EFF’s STARTTLS Everywhere Project

As a sort of sequel to its highly successful HTTPS Everywhere campaign, the Electronic Frontier Foundation has initiated a STARTTLS Everywhere project to improve email security.

Unfortunately, this is likely to prove a bit more challenging than HTTPS Everywhere because of issues with STARTTLS,

Although many mailservers enable STARTTLS, most still do not validate certificates. Without certificate validation, an active attacker on the network can read and even modify emails sent through your supposedly “secure” connection. Since it’s not common practice to validate certificates, there’s often little incentive to present valid certificates in the first place. A brief experiment on Censys shows that about half of the mailservers that support STARTTLS use self-signed certificates.

. . .

When two mailservers support STARTTLS, their insecure connection is opportunistically upgraded to a secure one. In order to make that upgrade, the two mailservers ask each other if they support STARTTLS. Since this initial negotiation is unencrypted, network attackers can alter these messages to make it seem like neither server supports STARTTLS, causing any emails to be sent unencrypted. ISPs in the U.S. and abroad have been caught doing exactly this, and in 2014, several researchers found that encryption on outbound email from several countries were being regularly stripped.

But you have to start somewhere, and the EFF should be commended for going beyond simply issuing policy prescriptions and recommendations, and doing a lot of the heavy lifting to improve end user security.

InboxIt App for Android

InboxIt – Share to Mail is an app for Android designed to improve how Android handles sharing links via email, primarily for emailing links to yourself that you want to read later.

There is no need to type your email address, email title or body. InboxIt with a ‘single click’.

In addition, InboxIt grabs website’s image and description for nicer and more readable emails, no more clicking on emails to figure what article this is, images & videos are also supported (up to 25mb).

The premium 99 cent version will also automatically add a +keyword label for sharing to Gmail addresses, which makes it easier to sort these “read later” emails from other emails.

I have a variety of ways to track stuff I want to read later, and tend to email myself links that I need to follow-up on in the near future. InboxIt just makes those emails all the more useful.

Daniel Miessler: 4 Reasons to Run Your Own Email Server

Every so often on Twitter, a silly mantra goes around: it’s borderline insane to run your own email server. As Daniel Miessler sums up the case against running your own email server,

Email is complex. It’s hard to secure. Unless you’re the end-all, be-all of email administration, you’re likely to do a far worse job at it than Google, Yahoo!, Comcast, or whoever provides you the service today.

At the time Miessler wrote his response to this argument in 2016, he indicated that he no longer ran his own mail server but had done so for four very good reasons.

  1. It’s hard.
  2. You’re now running an internet-accessible service.
  3. You have more control.
  4. You have more privacy.

I still run my own email server largely for all of these reasons.

I do have to emphasize the first point, however. Running an email server correctly and securely is hard.  Even if you have a good deal of technical skills, you are likely to completely f— something up at least once.

On the other hand, I have occasionally had to talk to people at different companies about configuring email in production systems, and while I did not have the same level of knowledge as the folks working in email every day, my experiences did enable to discuss these issues intelligently.

Configuring SSL On Exim/Dovecot

I ran into a ton of problems recently trying to configure SSL on my server’s Exim/Dovecot services.

To solve them, I relied on the excellent CheckTLS.com to give me detailed information about how my server’s security was failing. I probably wouldn’t have been able to troubleshoot my particular problems without this.

In my case, it turned out to be problems with the intermediate certificate. I tried a number of ways to fix this before stumbling upon an answer that I never would have guessed. I kept grabbing the intermediate certificate from my CA, but no matter what I tried it would not authenticate.

I was able to get it to work, however, by copying the content of the CA cert into the exim.cert file using:

$ echo '' >> /etc/exim.cert
$ cat /etc/exim.cacert >> /etc/exim.cert

Phoneme: A Script to Encrypt All Gmail Archives with PGP

Phoneme is a Python script that will encrypt all of the email sitting in your Gmail account using GPG.

Every time it runs it will skip any messages that already start with “BEGIN PGP MESSAGE” in the body, so you won’t end up repeatedly re-encrypting messages.

A (very) simple script to encrypt all existing email in a gmail account with your gpg keys. The intent is that Phoneme is simple enough that even a layperson ought to be able to tell that there’s nothing suspicious going on with the code and it does what it says on the tin.

Phoneme goes through your email, encrypts it with your public key as the recipient, **DELETES THE PLAINTEXT UNENCRYPTED ORIGINAL** and appends it back to the folder it originally was in with the from and date information intact. It does not however remove the plaintext original from your trash folder, so when the full encryption process has finished you may want to check your trash folder and make sure everything is ok before you hit ‘delete forever’

Death of Email, Episode VII

It seems like someone is constantly proclaiming the death of email as in this GigaOm article about IT firm Atos Origin planning to stop using email in its internal operations.

GigaOm writer Miguel Valdes Faura points to things like social networking and tools like Salesforce’s Chatter as things that are gradually replacing email.

Look, here’s the thing — the beauty of (most) email is that it is based on an open protocol, SMTP. I have email I sent and received in the late 1980s that I can still read on an email client that was just released yesterday, thanks to the wide support for SMTP.

I’ve also had the same email address for 16 years even though I’ve changed email hosts 6 or 7 times during that period. During a small part of those 16 years, my email was hosted at another company, but for most of the time I’ve owned the server that my email domain ran on. Today, it is dirt cheap for anyone to grab a domain name and a hosting account that includes a mail server.

Social networking and similar systems are largely the antithesis of prevailing state of affairs with email. I can use my Google+, Twitter, Facebook and other accounts only because those companies have decided to continue to allow me to — and their Terms of Service make it clear they can change their mind at any moment and cut me off for pretty much any reason.

On the other hand, if I get fed up with one of my social networks, there’s little I can do but close my account and leave. Since all of these companies use proprietary standards, I can’t easily move my Twitter account to Facebook, much less even consider moving either account to my own webserver.

I can (and do) get my data out of these systems, with varying degrees of difficulty, but just having static copies of the data doesn’t come close to replicating my account. Moreover, most of these systems seem to be getting less open. Twitter, for example, used to make it obvious where the RSS feed for your tweets was, but now they hide it like they’re ashamed of it (or, more likely, can’t figure out how to monetize it).

Every time I read someone write about relying on social networking or closed systems, I always think of the BBC’s Domesday Project — an early attempt at creating a digital artifact in which more than a million people participated. But, of course, the Domesday Project is famous in part because the BBC chose to use a proprietary technology that quickly became obsolete and almost rendered the entire project unreadable.

Social networking, as it is currently constituted, is one giant Domesday Project just waiting to happen.