NSA-Proof Your Email Without Encryption (opens in new tab)

(ryaneshea.com)

14 pointsrxl13y ago20 comments

20 comments

16 comments · 6 top-level

bowmessage13y ago· 4 in thread

What about the interception of the email as it travels through the ISPs? Won't the NSA still grab a copy as it's sent? I thought that was the whole idea of PRISM.

rxlOP13y ago

When the email is sent, there is no record of the message. There is only an image URI that points to the image that contains the message. So, the NSA won't be able to grab a copy as it's sent. However, if an organization has the ability to intercept all images that are loaded in the browser (through the ISPs, for instance), it can grab a copy of the image containing the message. In that case, some OCR would have to be done in order to extract the message (which, agreed, is not hard to do if you are explicitly looking for messages contained within images).

rfugger13y ago

I'm assuming you secure the image URL with HTTPS at least to minimize the chances that an ISP could intercept it on the wire?

1 more reply

rubyn00bie13y ago

+1 That was my exact thought.

If anything; I think this gives people an impression that they can NSA proof their email-- when in fact they cannot.

The NSA is capturing, and archiving, the data directly from AT&T and Verizon's network. The fact it's set to expire on the OPs servers is of little relevance on theirs (NSA).

Cryptography is the only way to "NSA proof" anything; and only if you do it right.

gopher113y ago

Exactly, they're allowed to store the email, even if ostensibly they're not allowed to read it. But if it ever becomes relevant, they'll simply go back to their copy of the email.

nicholasreed13y ago· 2 in thread

If the recipient's email client automatically downloads the image the first time and makes it always-available to the user, wouldn't that break GhostMail's promise? While Gmail/Hotmail/etc. may not do this now, is there any technical (even an extension) reason they can't? I simply don't see how, even using a 3rd party, you can prevent somebody from holding on to the message forever. In addition, you cannot assume the content is the most important part of the message; all the email headers will exist in perpetuity, and they'll always know you sent them something (if, in the future, GhostMail wanted to do an Undo Send type feature).

rxlOP13y ago

Why do people opt to talk on the phone or use off-the-record gchat instead of send something over email? In both cases, the conversation can still be stored, but the point is to use a communication method for which there is no automatic storage mechanism. You trust your recipient not to record all your phone calls or copy and paste all of your off-the-record gchats, but you just don't want a copy of your messages sitting in their inbox.

As far as your comment on the headers, you're absolutely right. There will always be a record that you sent some message to your recipient at a particular time with a particular subject. However, the details of the message itself are never contained within the headers.

Also, with GhostMail, you already have the ability to "undo send". You can just go into your "sent" folder and view your message before your recipient views it, rendering the message unreadable.

nicholasreed13y ago

I'd agree that there are use cases where it works. For example: if I wanted to send my roommate a password over email, this would be great because the message content would be gone, and I don't care about headers and timestamps. But if I'm sending some secrets, I wouldn't want any record that it was even communicated.

natdempk13y ago· 2 in thread

This doesn't prevent your server/CA being compromised like an encryption scheme like PGP would.

rxlOP13y ago

Yes, if the server is compromised before a recipient reads a particular email, that can allow the attacker to read that email. However, all emails that are read are deleted from the server and unread emails are automatically deleted after a certain number of days. So, if someone was to compromise the GhostMail server, he/she would only be able to read a paltry amount of messages.

bluetooth13y ago

If GhostMail was compromised, the attacker would be able to read messages as they are being sent. Sending messages as images does not stop them from being copied or held for an indefinite amount of time.

1 more reply

lifeguard13y ago· 2 in thread

This is obvious security snake oil. The FAQ makers it clear it does nothing to thwart PRISM etc.

rxlOP13y ago

As people have said, there is always a way from someone to intercept a message. An organization can, at the ISP level, intercept all images that you access in your browser and then perform OCR on the images you receive to extract the message. So there is no foolproof solution here. However, this is simply a service that allows you to send "read only once" emails, with no SMTP records of the message on any servers. It has a certain level of protection that I feel some people will find useful, in the same way that some people really value off-the-record gchat.

lifeguard13y ago

I saw nothing to convince me this is a true statement:

'allows you to send "read only once" emails'

1 more reply

fractalcat13y ago

This is laughable from a privacy perspective. So you delete the emails immediately after they're viewed? We're expected to take your word for this? Are you saying you don't back up your data at all? How do you handle secure removal from backups? How do you perform the deletion? Do your servers use journalling filesystems? Do you expect us to trust (say) Gmail not to prefetch image data embedded in HTML emails? What happens if you get raided?

im3w1l13y ago

This will be safe until it isn't, and the user wont be able to tell when that has happened.

The more you advertise it the faster that will happen.

j / k navigate · click thread line to collapse

20 comments

16 comments · 6 top-level

bowmessage13y ago· 4 in thread

What about the interception of the email as it travels through the ISPs? Won't the NSA still grab a copy as it's sent? I thought that was the whole idea of PRISM.

rxlOP13y ago

rfugger13y ago

I'm assuming you secure the image URL with HTTPS at least to minimize the chances that an ISP could intercept it on the wire?

1 more reply

rubyn00bie13y ago

+1 That was my exact thought.

If anything; I think this gives people an impression that they can NSA proof their email-- when in fact they cannot.

The NSA is capturing, and archiving, the data directly from AT&T and Verizon's network. The fact it's set to expire on the OPs servers is of little relevance on theirs (NSA).

Cryptography is the only way to "NSA proof" anything; and only if you do it right.

gopher113y ago

Exactly, they're allowed to store the email, even if ostensibly they're not allowed to read it. But if it ever becomes relevant, they'll simply go back to their copy of the email.

nicholasreed13y ago· 2 in thread

rxlOP13y ago

Also, with GhostMail, you already have the ability to "undo send". You can just go into your "sent" folder and view your message before your recipient views it, rendering the message unreadable.

nicholasreed13y ago

natdempk13y ago· 2 in thread

This doesn't prevent your server/CA being compromised like an encryption scheme like PGP would.

rxlOP13y ago

bluetooth13y ago

1 more reply

lifeguard13y ago· 2 in thread

This is obvious security snake oil. The FAQ makers it clear it does nothing to thwart PRISM etc.

rxlOP13y ago

lifeguard13y ago

I saw nothing to convince me this is a true statement:

'allows you to send "read only once" emails'

1 more reply

fractalcat13y ago

im3w1l13y ago

This will be safe until it isn't, and the user wont be able to tell when that has happened.

The more you advertise it the faster that will happen.

j / k navigate · click thread line to collapse