Virtu “encrypted” mail is a joke.

Let’s talk about the sheer comedy that is Virtru, an “encrypted mail provider”

1. You can send an “Encrypted” mail with them to multiple recipients.
2. They will then “encrypt” the mail, presumably in their system.
3. A recipient can log into to Virtru using email (WTF) and authenticate their email account by the fact that they can receive an email form virtru. — if you’d actually breached my email account, I’m sure that verifying as me is going to be trivial.
4. When Virtru sends an email to a user it sends the email via sendgrid. Unfortunately, they connect to sendgrid over HTTP , not HTTPS. Sendgrid then sends the mail to your account using proper TLS encrypted mail, but it’s too late at this point because of the initial non-HTPS transmission to sendgrid:

Received: from NzY4MDcw (unknown [173.245.54.10])
	by ismtpd0026p1mdw1.sendgrid.net (SG) with HTTP id i3zOrYkRTlazaH_OLodOGQ

They also send the verification token over HTTP, let’s consider that to be completely compromised to anyone who can read the HTTP stream between Virtu and Sendgrid. oops!

It’s also strange that the message data, which is served in encrypted binary form from “encrypted-storage.virtru.com” is encrypted using a key which it seems that javascript client has to request from the server. Perhaps there is no security here after all.

Additionally, the json is leaky and reveals the message metadata in transit. The software shouldn’t leak the subject of my message prior to decryption, for example. I’ve xxxx’d out the readable bits here.

{“policyId”:”xxxxx",”authorizedUser”:”jna@xxxx.xx”,”key”:”plaintext-key-here",”type”:”email”,”displayName”:”Re: plaintext-subject-was-here”,”state”:”active”,”authorizations”:[“forward”,”copy”,”print”],”isManaged”:false,”isOwner”:false,”attributes”:[],”leaseTime”:60000}