To be an encrypted ninja or not to be...
It's a debate whether or not foreign powers hacked into Hillary Clinton's private email servers. There is consensus, however, that the private email server was hacked, and this is precisely how emails can easily get leaked. To solve this sort of problem you can either have Hillary and Hillary's friends become ninjas at cryptography, have cryptography tools become mainstream and transparent, or find a middle ground solution somehow. For this year's 2017 Hackweek at SUSE and Aaron Swartz Day I have worked on a middle ground solution as a proof of concept using GPG, forcing all incoming emails to you to be encrypted, even if you use gmail or yahoo to store your emails. In this post I will explain the motivation for such work and document how to accomplish this yourself, should you want to implement it.
Motivation
Emails sent to you when you are using popular email servers such as gmail or yahoo get encrypted only on the wire, as they make their way onto email servers hosted by the companies that provide these services. The emails are however stored unencrypted. Likewise for typical private email servers. You are left at the whims of the security best practices of these companies, and even if you did have your own private email server, getting things done right requires substantial work. In fact, even if you used a good company to store your email, you may still face issues with ensuring your email privacy remains outside of the control of intelligence agencies which may argue they should be able to read everyone's email.
Reasons for wanting your emails stored with good cryptography vary, but here are a few:
- You're a politician
- You're a therapist
- You're a journalist
- You're a human rights advocate
- You just give a damn about privacy
For most people's day to day, the below diagram simplifies and reveals how email transactions work, Exhibit-A:
One solution to this is to have everyone, for example, use encryption tools when crafting and sending emails, Exhibit-B:
This is a bit unrealistic, however for some folks this is possible, for instance if you're a journalist working with very sensitive material. If you fall into one of the categories below you might not be able to get to this point:
- You're a human rights watch group worker dealing with folks who can't easily become ninjas...
- You're a therapist, who obviously deals with folks who don't even care about what a crypto ninja is
- You're a politician and just want to encrypt everything
- You want to open up your email on a certain date and use an escrow to stash your PGP key, such that the key becomes public after a certain date
- You want to ask company admins to set up a secure and sensible way to forward some company emails to a public mail server safely (say, a way to get work email on public servers)
- You just care about cryptography
- You cannot trust your email provider's data store at all
- You don't want your data to be scraped by the company hosting it
Making cryptography more easily accessible is a much better approach. Such good efforts exist. One example I found was FlowCrypt, which lets you use Public Key Cryptography, however that does mean trusting a private key stored locally by the plugin. Another effort, which doesn't use Public Key Cryptography, is SecureGmail by streak, where you encrypt emails using a one way cipher. Both of these and similar solutions still require some effort or deploying some sort of software on the sender's side.
What I've worked on means that as a ninja, or if you have a ninja friend, you get the benefit of having your emails stored encrypted on your preferred email server, provided you can trust a particular middle service provider, which I'll describe how to set up, and you can get it secured. You end up with the following, Exhibit-C:
To accomplish this we need a middle-end system which does the actual encryption for you using your public key. Email providers such as Google, Yahoo, and others won't do this for us today, and they have some reasons not to. By scraping your email they get the ability to provide search facilities, they get to scrape emails as they might legally see fit, and advertise to you. This is how they make money off of storing our emails for free. Using a middle layer to encrypt your email is reflected in the following diagram, Exhibit-D:
One must admit that this shifts trust to the particular server admin who sets this server up, and to the setup itself to parse and bounce emails to your preferred email server properly. Your emails are still at risk, but they are not stored on the middle server if done properly, they are just being piped through. Also, with unencrypted emails even your old emails are at risk: once an email server is compromised, all your emails stored on that server are at risk. With a super simple service such as the one I am describing, it would be fairly easy to monitor against attacks and only protect one thing: receive encrypted emails via TLS, encrypt them right away without writing them to disk, and immediately bounce them. Nothing unencrypted lands on disk or storage.
How do I get this?
If you're curious to try it for a few test cases, and you trust me for such test cases, shoot me an email and I can set you up with an account on my proof of concept email system, encrypted.ninja. Any email sent to that email address will be immediately bounced back to you, encrypted with your PGP key.
I would not recommend you use this setup just as-is though. It'd be best to have spam detection done on your behalf, otherwise it may be possible that your email provider's spam detection tool won't pick up spam, and you end up getting tons of spam.
As such, this is just a proof of concept at this point.
How do I replicate your setup?
Even though this uses PGP keys to encrypt data, you'll need to set up an email server with proper TLS certificates to encrypt the communication with senders and the bouncing of emails on to email servers. Fortunately letsencrypt can give you a free certificate; it must be renewed (easy to do). The same SSL certificate you get from them for your apache setup can be used for email as well. So the first thing you should do is get a DNS name, then get a simple website up with an SSL certificate from letsencrypt.
If you have control over the email server you may not want to give a full shell login account to all users, but just an email alias. I used postfix for my email server, as it's easy to set up and has some hooks we'll use later. So get yourself postfix installed and set up; there is no need to set up TLS for your first setup. Just get it receiving emails locally first. Once you have that working, configure postfix with the same SSL certificate you used for your apache setup. The following is my setup, roughly.
You'll then need to edit /etc/postfix/master.cf and add the following pgphook line, and replace your smtp line with the one below as well:
pgphook unix - n n - - pipe flags=F user=www-data argv=/opt/bin/mail2pgp.sh ${sender} ${size} ${recipient}
smtp inet n - - - - smtpd -o content_filter=pgphook:dummy
Then set up virtual aliases; /etc/postfix/address.txt looks like this:
mcgrof@encrypted.ninja FILTER pgphook:dummy
Add one entry per email address you want to handle. After updating the file you must run:
postmap /etc/postfix/address.txt
Then it's all a matter of just one script and one procmailrc file, and ensuring the script, its gpg directory, and keyring are all owned by the user the email server runs as. That's it.
I stashed the script, procmailrc and gpg directory and keyring for the email server in:
/opt/mail2pgp/
mkdir /opt/mail2pgp/.gnupg
chmod o-rwx /opt/mail2pgp/.gnupg
chmod g-rwx /opt/mail2pgp/.gnupg
sudo chown -R www-data /opt/mail2pgp/
To create a keyring with keys, or to update it later with new keys as you update the alias file and the script provided later:
gpg --search-keys hexkeyid
gpg --export --output keyring.gpg
cp keyring.gpg /opt/mail2pgp/keyring.gpg
The script:
You'll also need a MIME preamble, and postfix:
And finally, the procmailrc file:
That's it. In fact, you can use the MIME preamble and postfix and procmailrc file as a template on a system you *don't* have root on to bounce encrypted emails out to you in a much more secure way as well.
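The filter stage described above, as an added example (this is not the author's mail2pgp.sh): it takes the message the pgphook pipe service hands over on stdin, encrypts the body and its Content-* headers in memory, and emits a PGP/MIME (RFC 3156) message, exiting with EX_TEMPFAIL rather than forwarding plaintext if encryption fails. The `dest_for` mapping and its addresses, the function names, and reinjection through `sendmail -G -i` are assumptions; the gnupg directory and keyring paths are the ones from the post.

```shell
#!/bin/sh
# Added example, NOT the author's mail2pgp.sh. Invoked by pipe(8) as
#   mail2pgp.sh ${sender} ${size} ${recipient}   with the message on stdin.
GNUPGHOME=/opt/mail2pgp/.gnupg       # paths from the post
KEYRING=/opt/mail2pgp/keyring.gpg

dest_for() {    # hypothetical alias -> final mailbox (also the key's user ID)
    case "$1" in
        alice@example.org) echo "alice@mailbox.example" ;;   # constructed entry
        *) return 1 ;;
    esac
}

split_headers() {   # $1 = content | other; folded lines follow their header
    awk -v want="$1" '
        /^\r?$/             { exit }
        NR == 1 && /^From / { next }    # envelope line added by flags=F
        /^[ \t]/            { if (keep) print; next }
        { c = (tolower($0) ~ /^(content-[a-z-]+|mime-version):/)
          keep = (want == "content") ? c : !c
          if (keep) print }'
}

body_of() { awk 'b { print } /^\r?$/ { b = 1 }'; }

encrypt_for() {     # plaintext on stdin, ASCII-armored ciphertext on stdout
    gpg --homedir "$GNUPGHOME" --no-default-keyring --keyring "$KEYRING" \
        --batch --trust-model always --armor --encrypt --recipient "$1"
}

build_encrypted() { # $1 = key user ID; raw message on stdin, PGP/MIME on stdout
    msg=$(cat)      # held in memory only, nothing is written to disk
    b="pgpmime-$$-$(date +%s)"
    # Encrypt the inner MIME entity: original Content-* headers plus body.
    ct=$( { printf '%s\n' "$msg" | split_headers content; echo
            printf '%s\n' "$msg" | body_of; } | encrypt_for "$1" ) || return 75
    [ -n "$ct" ] || return 75        # fail closed, never forward plaintext
    printf '%s\n' "$msg" | split_headers other   # From/To/Subject stay cleartext
    printf '%s\n' 'MIME-Version: 1.0' \
        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";' \
        " boundary=\"$b\"" '' \
        "--$b" 'Content-Type: application/pgp-encrypted' '' 'Version: 1' '' \
        "--$b" 'Content-Type: application/octet-stream' '' "$ct" "--$b--"
}

main() {            # argv as in master.cf: sender size recipient
    dest=$(dest_for "$3") || exit 67            # EX_NOUSER: unknown alias
    out=$(build_encrypted "$dest") || exit 75   # EX_TEMPFAIL: Postfix retries later
    printf '%s\n' "$out" | /usr/sbin/sendmail -G -i -f "$1" -- "$dest"
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

Only the body and its Content-* headers are encrypted; Subject, From, To and the other message headers remain readable wherever the mail is finally stored.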
Now I'll surely see someone try to hack this server :) and I'm sure they will ;)