Email Postcards and our Web Contact Form

[Image: Vulture]

Your normal email is less public than this web posting, but not by as much as you probably think. I’ll not get into how easy it is to intercept unencrypted email, except to say that it is very easy to do. Sometimes it is not only easy, but cheap to intercept your email. Yes, there are laws about such things, but some morally challenged people don’t care about those laws any more than the average spammer cares about the laws they break. Besides, those laws don’t reach everywhere your email travels. Even domestic email can be routed outside of the country you are in. Usually, you will have no clue that your email has been intercepted, read, or analyzed by someone you would not like reading your email. The unauthorized reader could be anywhere in the world: criminals, competitors, religiously violent people opposed to the Gospel of Jesus Christ, hostile governments, terrorists, etc. You would be amazed at the routes your email takes, even when you aren’t on a particularly vulnerable network (like a wireless hotspot or cybercafe).

Sometimes I’m not really concerned about the privacy of communications. Sometimes, I intentionally put a message (like this one) in public view. Sometimes, I want more privacy, because the communications are personal, financial, proprietary, easily misconstrued, or something that could endanger someone if revealed to the wrong person. Sometimes I just feel like some communications should be private, even if there would be no harm in saying the same things openly.

OK, so what can we do about email privacy? Actually, there are some high security solutions, some medium security solutions, and some insecure solutions. For high security, use end-to-end encryption, like GPG or PGP. For medium security, use TLS or SSL encryption between your email client and your mail server. Although it is not hard at all to use GPG with Enigmail in Thunderbird, once it is set up, it does take a bit of effort to set up, and some learning to understand the concept of public key cryptography. Actually, that isn’t all that hard. Getting all of your correspondents to use GPG, however, is nearly impossible. That is why SSL and TLS are so attractive. With either SSL or TLS, the email is encrypted between the email client and the email server with no effort required from the user other than to get the initial settings right in the email client when setting up the email account. With SSL and TLS, the email is decrypted at the email server, and may be transmitted between email servers unencrypted, depending on how the email servers along the route are configured. This, naturally, makes this solution much less secure than end-to-end encryption, but it does get the email encrypted past the most vulnerable last leg of the journey, which might be at a wireless hotspot or some similar extremely insecure network. The SSL or TLS solution works well, however, within one organization (like SIL and its affiliates), which uses only a few servers run by trusted parties in secure locations, and all email transfers between those servers are also encrypted. Of course, any email to or from a server that doesn’t support the encrypted transfer protocols (which most don’t) is like a postcard.
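
The hop-by-hop behaviour described above can be checked on a message you have received, because each server along the route records how it got the message in a Received header. The Python sketch below is an added example, not part of the original post: it reads the RFC 3848 "with" keyword on every hop and lists the legs that recorded no TLS. The sample message, host names and the function names hops() and postcard_hops() are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic); example domains and documentation IPs.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby inbox.example.org with ESMTPS id c3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.com (relay.example.com [192.0.2.10])
\tby mx.example.net with ESMTP id b2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.example.com (laptop.example.com [198.51.100.7])
\tby relay.example.com with ESMTPSA id a1; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: constructed test message

Hello.
"""

# "with" keywords that mean the hop ran over TLS (RFC 3848, plus the
# UTF8SMTP variants from RFC 6531). Plain SMTP/ESMTP/ESMTPA record no TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.S | re.I)


def hops(raw):
    """Return (sender, receiver, protocol, tls_recorded) per hop, oldest first."""
    result = []
    # Every server prepends its own header, so reverse for travel order.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        match = HOP_RE.search(value)
        if match:
            sender, receiver, proto = match.group(1), match.group(2), match.group(3).upper()
            result.append((sender, receiver, proto, proto in TLS_PROTOCOLS))
    return result


def postcard_hops(raw):
    """Hops whose header records no TLS. Headers are self-reported by each
    server, so this shows what was recorded, not proof of what happened."""
    return [(s, r) for s, r, _, tls in hops(raw) if not tls]


if __name__ == "__main__":
    for sender, receiver, proto, tls in hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

In the constructed sample the first and last legs record TLS while the server-to-server leg in the middle does not, which is the postcard case.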

Public key cryptography has a known weakness in that it is subject to a man-in-the-middle attack if you are not careful about making sure that the public key you use to initiate a session is actually the one belonging to the party you wish to communicate securely with. Philip Zimmermann, the creator of PGP, solved this brilliantly with the concept of the “web of trust” based on digital signatures on keys for which you, or someone you trust to do it right, has verified the identity and ownership of a public key. It is brilliant except for its asking people who spend much more time watching TV than reading about math and cryptography to care about key signing, let alone understand it. With SSL and TLS, the method of certifying key ownership is a more centralized system with a strict hierarchy of trust. It is worse in that failure in the security of just a few agents could essentially compromise the security of major portions of the secured Internet, but better in that average users need not understand much about how it works or do much to make it work.

To truly be immune to a man-in-the-middle attack with SSL or TLS, however, you need to (1) have a secure web browser and email client on a secure computer, (2) know what to look for in terms of security indications, like the padlock icon that is part of the web browser and not part of the web page, (3) set up your email client properly for SSL or TLS email, and (4) heed any security warnings you get.

That last one was a problem for us on our secure contact form until last week. You see, getting a security warning could mean that a man-in-the-middle attack was in progress, but it also could mean that I didn’t spend lots of money to get a rich corporation to verify my server’s key each year, digitally signing it so that it could be verified with one of the digital certificate authority credentials built into the common web browsers. Another solution was to create my own certificate authority and ask everyone using my site or email servers to import my certificate authority credentials into their web browser and/or email client. However, I found cert.StartCom.org, a service on the web that would act as a certificate authority for free, and which already had its credentials built into the most recent version of several web browsers, including my favorite, Firefox, as well as Safari, Konqueror, Seamonkey, Mozilla, and a couple others. Microsoft Internet Explorer and Opera users still have to install the StartCom certificate authority credentials to gain the full security benefit, but that beats starting from scratch with all of the browsers.

Now, people who use a browser with the StartCom certificate authority credentials in it (either pre-built or installed later) can use our web contact form without getting a security warning. It is important to get rid of the false alarms, so that people can recognize when a real attack might be under way. That form is a much more secure way to contact us than via regular email, because the message is encrypted in transit from your browser to the server via SSL, and from the server to my computer via GNU Privacy Guard (GPG). Of course, my reply to you would be unencrypted once it leaves my email server, but even having a one-way secure line of communication is helpful.

You might wonder what that vulture picture has to do with this. Actually, not much, except that it was flying over the JAARS Center, which is the same place where I saw a computer security demonstration of how easy it is to pull off a man-in-the-middle attack, thus inspiring me to get a properly signed SSL certificate on several of my web sites, including eBible.org and cryptography.org.