back to article ISP GMX attempts the nigh impossible: PGP for the masses

Internet service provide GMX claims to have overcome the notorious usability problems of PGP with the launch of a new email service that offers end-to-end encryption. The new email security works across all devices and platforms: including laptops, tablets, smartphones and web browsers, according to GMX, which says that the …

  1. Dan 55 Silver badge
    WTF?

    "One alternative is of course SSL", said the expert.

    No it's not. SSL offers security for data in transit but not for data at rest.

    1. Anonymous Coward
      Headmaster

      Re: "One alternative is of course SSL", said the expert.

      Somewhat sketchy use of the word "security" there Dan

  2. Anonymous Coward
    Anonymous Coward

    ... said Ken Munro of PenTestPartners

    "One alternative is of course SSL"

    If he really did say that, I suggest you may want to look for a different "expert".

    As mentioned by Mr. Double Five, SSL is transport, not content, encryption.

  3. Anonymous Coward
    Anonymous Coward

    This may explain...

    ...the recent change, last month or so, when they moved their email operation from the US back to Germany (where GMX originally started).

    This would stop them from getting hit with a subpoena a la Hushmail, as there is no remotely legal way you can pull that off in Germany.

    I've been a GMX user for close to 20 years now and I've been entirely satisfied with them all along the way thus far.

    1. DropBear Silver badge

      Re: This may explain...

      I'm genuinely happy for you if you are. Just let me mention as an anecdotal data point that after years of use, they simply locked me out of my account then when I inquired as to why, using a different account from a different provider, they only replied "yep, it was not an error, the decision was justified". Failing again to offer any clue regarding the reason. And I'd like to note I've never, ever, ever did anything sketchy with that or any other mail account I ever had - to this day it's a complete mystery for me what they were smoking when they did that. So I sincerely hope you have a local copy of your mail and never, ever end up needing to rely on their fucked-up idea of customer support. Oh, and by the way - fuck those uncle-molesting fuckers with a @%$^## &U%^ @#$# &U*&* @#$#$ *)(#$ #$%^^& @$ #$% ^&...!!!

      1. Anonymous Coward
        Anonymous Coward

        Re: This may explain...

        > Just let me mention as an anecdotal data point that after years of use, they simply locked me out of my account

        Were you using a gmx.net, gmx.de, or gmx.at account without having German or Austrian residence? I don't know if that's still the case, but those are subject to different conditions than other addresses, and in that case you would not have had a leg to stand on.

        In any event, if there were no ongoing legal proceedings or blatant abuse on your part, they should at least have allowed access to your account to retrieve your emails, as I recall from their T&Cs. Failing that you could have sent them a (paper) letter or requested assistance from the relevant consumer organisation.

        I agree with always backing up your emails. Personally I have three online (as in, real time) copies, and two off-line ones. Redundancy is key with anything computer related.

  4. JimmyPage Silver badge
    Big Brother

    How long until it's illegal in the UK ?

    Just wondering

    1. Mage Silver badge

      Re: How long until it's illegal in the UK ?

      April 2019

      1. Dan 55 Silver badge

        Re: How long until it's illegal in the UK ?

        Not sure. Seems like crypto is illegal now...

        Cops charge Cardiff man with “training, researching” how to use crypto software

        1. Anonymous Coward
          Big Brother

          Re: How long until it's illegal in the UK ?

          Christ alive!

          He has additionally been charged with being in possession of a "Universal Serial Bus (USB) cufflink that had an operating system loaded on to it for a purpose connected with the commission, preparation, or instigation of terrorism."

          WTF?

          They have made possessing an operating system (shock! horror!) on a USB stick (more shock! more horror!) a "terrorist" offence too???? What the hell OS was it? Windows 10?

          I suddenly feel compelled to burn anything that might ever have had Qubes, Tails, Whonix, BSD or Linux on it before I get "rendered"

          The police state's gone completely stark-staring 100% certifiably MAD. Didn't take long, did it? :(

          1. tony2heads
            Joke

            Re: How long until it's illegal in the UK ?

            the operating system must have been Vista, since that is well known to cause terror.

        2. Walter Bishop Silver badge
          Facepalm

          Cardiff man named Samata Ullah ..

          Well that should have been a red flag right away. If he'd called himself Da'i Ullah he might of got away with it. I guess 'Land of my Fathers' should now be re-titled "Land of my 'alaba" :)

          @ Dan 55: 'Cops charge Cardiff man with “training, researching” how to use crypto software' ref.

  5. Gnosis_Carmot

    If you aren't doing the encryption yourself.....

    ... you should have no expectation that it will remain encrypted. If you really have to encrypt it's safer to assume there's a flaw/backdoor in place than to trust a provider to do encrypt for you.

