A conversation about the lack of security in sending emails despite having a free universal option available for more than two decades.
Episode #10-22 released on January 12, 2020
I am not going to lie, when it comes to the Internet, there is a lot left to be desired. Heck, our lives have a lot left to be desired. We send and receive daily emails from numerous people and organisations. We send and receive many text messages and we browser the Internet daily. To this day, all these methods of accessing and sending information have security issues. Accessing Internet has issues with unencrypted DNS communications. To send and receive text messages, we must contend with SS7 security flaws, and bad employees of telecoms. And, emails, to this day, continue to be sent in plaintext, easily read by every server that intercepts them, making man in the middle attacks possible. I've talked about how to secure your Internet, and Today, we talk about securing your email.
Now, it is time to talk about OpenPGP, the standard by which we can and have been able to all benefit from the possibility of encrypted emails. This is technology has been around since 1997 and has allowed many people to send and receive secure encrypted emails, that are immune to issues related to MITM interception by both malicious groups and industries. No one can read the email except for the desired receiver.
The reason OpenPGP is so resistant is due to its asymmetric encryption scheme. Like the SSL certificates issued to websites, only the owner has the private key. Everyone else gets a public key. You can equate this public key to a person issuing thousands of boxes with locks, but no key. Only the issuer has the key and only they can open the locks to see inside the box. The main difference between OpenPGP key encryption and that of websites is the how you get the encryption key. In order to have the public key, you must get it from a database where the user voluntarily posts it, their website, or directly from them by other means. This makes the process a little more cumbersome for most users, but fret not, it isn't impossible to do.
Still trying to figure out why we don't have universal MITM resistant email?
It is due to the learning curve. There is a standard, but there is no standardized why of implementing it. Thus, some programs can do most of the functions required, but lack the necessary functionality to make it universally capable of every option available by the standard. The cost of entry is, also, an issue. There are many free options, but many developers do charge for the applications.
There are many services that have started offering the public key encryption service to allow for emails resistant to MITM interception. This makes those communications more secure. And, as part of project for 2020, I will, also, aim to integrating that option, but this means that together we will have to explore options that make sense for my own community, but on YouTube and the rest of the Internet.
So, in the meantime, I challenge you all to use a free utility called GPG4USB which you can get at https://www.gpg4usb.org/. Tell me what you think of this tool and try to integrate it for a week in your own lives.
Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net