We are missing the point about Email!
Email is the killer application of the Internet. Sadly, it is profoundly misunderstood by users, developers, and even so-called “security experts”. Worst of all, it’s creating a global Privacy crisis that’s completely shadowed by the Media’s voyeuristic obsession with leaks e.g., those of recent secretaries of state Colin Powell and Hillary Clinton.
What is Privacy?
Self-calibration of one’s vulnerability, across any medium. A fundamental human right, that isn’t necessarily cost-free i.e., we typically pay to enforce privacy.
Your house or rented apartment or tent doesn’t cost $0.00.
When you break the law you can end up losing major chunks of your personal privacy etc..
What’s the problem?
Every individual is entitled to privacy. You compromise that dictum and everything goes down the toilet, in a free society.
On the technology front, we have a crop of broken Email Applications that are the by-product of a myopic system driven by greed!
Politics aside, for a second, here’s video convering the impact of Email as a privacy compromise vector.
Here’s an illustration depicting how phishing attacks occur via email:
At the current time, an individual (you or I) can’t easily create any form of self-identification that works via email because Identity and Intention have been conflated, for greedy reasons. Basically, you would have to pay a commercial 3rd party to verify and sign your identity claims should you want to use email to communicate in a manner that ensures:
- verifiable sender identity
- in-transit tampering prevention
- encryption in-transit and at rest — i.e., your inbox.
Here’s an email send and receive sequence that illustrates the point, across GMAIL, OutLook, and Mac OS X Mail:
Outgoing Email from Thunderbird
What happens when I receive that mail sent to myself using GMAIL, OutLook, and Mac OS X Mail:
GMAIL
GMAIL which doesn’t even recognize the PKCS#7 bundle that includes by Digital Signature and Digital Certificate (which includes by Public Key). Net effect, most will presume this is some kind of attachment related phishing scam or simply hit the “report as spam” button (assuming GMAIL doesn’t even jump to that conclusion itself).
Microsoft OutLook
OutLook insinuates that the Digital Identity Card used by the mail sender can’t be verified or trusted. In reality, it doesn’t know the identity of the Issuer of the Digital Identity Card used by the email sender and so it concludes (without any user control) that the mail sender’s identity can’t be trusted.
Mac OS X Mail
Like OutLook Mail decides (without any user control) that the Digital Identity Card was signed by an untrusted issuer rather than providing you with any option to determine trust.
What’s the solution?
Globally, sovereign governments (of democratic societies) MUST ban the current practice by vendors of developing Email Applications that do not provide users with the ability to CHOOSE any of following options
- Digital Identity Card (or Certificate) that has been self-notarized (self-signed)
- Digital Identity Card (or Certificate) notarized (signed) by a 3rd party Certificate Authority .
How would the solution be implemented?
Simply instruct all Email Application vendors about the mandatory need to support self-signed and/or 3rd certificate authority (CA) signed Digital Identity Cards (Certificates). That’s diametrically opposed to the current draconian practice of only supporting CA notarized certificates.
CA notarized certificates are the best options for electronic transactions that are commercial in nature (i.e., the intention is buying and selling). This kind of certificate isn’t the best (let alone sole) option for private communications between individuals. Remember, privacy is about “You calibrating Your vulnerability” rather then abdicating that to a questionable 3rd party.
Why will this work?
Existing Email Applications already have the ability to handle signed and encrypted emails. What they increasingly refuse to do is offer end-users a choice over the kind of certificates supported with regards to sending and receiving emails. Net effect, individuals, companies, governments unwittingly accept flawed unencrypted emails as the norm.
Emails that are unsigned make everyone vulnerable to privacy compromises via socially-engineered phishing attacks.
Conclusion
Privacy compromises are fun when you aren’t on the receiving end. The trouble with exponential network effects (something the Internet & Web exemplify) is that they are real, so you (or I) are only a socially-engineered network packet receipt away from the next privacy compromise, if we don’t fix this flaw in the system!
