[Micronet] Webmail clients and secure email


[Micronet] Webmail clients and secure email

Mike Friedman
Per recent discussions of Webmail vs email clients (like Thunderbird).

With the increased drive to have people use Webmail "clients" (Google, Microsoft, Yahoo, etc.), performing all email client functions on the server, what is the future of secure email?  Right now, it seems to me, if I were using only bMail and got rid of my Thunderbird client, it would not only be a nuisance to send signed or encrypted email, but there's a good chance my recipient, also using only Webmail, wouldn't be able, or know how, to verify/decrypt it.  After all those dreams we had of eventually integrating PGP/GPG, etc., into mail clients, it would seem that this kind of security has been ignored in the rush to hand over increasing control of important services to commercial conglomerates.

Sure, even with the bMail web "client" now, if I wanted to encrypt sensitive mail (e.g., to my tax preparer), I could encrypt a file on my PC, upload the encrypted file as an attachment to bMail and send it.  On the other end, my recipient, assuming his Webmail "client" has this capability, could reverse the process.  That is, if he knows how to decrypt files on his computer.

It's even worse for digital signing, because mail providers often insert ads or footer messages into the mail, thereby invalidating the sender's signature.  Even some CalMail mailing lists do this.

Remember that the idea was to make the process of sending/receiving secure and authenticated mail easier, so that novice, non-technical, users could benefit from this important capability.  Instead, it seems, the drift is toward signing away (pun intended) not only our privacy in general, by giving Google (Microsoft, Yahoo, etc.) all our mail on an ongoing basis, but also making it harder to do our own email security as well.

Is anyone working on this problem?

In the days of postal mail, it was (I hope still is) a federal offense for you to open mail not addressed to you without permission of the intended recipient, unless you're a postal inspector.  What is the equivalent for email?  I've seen articles in various places saying we should reduce postal mail services even more than they have already because, after all, "who needs postal mail?  I do all my bill paying online".

I'm afraid we've already begun the process of losing our ability to send and receive sensitive email.  But as the use of email increases, the tendency will be to reduce further the availability of secure ways to communicate on the assumption that email replaces all alternatives.  Webmail is a particularly egregious example of this problem, since with no personal client to store your private signing and decryption keys, you'd have to keep your keys on the Google (Microsoft, Yahoo, etc.) server.

Why don't I hear more concerns about this issue?  Has the Facebook generation taken over, with the attitude that we should share everything with everybody?

Mike
-- 
Mike Friedman
[hidden email]
http://mikefberkeley.com


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Webmail clients and secure email

Greg Paschall-2
Hi Mike,

What about this?

http://www.mailvelope.com/

I haven't tried it yet -- just found it a couple weeks ago when I was trying to answer your same questions myself. You're not alone.

Greg





---
Greg Paschall -- [hidden email]
Deputy IT Officer
Space Sciences Lab - University of California, Berkeley
510-643-6907 -- 510-725-5855 (c) -- 510-643-7629 (f)







 

Re: [Micronet] Webmail clients and secure email

Kevin Burney
In reply to this post by Mike Friedman
 

Attachment: smime.p7m (28K)

Re: [Micronet] Webmail clients and secure email

Kevin Burney

This message has not been signed.  It looks to me like the mailing listserver cannot process signed email either.

 

-KB

 

 

From: Kevin Burney [mailto:[hidden email]]
Sent: Monday, April 01, 2013 12:52 PM
To: 'Mike Friedman'; [hidden email]
Subject: RE: [Micronet] Webmail clients and secure email

 

My experience with signing messages from Outlook or Thunderbird using gMail on the backend seems to work fine.  The only problem I have uncovered so far is if the recipient is using the Google webmail client to view the signed message, they do not see any of the body of the message.  Only the subject line is readable.

On the encryption front, there is no simple way to encrypt email without using a third-party tool, PGP, or a shared PKI environment.  Even with these solutions it requires a fairly complex configuration on all ends of the communication.  Encryption using Outlook with an Exchange environment is a trivial issue, but it is only seamless when all parties are using Outlook and the same Exchange environment.  Signing mail outside your web of trust is still an unsolved problem.

This message has been signed using a free Comodo-issued certificate.
http://www.comodo.com/home/email-security/free-email-certificate.php

-Kevin

Kevin D. Burney
Active Directory Architect
Enterprise Windows Team
University of California, Berkeley
(510) 827-8476

 

 

  

 

Re: [Micronet] Webmail clients and secure email

Greg Paschall-2
Kevin,

The MIME part of the 1st message was definitely signed (smime-type=signed-data; name="smime.p7m"). My Apple Mail doesn't recognize it though; probably doesn't know what to do with it, so it just shows it.

Greg

On Apr 1, 2013, at 1:13 PM, Kevin Burney <[hidden email]> wrote:

> This message has not been signed.  It looks to me like the mailing listserver cannot process signed email either.
>  
> -KB
>  
>  



---
Greg Paschall -- [hidden email]
Deputy IT Officer
Space Sciences Lab - University of California, Berkeley
510-643-6907 -- 510-725-5855 (c) -- 510-643-7629 (f)







 

Re: [Micronet] Webmail clients and secure email

Mike Friedman
In reply to this post by Kevin Burney
Kevin,

Well, my Thunderbird client seems to process the signature certificate properly.

Mike

On 2013-04-01 13:13, Kevin Burney wrote:

> This message has not been signed.  It looks to me like the mailing listserver cannot process signed email either.
>
> -KB

 

 


 




-- 
Mike Friedman
[hidden email]
http://mikefberkeley.com


 

Re: [Micronet] Webmail clients and secure email

Mike Friedman
In reply to this post by Greg Paschall-2
On 2013-04-01 12:24, Greg Paschall wrote:
> Hi Mike,
>
> What about this.
>
> http://www.mailvelope.com/
>
> I haven't tried it yet -- just found it a couple weeks ago when I was trying to answer your same questions myself. You're not alone.

Greg,

Thanks, this is good to know.  Although I plan to keep using
Thunderbird, the fact that at least someone has built a browser plug-in
to accomplish encryption/signing with Webmail is somewhat encouraging.

Of course, there are still other issues, such as the fact that signing
won't work as long as email providers or list servers insist on
inserting content into mail messages after they've been signed.  (Notice
the Micronet blurb that was added to the bottom of my original mail,
included below).  How would you feel if the Post Office inserted
advertising flyers or "public service messages" into each piece of first
class mail you sent?

Mike

> On Apr 1, 2013, at 11:32 AM, Mike Friedman <[hidden email]> wrote:
>
>> Per recent discussions of Webmail vs email clients (like Thunderbird).
>>
>> With the increased drive to have people use Webmail "clients" (Google, Microsoft, Yahoo, etc.), performing all email client functions on the server, what is the future of secure email?  Right now, it seems to me, if I were using only bMail and got rid of my Thunderbird client, it would not only be a nuisance to send signed or encrypted email, but there's a good chance my recipient, also using only Webmail, wouldn't be able, or know how, to verify/decrypt it.  After all those dreams we had of eventually integrating PGP/GPG, etc., into mail clients, it would seem that this kind of security has been ignored in the rush to hand over increasing control of important services to commercial conglomerates.
>>
>> Sure, even with the  bMail web "client" now, if I wanted to encrypt sensitive mail (e.g., to my tax preparer), I could encrypt a file on my PC, upload the encrypted file as an attachment to bMail and send it.  On the other end, my recipient, assuming his Webmail "client" has this capability, could reverse the process.  That is, if  he knows how to decrypt files on his computer.
>>
>> It's even worse for digital signing, because mail providers often insert ads or footer messages into the mail, thereby invalidating the sender's signature.  Even some CalMail mailing lists do this.
>>
>> Remember that the idea was to make the process of sending/receiving secure and authenticated mail easier, so that novice, non-technical, users could benefit from this important capability.  Instead, it seems, the drift is toward signing away (pun intended) not only our privacy in general, by giving Google (Microsoft, Yahoo, etc.) all our mail on an ongoing basis, but also making it harder to do our own email security as well.
>>
>> Is anyone working on this problem?
>>
>> In the days of postal mail, it was (I hope still is) a federal offense for you to open mail not addressed to you without permission of the intended recipient, unless you're a postal inspector.  What is the equivalent for email?  I've seen articles in various places saying we should reduce postal mail services even more than they have already because, after all, "who needs postal mail?  I do all my bill paying online".
>>
>> I'm afraid we've already begun the process of losing our ability to send and receive sensitive email.  But as the use of email increases, the tendency will be to reduce further the availability of secure ways to communicate on the assumption that email replaces all alternatives.  Webmail is a particularly egregious example of this problem, since with no personal client to store your private signing and decryption keys, you'd have to keep your keys on the Google (Microsoft, Yahoo, etc.) server.
>>
>> Why don't I hear more concerns about this issue?  Has the Facebook generation taken over, with the attitude that we should share everything with everybody?
>>
>> Mike
>> --
>> Mike Friedman
>>
>> [hidden email]
>> http://mikefberkeley.com
>>
>>
>>
>>
>> -------------------------------------------------------------------------
>> The following was automatically added to this message by the list server:
>>
>> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>>
>> http://micronet.berkeley.edu
>>
>> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

--
Mike Friedman
[hidden email]
http://mikefberkeley.com
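
The footer problem raised above and the `smime-type=signed-data` form noted earlier in the thread, as an added example that is not part of any list member's post: it classifies a message as clear-signed (`multipart/signed`) or opaque-signed (`application/pkcs7-mime`), then compares two ways a list server can add a footer. The sample messages, the `AAAA` placeholder blob and all function names are constructed for illustration, and a SHA-256 digest of the signed bytes stands in for real CMS signature verification.

```python
import hashlib
from email import message_from_bytes

# Constructed samples; "AAAA" stands in for a real base64 CMS blob.
CLEAR_SIGNED = (
    b"From: sender@example.org\r\n"
    b"Subject: tax forms\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b' micalg=sha-256; boundary="sig"\r\n'
    b"\r\n"
    b"--sig\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please send the tax forms.\r\n"
    b"--sig\r\n"
    b'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"
    b"--sig--\r\n"
)
OPAQUE_SIGNED = (
    b"From: sender@example.org\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"
)
FOOTER = b"\r\n____\r\n(constructed list-server footer)"


def smime_form(raw):
    """Return 'clear-signed', 'opaque-signed', 'pkcs7-other' or 'unsigned'."""
    for part in message_from_bytes(raw).walk():
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            return "clear-signed"  # body readable without S/MIME support
        if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
            kind = str(part.get_param("smime-type", "")).lower()
            # signed-data: the body itself is inside the CMS blob (smime.p7m)
            return "opaque-signed" if kind == "signed-data" else "pkcs7-other"
    return "unsigned"


def signed_bytes(raw):
    """Exact bytes the signature covers: the first part of multipart/signed."""
    for part in message_from_bytes(raw).walk():
        if part.get_content_type() == "multipart/signed":
            delim = b"\r\n--" + part.get_boundary().encode("ascii")
            start = raw.index(delim + b"\r\n") + len(delim) + 2
            return raw[start:raw.index(delim, start)]
    raise ValueError("no multipart/signed entity")


def footer_in_place(raw, footer):
    """List server appends its footer to the signed text part itself."""
    part = signed_bytes(raw)
    return raw.replace(part, part + footer, 1)


def footer_as_sibling(raw, footer):
    """List server wraps the untouched signed entity in multipart/mixed."""
    head, body = raw.split(b"\r\n\r\n", 1)
    outer, inner, in_ct = [], [], False
    for line in head.split(b"\r\n"):
        if line[:1] not in (b" ", b"\t"):  # folded lines follow their header
            in_ct = line.lower().startswith(b"content-type:")
        (inner if in_ct else outer).append(line)
    outer.append(b'Content-Type: multipart/mixed; boundary="wrap"')
    return (b"\r\n".join(outer) + b"\r\n\r\n--wrap\r\n"
            + b"\r\n".join(inner) + b"\r\n\r\n" + body
            + b"--wrap\r\nContent-Type: text/plain\r\n\r\n"
            + footer.strip() + b"\r\n--wrap--\r\n")


def signature_survives(original, relayed):
    """Digest comparison as a stand-in for CMS verification of the relay."""
    digest = lambda raw: hashlib.sha256(signed_bytes(raw)).hexdigest()
    return digest(original) == digest(relayed)


if __name__ == "__main__":
    print("opaque sample :", smime_form(OPAQUE_SIGNED))
    print("clear sample  :", smime_form(CLEAR_SIGNED))
    for name, relay in (("in place", footer_in_place), ("sibling part", footer_as_sibling)):
        ok = signature_survives(CLEAR_SIGNED, relay(CLEAR_SIGNED, FOOTER))
        print(f"footer {name:12}: signed bytes intact = {ok}")
```
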


 