Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] The missing awareness: SMTP Security Indicator in Email|WebMail clients

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Sat Oct 31 12:02:21 PDT 2015


Hi all,

so, the in-transit email encryption problem isn't yet solved.

The uses of opportunistic encryption with SMTP STARTTLS help, but also
this is out of the end-user control.

An email users, using a desktop, mobile or webmail client, doesn't have
any way to know if his email messages, already received or going to be
sent, will be encrypted in-transit with SMTP STARTTLS.

We are missing the ability for end-user to:
- KNOW if emails being received from Mr. X has been in-transit encrypted.
- KNOW if emails he's going to send to Mr. X are likely going to be
in-transit encrypted

That's something that can be implemented with a Thunderbird plug-in and
with a Chrome plug-in (for mostly used WebMails).

Reading
http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/
we know that 96% of Gmail traffic in Tunisia is being downgraded it's
in-transit security.

Well, without a technical analysis it would had not been possible to
know about that, unless if all the end-users would be given the
possibility by email|webmail clients to know about it.

That's a piece of technology i'd really love to see being implemented
before or later, giving back to end-users the awareness of their email
traffic security.

Whenever some project with knowledge about Thunderbird and Chrome
plug-in development would like to work on it, it would be amazing

If Mozilla and Google would implement that in their email clients, it
would be even cooler!

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org -
https://ahmia.fi



More information about the liberationtech mailing list