Archive for the ‘encryption’ Category

Windows Mobile 6.5, Google Wave and Windows 7 - review of past and gaze to the future

October 29th, 2009

Some changes ahead

I’m wrapping up my work here at Gwebs and in China. It has been pleasant to work here, with a nice atmosphere. I have learned so many new things and gained an idea of business in China. But as they say, time flies, and now it’s time for me to head back to Finland, finish my studies and head for new challenges. Before that, I still have some ideas and things to share with you.

I mentioned in earlier posts that I would test Google Wave when it becomes available to everyone. Well, I have to pass this job to my colleagues, ’cause Google Wave for regular users hasn’t been released yet. Only the test version for selected people is available so far. (Here is the post about Google Wave.)

Another thing I mentioned earlier is that I’m willing to try out Windows Mobile 6.5 with some email encryption application and see how well it works with our MailCloak encryption software. Well, guess what? Windows Mobile 6.5 hasn’t been released yet for the HTC Touch Diamond 2, so I have to wait until the end of this month or next month. So far, the estimated release date is “during October/November 2009”, so there is still some time to go. Maybe I’ll try it out back in Finland and then just send the results to my colleagues, ’cause I think this topic is very interesting for mobile users like me. These mobile issues are getting more and more important, because the smartphone market is growing rapidly. (Here is the post about email encryption mobile usage.)

What else?
I guess quite many people found out that Windows 7 is finally released and available for consumers. So we took a sneak peek at it to check how different it really is, and how security issues are handled there. For me, it has always been a thought in my head that Microsoft Windows and security don’t really belong in the same sentence, at least not in a positive way. But we will see; I’m open-minded about this one, having heard so much good about Windows 7 during the beta testing.

Gwebs, email, encryption, google, new, software

Is usage of E-mail culture related or not? - Habits of E-mail usage among Gwebs staff (in China)

October 15th, 2009

Back in the old times, when I was an active student, I used email a lot: for writing to my study-mates to set up group work, to my professors to ask questions, to my family to keep in touch. Email came to be one of the main ways of communication. It was just so easy, fast and convenient. You don’t have to wait until the other person is available; you can write a bit, save it and continue later, so you don’t have to bother someone many times to get all the information you really need. You can use email almost anywhere, especially if you’re using any kind of webmail: just have an internet connection, log in and handle your mails.

Now when I look back in time, it was really like that. But nowadays, when all kinds of social networks and instant messengers (IM) are available, I can see that I’m not really using email so much anymore. It seems to be a “too slow” way to contact people. I guess this technological awareness is really taking place in today’s daily life. People are getting so used to using different methods to keep in contact immediately. If one cannot reach you on any IM or social network, it might be that the person will give you a call or send an SMS, just because they want to exchange the information now.

Sometimes I feel that it’s really distressing that you have to be reachable always, because of projects, work, friends, family, etc. And if you are not reachable, people will feel annoyed; it just seems that no one is allowed to have their own time anymore. And I’m not talking about vacations now; normally vacation time is sort of “holy time”, though of course this depends pretty much on what kind of job you’re doing and what your responsibilities in the company are. And who can say that after a couple of weeks’ vacation the email inbox is empty? I can tell you for sure that mine is not. If there are fewer than 100 emails, I can be happy.

I made a little enquiry among our staff about how they feel about and use their email, encryption software and other software. This research was quite interesting, because most of our staff is Chinese and I was quite amazed by some of the answers.

According to this enquiry, I think usage of email is culture related, more or less. With this amount of data it would be close to impossible to hand out any inclusive report. I think that people’s opinions are anyhow quite different here in the East than they are in the West, I mean opinions among tech-related people. I won’t analyze the results themselves; just take a look and make your own judgement.

Well, here are the questions we asked and the results we got. The results are in blue so that they are easier to follow.

Enquiry - We asked for short answers with arguments, and here’s the conclusion.

Habits of e-mail usage?
For what kind of communication are you using e-mail?

For most of the repliers, e-mail is mostly used for work or business purposes: sending data, files, documents and pictures when the receiver is not reachable by instant messenger (IM).

How fast do you expect the recipient to answer you?
Most of the people wish to get a reply within the same day, some even within one hour. Only a couple of answerers were satisfied if they get a reply within 2 or 3 days.

Do you check your email daily? Hourly? Weekly? Sometimes?
Almost everyone checks their email daily or several times per day.

How important is e-mail for you? Can you live one week / one month without e-mail easily? If you’re not able to check your emails, will you go crazy?
Here the answers were basically divided into two. Approx. half of the repliers said that they use email only for work or business, so they can live easily without it, and they won’t go crazy if they cannot check their email (of course depending on whether they work at that time or not). The other half seem to be more dependent on email, and they will go crazy if they cannot check their email even once within 3 days.

What did you expect when you first used any kind of e-mail encryption software?
Did you think that it would make your life more secure? (From what?)

Almost everyone said that they feel more secure when they use email encryption, and the most common reason was privacy. They don’t like the idea that someone is snooping and reading their emails.

Did you think about what might happen if you lose your encryption/decryption keys?
Here also the answers were basically divided into two. The first group admitted that they didn’t think about what might happen if they lose their keys. The other group seemed to have some experience of this already, and it seemed that some people get angry at the software for losing those keys, even if the fault was their own. And this normally led to changing the encryption software.

How did you feel when you used one (software)? Did it take effect immediately, giving you the emotion of security? Or all the worries, “What if?”
For everybody the first feeling was very positive, a strong feeling that “now I’m secured”, but some of the repliers admitted that later they started to wonder about “what if?” questions and also felt annoyed by all the inconveniences with the software, like reading email in many places, feeling worried about the keys all the time, and so on.

When you tried some encryption software, did you think “this is it!”, I’ll use this forever, or did you try to find a better one, a more secure one?
Most of the answerers have been searching for better ones after trying the first one. A few said that they don’t mind changing their software, but the current one is just fine too.

How do you feel about free and not-free software? Will it cause you a feeling of trust/mistrust?
All repliers think that free software is basically just for testing it and seeing the main features, and that the not-free ones are better and more reliable than free ones.

When you see free software, will you think how nice it is that there are still some kind people offering this kind of tool for free? Or will you think that there is something “hidden” behind it? Will this company use my data for something else? Maybe illegal activities?
Quite many repliers thought that there has to be something “hidden”, but still most of these repliers were not so interested in whether the company uses their data for something or not. Some thought that the software can be free, ’cause the company will get funding from advertisements or from some foundations.

By which criteria do you choose the software you are using? Free? Well known? Easy to use?
Every single replier said that the most important things for their software are that it’s well-known and easy to use. If it is free of charge, even better, but some also said that if the software is good enough, they will gladly pay for it, since it makes their life easier and more secure.

How can you trust that free software is really free? Or how can you trust that the software (which was SO expensive) is more trustworthy than the free one? Can you?
This question was made on purpose to be similar to the earlier one. This question raised the idea that I was hoping to see.
If the company offers only software which is free of charge, most people don’t trust it, but if they have, for example, free products for individual use and chargeable ones for business use, then it’s fine. Then the interesting part: most of the repliers also thought that if the software is free of charge and open-source then it must be trustworthy, because basically anyone can check and modify the source code. Although, with security software this rarely happens, ’cause otherwise the hackers can see it too and then it’s not safe anymore.

Does the cost of software give you any kind of idea of how good it might be or how trustworthy it is?
Most of the repliers thought that the amount of money or cost is not really related to how good it is. Quite often the most expensive one already has so many features that it isn’t easy to use anymore.

Will you use any software which is delivered by a government or other authority? Why?
Only one of the repliers is using software delivered by a government, and only because it’s required by a business partner. The others thought that they won’t use any software which is delivered by a government, because the software might include some spyware.

Gwebs, Security, email, encryption, privacy, software

The Rocky Mountain Bank’s customers’ private data revealed to random users because of human mistake - Bank sues Google

October 12th, 2009

I guess most people have been following the news about “Bank screws up and sues Google”, which is very interesting news related to email security. When I read this news for the first time, I just shook my head and thought “This can only happen in the USA”. And the worst thing here was that those emails were not secured at all, just basic emails full of customers’ private data.

I really cannot understand the result that a judge orders Google to deactivate some random users’ accounts because someone made a mistake, a human mistake. Especially someone to whom these random users are not related. I can say that I might go crazy if one day my email were deactivated without notice, just because someone had sent some email that doesn’t belong to me to my email address.

The situation is easy to compare to the non-digital world. Let’s imagine that the post delivers someone’s bank statements to your postbox, without being in a letter. Just papers in your postbox: will you feel safe? Will you wonder whether that is the common policy of this bank? Anyone can read that information on the way: the staff at the post office, the delivery guy and anyone who is just on the way. Will you also consider it reasonable that the bank sues the owner of the postbox, because they made the mistake? And even worse, do you think it’s reasonable that they will vanish/seal up your postbox, ’cause there is some information in it that doesn’t belong to you?

For me, this all sounds so ridiculous. If someone needs to be sued or punished, that person is within the bank staff. Also, I really feel unsafe about this bank, as they didn’t use any encryption for those emails. Anyway, I assume that they are using letters when posting bank statements to their customers, so why not use encryption when data is in digital form?

Luckily, I’m not a customer of this bank, and I feel safe with my own bank accounts. The banks that I’m using are really investing money in security and also offering the best service to their customers. Of course the situation is currently better in Europe than it is in Asia, but Asia is growing fast, very fast. About the USA I really cannot say; I always feel unsafe about money issues there. The credit card policies are so loose and security issues seem to be popping up all the time. I guess it’s only a matter of time before people get annoyed by such bad and insecure service.

But luckily, in the meantime, suing in the US is so easy and convenient, so why not sue everybody and make people suffer for mistakes, maybe ones they couldn’t prevent at all, ’cause that’s what it’s all about. I’m really happy with Google’s services so far, but this case is just a bad example of how vulnerable even this huge company is to crazy laws and policies in the US.

Although, I don’t know where it is better, maybe in Europe. I’m currently living in China and getting so frustrated about governmental actions to limit access to “out there”; I mean the Chinese Great Firewall (GFW) is really getting on my nerves all the time. But that’s another story.

Here is the case file for you to make your own judgement: “The Rocky Mountain Bank Vs. Google” (PDF file).

Security, email, encryption, google, privacy

Email Security for Dummies

September 27th, 2009

This guide will help you understand the basic facts about email security — what it is and why you need it.

What is Email Security?
On one level, email security is ensuring that your emails are secure: that is, it involves the maintenance of the basic information security concepts:

  • Integrity - ensuring that your message has not had unauthorized alteration
  • Confidentiality - ensuring that no unauthorized person (or process) has viewed the content
  • Accountability - being able to prove who wrote the email
  • Availability - ensuring that the email can be sent/received
  • Non-repudiability - being able to prove that the recipient really did receive it

But more than the email itself is involved in email security. It also involves:

  • Ensuring that you neither receive nor send malware hidden within the email or any attachments
  • Minimizing the receipt of spam, scams, phishing expeditions and illegal content
  • Ensuring that staff neither accidentally nor with malicious intent allow or send confidential, sensitive or illegal content within or outside of the company

Why do I need Email Security?

You need email security simply because failure to do so has both commercial and legal ramifications. An example that can illustrate both aspects would be infection with a highly destructive and virulent virus. Let us assume that your own systems are infected, and the virus payload is delayed but destructive: that is, you manage to infect, say, a competitor before this virus destroys your system.

The commercial implication is obvious: loss of your systems, data, records, etc. will be severely damaging if not fatal. But on the legal side, many lawyers believe that you could be held liable for any loss suffered by a third party that you infect, whether intentionally or even knowingly or not. If that third party were a competitor, then it would have little incentive not to sue the elbow off you.

And the history of internet litigation is already strewn with examples of both staff and competitors suing companies that have allowed compromising information to circulate within, or worse, to escape from, the company network.

It would be much safer to ensure your email is secure rather than risk the potential problems of insecure emails.

What do I need in Email Security?

Since so much is involved in email security, it is not surprising that you will be lucky to find everything you need in a single product. Just on the basis of the above discussion, you will need:

  • Anti-virus software (to ward off viruses and worms)
  • Anti-spyware software (to ward off trojans, adware and spyware)
  • Anti-spam, -phishing, -scam software (to cut down on wasted staff time)
  • Content security software (to make sure confidential, sensitive or illegal content is neither circulated within nor leaked from the company)
  • A company email usage policy (to reduce staff misuse of the email, and give you some redress for when they do misuse it)
  • And last but not least, a secure email (as opposed to email security) capability

The secure email system is possibly the hardest of all. The problem is that it inevitably involves encryption - and the only form of encryption that does not create administrative problems between the sender and the receiver is a Public Key Infrastructure (PKI). But PKI is expensive to run and administer - and gets you involved with even more requirements. For example, if you operate a PKI, then you need to consider identity management software and provisioning software. Nevertheless, if you are a large company with lots of sensitive data, then PKI is the obvious route. For a single user, the RSA encryption method (RSA stands for Rivest, Shamir and Adleman, who first publicly described it) is a bit simpler and lighter to use. Quite a lot of free encryption software uses RSA instead of PKI. The encryption is still “hack-proof”, which means that cracking it takes more than 100 years.

In particular, PKI and RSA can demonstrably provide four of the five security basics we noted at the outset of this article: integrity, confidentiality, accountability, availability, non-repudiability (availability is the one not specifically provided by PKI).

Where do I get Email Security?

If you are looking for email security software then you have a basic choice: you can look for best-of-breed point products in all of the above; you can look for an email security specialist that bundles different aspects within a single product or suite; or you can go for a hosted service. Or you can just download our MailCloak software from our company’s website (www.gwebs.com/mailcloak.html). Yes, it’s free!

Other related topics:

Encryption for Dummies
http://opsec.spaces.live.com/blog/cns!62F870188540FB1E!1097.entry

Public Key Infrastucture, PKI, encryption for dummies
http://www.networkworld.com/news/64452_05-17-1999.html

Public Key Infrastructure, PKI (Wikipedia)
http://en.wikipedia.org/wiki/Public_key_infrastructure

RSA encryption (Wikipedia)
http://en.wikipedia.org/wiki/RSA

Terminology and encryption algorithms
http://www.easeus.com/resource/encryption-algorithms.htm

Gwebs, PGP, Security, email, encryption, how to, personal, privacy

Email Encryption for Mobile Users with GnuPG and PGP

September 9th, 2009

When I started my work at Gwebs, this was one of my first questions. I mean, so far our own products don’t support mobiles, smartphones, PDAs, etc. Anyhow, our product co-operates nicely with all software that uses GnuPG (GPG); it’s been tested with quite a wide range of applications.

I wanted to know how I can access my encrypted messages whenever and wherever. I just got so dependent on mobile usage of email in my previous job at a telecommunications company; sometimes you just have to be available 24/7 for your colleagues all around the world, your customers and clients. This is what’s going on right now within the IT industry. No one is paying me a 24/7 salary, but it just became a habit for me. And now, sometimes I find myself at the bus stop reading my email, thanks to the reasonable price of data transfer.

I did some research on this topic and found out that encryption with GPG on smartphones is not as common as I thought, even though nowadays smartphones have Windows Mobile, Linux, Android, Apple, Symbian and maybe some other operating systems too. It seems to be easier to find a solution for encryption from PGP (Pretty Good Privacy).

I found out that Symbian used to have one component, made by Nokia, but no one really knows whether it is still usable or not. About Apple and Android I really cannot say so clearly, ’cause both systems are pretty unfamiliar to me. So far Apple seems to have quite a lot of research and development around the iPhone, so I’m pretty sure that there is some encryption software as well.

As for Windows Mobile, there seems to be a huge gap between versions (5.0/6.0/6.1/6.5) when searching for supported applications; anyhow, there is some software for encryption available. I haven’t tested these myself yet, but will do so later. First I’d like to have the official update for WM 6.5.

Well, Linux is another chapter of its own. There is so much free, open-source encryption software available that it will be more difficult to find the one which suits your needs best than just to find one.

The other solution for encryption on mobile devices is PGP (Pretty Good Privacy); it’s not open-source and normally these applications are not free. But this also makes a difference to availability. There are so many PGP applications available for all the operating systems that I mentioned earlier. And of course, while the software is not freeware, you can expect some support for troubleshooting and the equivalent for your money.

Anyway, I think that this is one of the main things nowadays when talking about email security and privacy. Because such a big share of today’s business emails are sent from mobile devices, some software is really needed to maintain privacy within this communication channel too. And to cover usability issues, it’s nice to have software which co-operates with the same encryption method as when using a PC.

I’ll let you know later about my testing: WM 6.5 + PGP or GPG encryption software + MailCloak on the PC, having my own key on every single device (work, laptop and smartphone), and then testing how it works and how easy it really is to use. But that’s going to happen after the Windows Mobile 6.5 release, which is supposed to be soon.

Gwebs, PGP, Security, email, encryption

Comparison about Postcard and E-mail and also Registered letter and Encrypted E-mail, e.g. with MailCloak

August 28th, 2009

Security issues have been in the news recently, and more and more things are coming up all the time. So many people are interested in their own security when spending time in online societies and communicating with others, but so few people are really using any software which offers better security. Most of these people are just waiting for the easiest one to use and the cheapest one to buy; the whole field of Internet security seems to be offering too many options and choices. “Do I really need this? Which one is best for me? It’s too difficult to use, isn’t it?” These questions are common among people who have an interest but don’t know where to start.

It seems that most people believe that “e-mail is a pretty secure service” and “anyway, no one is interested in my e-mails”, but in fact there are so many people who have an interest in normal users’ accounts and information. And e-mail itself is not secured at all. Even if the user’s own computer has anti-virus software and a firewall, that doesn’t guarantee that outgoing or incoming messages are secured. The following table (Table 1.) shows a little comparison between postcard, e-mail, registered letter and encrypted e-mail. This kind of comparison is quite common when talking about security issues in delivering messages from one person to another. In my humble opinion this comparison is pretty close to the truth, and gives you an idea of how messages are really going “out there”.

The following picture (Pic. 1) shows how a message can change on the way and why neither sender nor receiver can be sure whether the message has been tampered with or not, if no kind of encryption is used. This case also represents the postcard. When posting a letter or an encrypted e-mail, the possibility that the message changes on the way decreases significantly; this is represented in the second picture (Pic. 2).

Pic 1. Postcard / E-mail without encryption

Pic 2. Letter / E-mail with encryption

The animations above represent the situations of sending a message via postcard or letter, or e-mail with and without encryption. In both cases sender and receiver are not aware of which kind of picture the other one is seeing. They can just believe that “This is the picture the receiver will see. / This is the picture the sender wanted me to see.” So it is very difficult to prove afterwards whether the message changed on the way or not. Well, common sense says: “How about I give him/her a call and ask about this?” But are people really willing to do that after every single message? I am not. Then the whole idea of sending an email is basically useless, if it’s not sure whether the message is going through without changing on the way.

Whenever people are sending their personal information, job applications, contracts, whatever contains any piece of personal information, like name, social security number, address, phone number, etc., why not use encryption? Well, at least I’m not willing to put those pieces of information on a postcard, are you?

There was an earlier, somewhat similar post in our blog: “The Difference Between A Stolen Mailbox and a Steel Envelope: An interview with gWebs CTO Anderson Jin.” Please check it out also!

MailCloak, Security, email, email encryption, encryption, personal

MailCloak Pro in Public Beta!

April 17th, 2009

MailCloak for Pro is a combination of all of Global Web Security Systems’ breakthrough encryption programs, and a little more. Download MailCloak Pro here!

MailCloak Pro = MailCloak for Firefox + MailCloak for Mail Clients + MailCloak for Internet Explorer (only available in MailCloak Pro)!

MailCloak was designed from the ground up to be the first encryption program for browser-based email and POP3/SMTP email. MailCloak Pro supports ALL mail clients, while making GnuPG public-key encryption so simple anyone can use it! And everyone using it is the goal. That’s why MailCloak works with today’s most popular webmail systems as well.

Now you and your contacts can easily exchange encrypted email, and it doesn’t matter what they use - Gmail on Firefox? Hotmail in Internet Explorer? YourCustomDomain.Com with Outlook (custom domains are only supported in Outlook and our upcoming SMB version)? They’re all supported! And MailCloak works with cross-platform systems too - that’s because we use the Gnu Privacy Guard, which makes MailCloak compatible with tons of other GPG programs on any platform you can think of. Mac, Linux, even legacy DOS users can exchange email with MailCloak users.

Key features include:

Automatic Key Exchange: MailCloak’s automatic key exchange feature automatically attaches your public keys to outgoing emails, and automatically imports your contacts’ public keys from incoming emails.

Automatic Encryption: Just turn MailCloak on and send email as usual - if you have already done a key exchange, your email will be encrypted.

Respect for Privacy: MailCloak stores your keys on your computer, not ours. So you can be confident that only you and your recipients can read MailCloak encrypted emails.

End-to-End Encryption: MailCloak encrypts your email on your computer, and decrypts it on the recipient’s computer. Absolutely no one else will ever be able to read your email. See my previous post to understand the difference between HTTP/S encryption and End-to-End encryption.

Here’s an animation of MailCloak working in Mozilla Thunderbird:
Encrypt and Digital Signatures in MailCloak For MailClients

MailCloak Pro is tested and works with the following email clients:

  • Outlook 2002
  • Outlook 2003
  • Outlook 2007
  • Foxmail 5
  • Foxmail 6
  • Outlook Express 6
  • Koomail 5.32
  • Thunderbird 2.0.0.21
  • DreamMail 4.4

If you don’t see your email client on the list, don’t fret: MailCloak for Mail Clients works with most (all that we’ve tested) Windows XP POP3/SMTP mail clients, so go ahead, download MailCloak and give it a spin.

MailCloak has also been tested on following web browsers:

Mozilla Firefox 3.0 - 3.1b (not included in our current beta, but can be added separately with a free download and will be included in future releases.)

Microsoft Internet Explorer 6, 7

And all Trident based browsers, including (but not limited to):

  • Avant Browser  11.0
  • gisoon 1.0
  • GreenBrowser 5.0
  • maxthon 2.0
  • MyIE 3
  • Tencent Traveler 4
  • The World Browser 2

Download MailCloak Pro here!

If you would like to report that MailCloak works with your email client or browser, or if you experience any problems installing or using MailCloak, please let us know!

Gwebs, MailCloak, Release, Security, email, encryption, new, software

MailCloak for Mail Clients now in public beta!

April 9th, 2009

MailCloak for Mail Clients, a cross-compatible cousin of MailCloak for Firefox, is the first GnuPG encryption plug-in which works in any email program, and it’s super easy to use too! You just install it on your Windows XP or Vista computer and then continue sending email with your current email client.

MailCloak supports: Outlook, Outlook Express, Thunderbird, Foxmail, Eudora, Pegasus Mail, Lotus Notes, and more (we haven’t tested all email clients, but it works with everything we’ve tested).

To start using MailCloak for Mail Clients, you don’t have to change a thing: just download, install, do a key exchange, and start sending strong GnuPG encrypted emails! MailCloak even works with your existing PGP keys.

Click here to go to the MailCloak for MailClients download page.

Using MailCloak in Thunderbird

MailCloak for Mail Clients allows users of any POP3 or SMTP email service to use MailCloak’s GnuPG email encryption. GnuPG is strong PGP encryption with up to 4096 bit public keys, and MailCloak is compatible with all other GnuPG encryption programs, so with MailCloak you can send secure email to anyone on just about any platform.

MailCloak supports Outlook, Thunderbird, Eudora, and more (we think it supports all POP3/SMTP mail clients, but we can’t test them all).  If you use webmail, like Yahoo! mail or Gmail, try MailCloak for Firefox!

MailCloak GPG Encryption in Windows

We worked really hard to ensure using MailCloak for Mail Clients is easy as pie.

To use MailCloak for Mail Clients, install it and fire up your mail client – whichever it may be.

At this point you should notice the MailCloak floating menu. Right click it to turn it on, and send an email. MailCloak will automatically attach your public key to this message if you don’t have the recipient’s public key, or encrypt the message if you do. When you are done sending encrypted messages, simply turn MailCloak off and write emails as usual.

To make MailCloak even easier, we’ve created an automated testing program called Cryptobot. Turn MailCloak on to attach your public key to all outgoing email, send Cryptobot an email, and wait for a reply to see what happens!

After you give MailCloak for Mail Clients a whirl, please tell us what you think on the MailCloak Encryption Forum. You can also use the forum to ask us your questions. We’ll do our best to answer your questions and help you through any problems you might have.

You also can find documentation on our email encryption wiki.


MailCloak, Release, Security, email, email encryption, encryption

HTTP/S, Email Encryption and the Email Life Cycle

March 20th, 2009

Misguided Impressions.
A majority of the people I talk to mistakenly think that email is safe. The slightly more tech savvy among us – people who read about things like email security in Wired or Cnet or Lifehacker – believe, incorrectly, that HTTP/S encryption will protect their email from eavesdroppers. Yet only the truly security-aware understand that it takes “end-to-end” and “data-at-rest” encryption to protect an email message across its entire life cycle. These individuals also understand that whole accounts are practically impossible to protect – so they concentrate on protecting the important messages.

Traceroute to gmail

While it is true that “data-in-motion” encryption like SSL and HTTP/S will protect emails from internet-café wireless eavesdroppers, we should be cognizant of the fact that that’s about all it protects us from. As the notorious Sarah Palin incident so poignantly illustrates, it doesn’t matter how you connect to your webmail: using just data-in-motion encryption is not enough.

So let’s get things straight. HTTP/S, SSL and TLS protect your messages as they travel from you to your email service provider or vice versa – usually the first fraction of a second in an email’s online life. During the rest of the email life cycle, HTTP/S encrypted emails exist in plain text. Only true end-to-end encryption, the kind that MailCloak, FireGPG, Enigmail and PGP provide, can protect an important email for its entire life cycle.

The Email Life Cycle:
Below is an outline of the life cycle of a typical email. As you’ll see, an email passes through a lot of hands (routers) between sender and recipient – and there’s no way to tell how clean these hands are. We will use the example of you, a Gmail user, sending email to your friend Alice, a Yahoo! Mail user, to make things more concrete.

1.    You write an email and click send.

2.    The email travels from your computer over your LAN to your router, then “hops” to your ISP, and then over the Internet to Google’s nearest Gmail data center. The connection between your computer and Gmail may be encrypted with HTTP/S. If so, your message will be protected across these hops (I usually count 12-15 hops on a traceroute to Gmail). If you didn’t use HTTP/S, each of these routers could (and many of them do) copy and index your message – you have no way to know.

3.    The message arrives at Google, and is indexed and saved on redundantly backed up servers. You can now see your message in your “sent” mailbox.

4.    Google now sends your message across the Internet to Yahoo’s datacenter. You can’t do a traceroute from Google to Yahoo, but you can assume that the route takes at least a few hops. At this point your message is traveling in plain text, so each router between Google and Yahoo can copy and index your message. Any of these routers may be located in a government surveillance center.

5.    Yahoo! receives and indexes your message, then transfers it to Alice’s inbox.

6.    Alice now connects to Yahoo! and downloads the message. Again, the message hops over a dozen or more routers or computers before reaching Alice.

7.    Alice reads the message.

8.    The message and attachment reside indefinitely on Google’s and Yahoo’s servers. Anyone who logs into either your or Alice’s account can search the account, and if they search the right keywords, they will find your message.

Protecting an Email Message Throughout its Life Cycle.
It turns out that with minimal changes to this life cycle and the user experience, a message can be permanently protected from any and all eavesdroppers. All one has to do is encrypt (cloak/scramble) the message between steps one and two (after clicking send, but before the message goes out over the network), and decrypt the message between steps six and seven (after downloading, but before reading) and the message will always be safe, because it will never be exposed to the internet in plain text. This is called end-to-end encryption because your message is only in plain text at the endpoints. It’s also called data-at-rest encryption, because the email is only stored as an encrypted message.
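The life cycle above can be modelled in a few lines to compare who sees readable text with HTTP/S alone and with end-to-end encryption. This is an added example, not MailCloak code or part of the original post; `toy_cipher` is a labelled stand-in for OpenPGP (not real cryptography), and the observer names, key and sample message are constructed.

```python
import hashlib

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for OpenPGP: XOR with a SHA-256 keystream. NOT real crypto;
    it only makes the payload unreadable to the observers in this model."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# (observer, link_uses_https) for steps 2-6 of the life cycle. Servers
# terminate HTTP/S, so they always see the payload exactly as it was sent.
PATH = [
    ("routers: you -> Gmail", True),     # step 2
    ("Gmail servers", False),            # step 3: stored and indexed
    ("routers: Gmail -> Yahoo", False),  # step 4: plain text per the article
    ("Yahoo servers", False),            # step 5: stored and indexed
    ("routers: Yahoo -> Alice", True),   # step 6
]

def who_can_read(message, keyword, end_to_end, https=True):
    """Return (observers whose copy contains keyword, text Alice ends up with)."""
    key = b"constructed-demo-key"  # known only to the two endpoints
    # Encrypt between steps 1 and 2, before the message leaves the sender.
    payload = toy_cipher(key, message) if end_to_end else message
    exposed = []
    for observer, link_uses_https in PATH:
        hidden_by_transport = link_uses_https and https
        # Step 8: a stored or copied message is found by a keyword search.
        if not hidden_by_transport and keyword in payload:
            exposed.append(observer)
    # Decrypt between steps 6 and 7, after download and before reading.
    delivered = toy_cipher(key, payload) if end_to_end else payload
    return exposed, delivered

if __name__ == "__main__":
    msg = b"Q3 merger terms attached"  # constructed sample message
    for e2e in (False, True):
        exposed, delivered = who_can_read(msg, b"merger", end_to_end=e2e)
        print("end-to-end" if e2e else "HTTP/S only", "->", exposed, delivered)
```

With HTTP/S only, both providers and the routers between them can find the keyword; with the payload encrypted at the endpoints, no observer can, and Alice still recovers the original text.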

MailCloak and Standards-Based Encryption
MailCloak, along with a host of other OpenPGP-based programs, will help you encrypt your messages with end-to-end encryption. When we wrote MailCloak, we chose to use GnuPG OpenPGP encryption because all OpenPGP programs can talk to each other – and there’s an OpenPGP program for just about every computing platform out there. If you have Windows XP and you use Gmail, Hotmail or Yahoo! Mail, or a standard POP3 email client, you can use MailCloak – MailCloak will be available for Vista and Windows 7 soon. If you have Mac or Linux, we recommend FireGPG for Gmail on Firefox, or Enigmail for your POP mail.


Security, email, email encryption, encryption

MailCloak PE GPG Encryption addon for Firefox in Public Beta!

March 16th, 2009

MailCloak Personal Edition, Email Encryption for Firefox is finally open for Beta Testers!

MailCloak is the new GPG based email encryption add-on for today’s top webmail services. MailCloak encrypts Google Gmail, Yahoo! Mail and MSN Live Hotmail with super strong 4096-bit key GPG encryption.

You can download the Firefox add-on directly from us, or from addons.mozilla.com! POP3 versions will be available soon, and the SMB (Small & Medium Business) version will be ready soon after that.

After you have installed MailCloak, you will be prompted to create a key pair. Once that’s done, you’re ready to go.

Check out our detailed quick-start guide if you want some hand-holding; otherwise go ahead and log in to your web-based email account (this version supports Google’s Gmail, Yahoo! Mail and MSN Live Mail) and send someone an email. If MailCloak is turned on, your public key and an invitation to MailCloak will automatically be attached to this email. If the recipient is using GPG, PGP, or MailCloak, they will be able to send you encrypted email. When you get their key, you will be able to send them encrypted email. We’ve also created Cryptobot to make this easy to test.

Open Source Encryption, closed source connectivity.
We chose to build MailCloak on top of the industry standard, open source GNU Privacy Guard (GPG/GnuPG). GPG uses the OpenPGP standard, first written by Phil Zimmermann in 1982. OpenPGP-standard compliant encryption is used by 96 of the top Fortune 100 companies, the Department of Defense, and millions of home and business users around the world.


Gwebs, Security, email, email encryption, encryption, software