    1. Charles 9 Silver badge

      If you can't just turn the key and get an encrypted system set up...

      ...you're never going to go mainstream. Encryption is too difficult for the average user to understand, so "going it alone" is not an option. By your standards, if the only way to do it right is too hard for the average person, no wonder encrypted e-mail never takes off. You're basically saying it's a bridge too far. And that's bad for ALL of us.

      Besides, what's to say the program you use to create your own keys isn't backdoored in some clever way or is already broken by the TLAs without your knowledge. And you can't code encryption from scratch because doing it right is HARD. Meaning you can't trust YOURSELF to do it, nor can you trust ANYONE ELSE to do it, either. Logically, that means you can't trust ANYONE to do it right. IOW, we're screwed.

      1. Doctor Syntax Silver badge

        Re: If you can't just turn the key and get an encrypted system set up...

        "...you're never going to go mainstream."

        Even if you have it working turnkey that won't be enough to go mainstream because it's still an add-on. Few people know anyone who uses encrypted email because the people they know don't know anybody who uses encrypted email because...so it's not worth using encrypted email. It needs to be incorporated in email standards as the default mode of operation. As it also makes provision for signing it should have a major part to play in preventing phishing and other email scams.

        1. Anonymous Coward
          Anonymous Coward

          Re: If you can't just turn the key and get an encrypted system set up...

          But then the keys get STOLEN. I recall Realtek's driver signing key (a private key) got stolen and used to make signed malware that couldn't be revoked easily (because so many PCs use Realtek chips on their motherboards for audio).

    2. joed Silver badge

      Re: If you aren't doing the encryption yourself.....

      if nothing else, the "assistance if the key is lost" makes the whole scheme sound fishy. Unless the assistance is limited to consolation email.

    3. Major_Variola

      Re: If you aren't doing the encryption yourself.....

      And If it not encrypted, its published. Lol, fappening, DNC, Sony, love it.

    4. Anonymous Coward
      Anonymous Coward

      Re: If you aren't doing the encryption yourself.....

      You haven't read or understood the article. You *are* doing the encryption/decryption, that's why it's called end-to-end. The provider has no copy of your private key.

  6. C. P. Cosgrove
    WTF?

    re: How long until it's illegal in the UK?

    OK, it's a fair cop, I'll put my hands up to it !

    About twenty years ago I had a copy of 'The Anarchist's Cookbook' on a hard drive - briefly - and right at this moment I think I have two memory sticks with different versions of Linux on them on my desk at the moment..

    Chris Cosgrove

  7. P. Lee Silver badge

    The issue is less "encryption" and more "identity management"

    What if public keys were put in email headers and once you had someone's public key you could send them encrypted email? Otherwise it goes out plain-text.

    You still have the problem of email systems without plugins - web-based for example.

    What if you also automatically web-hosted all your *sent* email and included an https URL with your correspondent's public key automatically added to your web-server and associated with their identity? With any web client in which they have installed their certificate, they can read the mail you sent them. Maybe after the certificate exchange there could be an automated password exchange so that your mail server can accept passwords for those using non-certificate-capable platforms. You might want that for friends, but disable all encryption for non-sensitive commercial email, circulars etc. Identity management is, er, key.

    Since you hold the data, if they lose their key that isn't too bad and there is no reason why a mail client can't decrypt email and store the plain-text if you want. They can generate a new key-pair and send you the new public key. Your mail client can do a three-way handshake to confirm the identity isn't just spam and flag you to check with the person manually that they haven't had their account compromised.

    Key distribution, multi-application key management and graceful fallback is the key to success.

    1. Dan 55 Silver badge

      Re: The issue is less "encryption" and more "identity management"

      The problem is you're supposed to already have the public key, not the message, because you don't know if you can trust the message. You may also want to send a message to them first, but you can't encrypt it because you don't know their public key.

      Maybe putting the public key in a header is okay, if they all match from that sender then the mail client can assume it's safe to go ahead. Something like SSH's first connection certificate - it makes things easier and it's probably okay to use.

  8. Reliance

    The Browser Can Be Spoofed

    It's pretty simple to install, or just run, JavaScript malware in the browser. So it shouldn't be too hard to spoof the user into entering the plaintext to the malware. Afterwards, the malware could run the GMX code to send the message as intended.

    The browser itself is a security hole.

    1. Charles 9 Silver badge

      Exploits All The Way Down...

      With that attitude and a Don't Trust Anyone world, ANYTHING could be a security hole, even the CPU used to run your OS and everything on top of it. IOW, you're basically saying NOTHING is safe. At which point, you're left with a choice. Do you take the chance or abandon everything and go live in the mountains somewhere?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019