Don't understand encryption

Elektra
Active Albatross
Posts: 152
Joined: Fri Oct 24, 2008 7:25 pm

Don't understand encryption

Wed May 27, 2015 7:10 pm

Please excuse me if the following sounds stupid but I'm having trouble getting my head around this subject.
If I let Hideaway encrypt all Outlook mail I send, I understand it will be very difficult for snoops to intercept and read but, if that's the case, how will the person I am sending it to be able to read it?
User avatar
rusticdog
Firetrust Monkey
Contact:
Posts: 14814
Joined: Mon Jun 13, 2005 6:27 pm

Re: Don't understand encryption

Thu May 28, 2015 3:12 pm

Right yeah, it's not your emails that get encrypted, rather your connection to our servers. I'll see if we can expand on that information on the product page.

For example when using public wifi that can be snooped, and when using an email client that doesn't make use of SSL/TLS then your password is transmitted in plain text so potentially could be extracted.
User avatar
nick.bolton
The Big Cheese
Posts: 2086
Joined: Thu Aug 28, 2008 4:02 pm

Re: Don't understand encryption

Thu May 28, 2015 3:30 pm

The data in your emails are encrypted (Everything is, including the email and connection info) up to the point that they reach our server in a different country, then the email is decrypted at that server and sent on its way to the destination so the recipient can read it.

If you want encryption all the way for your email (end to end), we're working on something for that but it means the sender and recipient need to have the same encryption and decryption software.
Elektra
Active Albatross
Posts: 152
Joined: Fri Oct 24, 2008 7:25 pm

Re: Don't understand encryption

Thu May 28, 2015 7:33 pm

nick.bolton wrote:The data in your emails are encrypted (Everything is, including the email and connection info) up to the point that they reach our server in a different country, then the email is decrypted at that server and sent on its way to the destination so the recipient can read it.
So, in this case, the only things that change are the country of sending and IP address. Not very useful in the grand scheme of things.
If you want encryption all the way for your email (end to end), we're working on something for that but it means the sender and recipient need to have the same encryption and decryption software.
This makes sense and was always the way that genuine encryption worked to date. Thanks to both of you for the explanations. :)
User avatar
nick.bolton
The Big Cheese
Posts: 2086
Joined: Thu Aug 28, 2008 4:02 pm

Re: Don't understand encryption

Thu May 28, 2015 7:46 pm

FYI, here's the product page for the email encryption product when it's finished
http://www.firetrust.com/en/products/en ... encryption
Elektra
Active Albatross
Posts: 152
Joined: Fri Oct 24, 2008 7:25 pm

Re: Don't understand encryption

Thu May 28, 2015 9:10 pm

Again, probably a stupid question...
In order to read the content of the mail you are sending, the recipient also needs to have EncryptUs installed at his end. Unless you are using an unique PGP key for each mail sent, logic seems to suggest that all anyone wishing to snoop needs to do is to install EncryptUs too?

And the fact that your sales page uses government spying as one of the main criteria for installing your product will make it a priority for such agencies to find a way to circumvent your encryption. It would not surprise me at all if you get approached with a deal to provide them with a back door while maintaining the sales pitch based on security from prying eyes. It serves their purpose much better if users feel they are protected when in reality they are anything but!

As you have decided to give EncryptUs away free, it would seem a better option to automate the sender verification and make that an integral part of Mailwasher Pro. Classic 2-step marketing...get a foot in the door with a useful freebie then upsell a paid-for product by tying the 2 together with an indispensable option!

Why automated verification? I imagine many people are like myself and receive well over 50 mails per day. Clicking on a verification link for each mail would be more a nuisance then a benefit. Therefore, if the verification was automatic so that MW would alert the user only in the event of a suspect mail, he would waste much less time.
User avatar
nick.bolton
The Big Cheese
Posts: 2086
Joined: Thu Aug 28, 2008 4:02 pm

Re: Don't understand encryption

Thu May 28, 2015 9:30 pm

Each email is encrypted with AES encryption using a unique random password, that password is then encrypted with the recipients public key and both the encrypted email and the encrypted password are sent to the recipient. The recipient uses their private key to decrypt the password which is then used to decrypt the email message. Everyone has their own unique public and private key, so you can't decrypt other people's messages because they won't be encrypted with your public key and you won't have their private key. So, no, there's no chance of snooping unless you have the recipients private key - which is only stored on their PC. We're not doing a cloud based system.

Yes, governments around the world all have spying legislation. In New Zealand here we have a Telecommunications Interception Act and if required they may ask to gain access, although I'm not sure how we'd do this because everything is done on the users computer so there's nothing to give them access to. It's not a cloud based system they can tap in to.

The sender verification is pretty easy actually, we'd add a link in the bottom of the email but also use the standard digital signature icon found in email clients, also in the application you'll be able to go through a list of emails and see an audit trail. Good idea on the integration with MW, we planned to do something like this so you could also read the emails decrypted in Mailwasher - because otherwise it's not a very good preview.

Return to “HideAway”