attempting to break its system. There are many avenues of attack, each of which the startup will have to secure, if that's even possible given the available software interfaces: only one slip up will blow the thing out of the water.

Its developers will have to trust so many layers of code, from the browser down to the operating system, to enforce its touted message access system. At least revoking a message sent in error will work as expected, provided it's revoked before the decryption key is fetched.

Alice should just trust Bob, and hope he doesn't betray her or get hacked, because, ultimately, Bob could use a camera, or a screenshot tool, to leak the information to Eve, or simply share his Gmail password. Virtru, or its users, could use watermarking, or the old-fashioned technique of slightly altering each document, to trace and identify leakers. Simple steps that could render the aforementioned elaborate defences redundant.

And this is assuming the online decryption key store is hacker-proof.

That aside, and with millions of dollars in funding, Virtru is serious about secure email – even vowing to fight government demands for folks' decryption keys.

'Building trust is the core of our business'

Chief exec John Ackerly, who cofounded the biz with his brother Will, told El Reg that while they're big on email privacy, Virtru's technology offered no anonymity. "The focus is on protecting content – not anonymity," he explained.

Their company's software has been audited by iSec Partners, the security firm called in to audit TrueCrypt, the widely used file and disk encryption software.

The Ackerly brothers are working with privacy campaigners such as the American Civil Liberties Union and the Electronic Frontier Foundation. "Building trust is the core of our business," John Ackerly told us. "It's the right thing to do given our mission."

Virtru has rules in place for dealing with g-men who come knocking for a citizen's crypto-keys: its privacy policy is open what the level of privacy its users can expect. The FAQ on how it cooperates with government surveillance requests states:

We won’t provide your keys to anyone without your consent – unless we are ordered to divulge them by a judge with jurisdiction over us. If we are ordered to divulge them, we will fight for you to have notice and an opportunity to object.

Another section states that it won't be a part of internet dragnets, although it may not have a choice in this:

Would Virtru cooperate with broad surveillance orders permitting blanket surveillance by the NSA or other government agencies?

No – we do not think the law requires this, and we would fight an order to cooperate.

All of which sounds upstanding, but we've been let down in this area by other providers despite reassurances to the contrary. It's difficult to be wholly reassured. Asked directly whether they had a backdoor in their product, the Ackerly brothers said "no", as anyone would be bound to say. Both took this blunt question in good humour.

"People will be watching carefully," explained John Ackerly, a former associate director of the National Economic Council and official in President George W Bush's White House. "There's a healthy scepticism. And we want to be transparent from a legal perspective."

Secure webmail is a difficult and perhaps intractable problem given the limitations of the architecture. By default, email is like a postcard, readable by anyone it happens to pass by. And even encrypted email betrays metadata - such as the sender and recipient and the time messages were sent.

End-to-end encryption using cryptographically powerful packages such as PGP are the only way to shield the contents of a message. Webmail services such as Hushmail that touted secure communications have fallen short of their promises in the past – well before users were aware of the lengths intelligence agencies go to to secretly hoover up all internet traffic.

PGP guru Phil Zimmerman's Silent Circle shut down its secure email service in August rather than face the possibility of receiving a secret court order to compromise its users, which happened to the email provider Lavabit used by Edward Snowden.

Since then, Lavabit founder Ladar Levison has teamed up with the peeps behind Silent Circle to form the Dark Mail Alliance, a group dedicated to creating an end-to-end encrypted alternative to email that would guard against eavesdropping. The Dark Mail Alliance is looking to develop an Email 2.0 that offers superior privacy.

What Virtru can offer, however, is the ability to send official documents, such as tax returns, securely online. Its encrypted email capabilities for consumers can loosely be compared with those offered by Hushmail. It's an imperfect comparison, admittedly, but serves to illustrate a more general point.

Hushmail, which offers web-based PGP-encrypted email and file storage, is based in Canada, but users with long memories will recall that Hush Communications was obliged to turn over clear text copies of email messages associated with several addresses back in 2007. This was the result of a court order under a Mutual Legal Assistance Treaty between Canada and the US, as a part of a drug trafficking investigation.

Hushmail's marketing claims at the time stated that not even its own staff could access encrypted email, but in reality, its server-side encryption option did provide a way to recover the plain text of scrambled communication. It's terms of service were updated after the incident.

Where Virtru scores over Hushmail is perhaps in its ability to disable or track forwarding as well as the facility to recall messages, if it manages to nail down those features. All this is of interest to ordinary folks as well as regulated industries that deal with private information, such as healthcare or finance, once enterprise versions of the technology are developed – and shown to be locked down.

Recall to sender

"Virtru thinks everyone deserves real privacy and control over their data, even after hitting the send button," explained Will Ackerly. "This means masking the complexity of encryption and making it dead simple for the everyday user. With Virtru, users gain confidence knowing that only intended recipients have access to messages and that their information is protected from third-parties like advertisers, governments, criminals and Internet Service Providers."

He added: "The Silent Circle app offers top-flight security but you can only send messages to other people who have download the app."

Despite the growth of self-destructing messaging and other trendy mobile communications technology, Virtru reckons email will remain the dominant web communications method. Research from Harris Interactive, commissioned by Virtru, found that 83 per cent of Americans are concerned about the privacy of their email communication, and even more have not yet taken steps to secure their email because they don't know how. Americans worry about being targeted by advertisers based on the content of their private emails (83 per cent) as well as messages being read by unintended recipients (75 per cent).

"Most email users have nothing to hide, but everything to protect," said John Ackerly. "Until now, true email privacy protection has not been available to the average user because it required considerable expertise on the part of both sender and receiver."

Arguably, relying on the user to authenticate with the decryption key store using their email account username and password means a hijacked account could be seriously turned over – with many messages maliciously revoked and restricted. The Ackerly brother argue that email account hijacking is always going to be a big problem and that's why consumers should use two-factor authentication or other approaches to safeguard their sensitive accounts.

The Washington D.C.-based startup has raised $4 million in angel funding to develop its Virtru email privacy product. Over the next few months, Virtru plans to extend its product suite beyond email to allow users to control their texts, posts, tweets, and other digital communications. Additionally, Virtru will be introducing products and services aimed at small businesses and enterprises later this year. ®