Slashdot recently posted an interesting article titled An Inbox Is Not a Glove Compartment. The article covers legal rights and the government’s right to your data. It’s an interesting read, but it’s not what this article is about.
While reading the article I started thinking about cloud email solutions and the fact that you give all your data to them. The bottom line is that it doesn’t matter what their terms of service says, they’ve still got all your data. Given that you do want to throw away your in-house email solution (and there are a lot of reasons why), how can you still keep your data safe?
The obvious option is to use PGP or GnuPG. In a perfect world this would be enough. If people were smart about their privacy, they’d know that it’s in their best interest to encrypt their emails. Unfortunately that’s not the case. So if we assume that a PGP/PGP approach unrealistic for wide-spread adoption, what’s left?
After I spent some time thinking about it, I had something of a Eureka-experience. What if you have a local appliance which has two tasks:
- Receive incoming emails, encrypt them, and route them to the cloud server
- Receive outgoing emails and decrypt them
That way you would be able to both receive and send messages encrypted, and have them sent to the end-user unencrypted. Granted, that is not a perfect solution. End-to-end encryption is a superior technique, but far harder to achieve (as it would involve a massive change in the industry).
Here’s a sketch of how it could look:
As illustrated above, unencrypted incoming emails are passed through the first MTA (local appliance), gets encrypted, passed on to the cloud MTA and sent to the storage module. That way, the messages are fully encrypted on the cloud storage module.
Outgoing emails are sent encrypted to the local MTA and gets unencrypted. Assuming IMAP is used, the sent messages can also be stored encrypted on the cloud storage modules (e.g. IMAP or POP3).
The biggest weakness in this setup is that the emails are sent unencrypted over the internet. However, if the receiving MTA uses a similar setup, it would be easy to use some kind of handshake to determine the receiving side’s capabilities (which is already done to some extent). If the receiving side supports full encryption, the message could be sent fully encrypted over the internet too.
While this is a pretty big project, the good thing is that the MTA/SMTP market is dominated by open source tools, with Sendmail and Postfix being the largest players. Hence, if anyone were to write a plugin that does something similar to what I described above, a large market could open up.
As far as encryption goes, GnuPG is already available on desktop clients. Since GnuPG is open source too, a plugin could easily be written for most MTAs. Unfortunately, due to the nature of key-based encryption the private key must be stored on the MTA, which would leave it extremely vulnerable. Also, since the message goes in decrypted and out encrypted (or the other way around), if the system was compromised an attacker could sniff the traffic and use a known plain text attack to try to find the private key over an extended period of time. Of course the sniffer would also get all emails unencrypted, but if the private key is compromised, even end-to-end encrypted messages would be compromised.
While this is a just a theory and something I drafted in an hour or so, it is not completely unrealistic. These local MTA boxes could be built very cheap and either be a physical appliance, or a virtual appliance. Moreover, if this is fully open source, companies could easily build these boxes themselves.
There are still a few problems that I haven’t figured out. If the emails are encrypted when they are sent to the cloud based email provider, their spam system will not be able to detect the spam (since it’s encrypted). Hence, spam and virus scanning would need to be performed on the local appliance, which would add a lot more load and complexity to the system.
Again, this is just from the top of my head, but I thought it was interesting enough to share with you guys. If you have any thoughts or comments, please drop a line below.
[...] This post was mentioned on Twitter by Email marketing, etc and Email Service Guide, Email Service Guide. Email Service Guide said: http://bit.ly/3E1qgr [...]
Social comments and analytics for this post…
This post was mentioned on Twitter by emailservicegde: How Can We Keep Email Safe In The Cloud? http://bit.ly/3E1qgr #saas #cloud #security #encryption…
Hi,
This is exactly the same thing I was thinking of on how to improve cloud security :)
Djigzo email encryption gateway is an open source email encryption gateway with support for S/MIME and PDF encryption (www.djigzo.com). You can set it up in such a way that all outgoing email to a specific account (for example your Gmail account) is encrypted with a certificate (I use it in a similar setup to encrypt all my email sent to my BlackBerry). For Firefox there is already an S/MIME add-on that allows you to decrypt your S/MIME email from your Gmail inbox. The Gmail add-on allows you to sent encrypted email as well but this requires certificates for all receivers. So, I’m thinking of building my own add-on that allows you to encrypt the message with a gateway certificate. The email is then sent to the gateway instead of directly to the intended recipients (the message need to contain some meta info about the intended recipients). The gateway decrypts the message and then forwards the message to the intended recipients (the gateway is used as a relay). To make sure that it’s not an open relay all messages need to be digitally signed before being encrypted (together with a timestamp). I use a similar setup for a BlackBerry add-on we have created which allows you to send and receive S/MIME email with a BIS account.
If you want to use Gmail as an encrypted email backup and can run an email server you can chekout http://www.djigzo.com. It’s open source and a VMware virtual machine is available.
[...] few weeks back I wrote an article named ‘How Can We Keep Email Safe In The Cloud?.’ After I published the article I was contacted by a guy named Martijn Brinkers. Martijn told [...]