Once there was a time when the personal computer did not exist. A time when there were only mainframes and terminals to access them. Some bright spark eventually decided it would be a neat idea to connect them together. After a bit of this another luminous individual thought hey, wouldn’t it be cool if we could send funny little messages between them. Thus email was born, and therein lie the problems with it. The creators of the Simple Mail Transfer Protocol had no idea of the extent to which the whole of society would eventually come to depend on their technology.
Email, like so much of the framework of the internet, is a forty-year-old hand-me-down, patched and mended so many times there isn’t a shred of original cloth left. It is a garment that no longer fits – we have outgrown it.
A few April Fool’s Days ago I wanted to play a joke on my friend Ben, so I sent him an email. In it I mentioned that I was being investigated as a suspect for creating the NetSky computer virus, that I was currently under government surveillance and would soon be arrested. I sent him this email, but not using my own address – to Ben the sender appeared to be AusCERT, the Australian Computer Emergency Response Team. Convinced that the law would soon be beating down my door, Ben gave me a call and began to read the email back to me in hushed tones… as soon as I heard the word “AusCERT” I pretended to panic, told him I had to go, and hung up the phone. After letting him sweat for five minutes I called him back and let him off the hook.
Sending email is about as insecure as it gets. Spend five minutes on Google and you too can play practical jokes on your friends. Have them each confess their secret and undying love for each other then sit back and enjoy the show. Why not invite all their friends to an orgy while you are at it?
Fear not for your inbox – although spoofing a from-address is easy, actually breaking into someone else’s inbox and reading their mail is more difficult. If Ben had chosen to reply to my fake email, the message would have gone to the real AusCERT. That’s not to say that vulnerabilities don’t exist. Every time you send an email to someone, that email is stored on your computer, the computer of the person you are sending it to, at your ISP, their ISP and every single step in between. It is stored in plain text that anyone can read so long as they have access.
The solutions to these problems already exist. I have set up my Thunderbird email client to digitally sign every message I send, using the GNU Privacy Guard. That way the recipient can verify that I was really the one who sent the message. I can also choose to encrypt the entire message so that only the recipient can read it. That way even if the message is intercepted by a third party it will just look like gobbledygook to them.
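From the recipient's side, the two points above (a From header is only unauthenticated text, and a signature is what lets the sender be verified) can be turned into a quick triage check. This is an added example, not code from the original post; the messages, addresses and `.example` domains are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

def domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def has_pgp_signature(msg):
    """True if the message carries a PGP/MIME or inline clearsigned signature.
    Presence only: the signature still has to be verified with GnuPG."""
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        return True
    for part in msg.walk():
        body = part.get_payload()
        if part.get_content_maintype() == "text" and isinstance(body, str):
            if "-----BEGIN PGP SIGNED MESSAGE-----" in body:
                return True
    return False

def triage(raw):
    """Return reasons why the displayed sender should not be taken on trust."""
    msg = message_from_string(raw)
    findings = []
    from_dom, rp_dom = domain(msg["From"]), domain(msg["Return-Path"])
    # Heuristic: mailing lists and bulk senders can legitimately differ here.
    if rp_dom and rp_dom != from_dom:
        findings.append("From/Return-Path domain mismatch")
    reply_dom = domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To points at a different domain")
    if not has_pgp_signature(msg):
        findings.append("no PGP signature present")
    return findings

# Constructed sample: the display name claims one sender, the envelope another.
SPOOFED = """\
Return-Path: <someone@freemail.example>
From: "Security Team" <alerts@cert.example>
To: ben@home.example
Subject: Investigation notice

You are under investigation.
"""

# Constructed sample: consistent headers and an inline clearsigned body.
SIGNED = """\
Return-Path: <author@blog.example>
From: Author <author@blog.example>
To: ben@home.example
Subject: Hello

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Ben.
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
```

An empty result from `triage` only means nothing looked inconsistent; authorship is established by checking the signature against the sender's public key, not by the presence of the armor lines.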
The Chinese government wouldn’t be too happy about that. Any form of personal encryption is illegal there – the government likes to know what you are up to. But that’s a story for another day. If you are interested in the political motivations behind cryptography, go and learn all about cypherpunks and crypto-anarchism from the equally cool-sounding Cyphernomicon.
Of course the problem with securing my email system is that you need to set up your email system in the same way. Otherwise you won’t be able to verify that the messages really come from me, and I won’t be able to send you encrypted messages at all.
Setting up such a system is complicated and beyond the ability (or patience) of most people, so naturally it has not gained much popularity. If it had, there would be a lot less spam in your inbox right now. The problem is that all this security should not be the user’s responsibility – it should all be happening behind the scenes, automatically. It should work similarly to the way internet banking uses cryptography, where the end user only needs to keep an eye out for a little padlock icon in the bottom right-hand corner of their browser. This kind of integration cannot happen in the current hand-me-down email system. The time has come to discard the old, and bring in a new standard. Email, IPv4, the x86 instruction set: I’m fucking sick to death of backwards compatibility. Nothing makes an IT worker cringe more than the word “legacy”.
In the meantime I have little choice but to keep sending those digitally signed emails just in case someone, somewhere is actually verifying them.