Is E-mail as Bad as You Say? Part II

The first article published on this project’s blog was titled “Is E-mail as Bad as You Say It Is? Yes. Yes It Is.” It demonstrated the title by listing a number of news pieces published by both well-known and less-well-known news sources which illustrated how so many security problems stem from e-mail.

DARKReading, 1/24/2017
The trouble with DMARC: 4 serious stumbling blocks
DMARC has major setup challenges and then comes maintenance.

Wired, 5/14/2018
Encrypted Email Has a Major, Divisive Flaw
An attack called eFail causes vulnerable e-mail clients to compromise encrypted e-mail.

Verizon, 2018 Data Breach Investigations Report
A 2018 study by Verizon revealed some awful statistics:

  • Phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%). (p.11)
  • 49% of non-Point-of-Sale malware was installed via malicious e-mail (p.5)

ComputerWeekly, 4/19/2019
A Quarter of Phishing Emails Bypass Office 365 Security
Even with advanced scanning techniques, malicious actors still manage to get phishing e-mails past Microsoft.

BleepingComputer, 8/20/2019
Scammer Tricks City Into $1 Million Wire Transfer
A scammer tricked the City of Saskatoon into wiring money. The attack was a classic case of [Business E-mail Compromise] fraud.

Bleeping Computer, 9/10/2019
Business Email Compromise Is a $26 Billion Scam Says the FBI
BEC scams are increasing and highly profitable for the bad guys.

Cisco Talos, 9/20/2019
Emotet is back after a summer break
One of the world’s most dangerous botnets is back and tricks users more by sending spam to a user’s contacts and quoting a user’s e-mail.

ZDNet, 10/1/2019
Former Yahoo engineer pleads guilty to hacking user emails in search for porn
Man uses access from former employer to access over 6,000 e-mail accounts and then pivot to other services from there.

Vice, 2/10/2020
How Big Companies Spy on Your Emails
3 popular e-mail apps on the Apple app store sift through users’ e-mails for the purposes of selling the data.

Bleeping Computer, 4/2/2020
Phishing emails impersonate the White House and VP Mike Pence
Malicious actors are utilizing Coronavirus and implied extortion by US vice president Mike Pence to trick users into clicking on a link.

The Verge, 5/16/2020
Edison Mail rolls back update after iOS users reported they could see strangers’ emails Abstract:
A bug in an e-mail app causes a data breach, despite publisher’s testimony otherwise.

Bleeping Computer, 5/14/2020
Scammers steal $10 million from Norway’s state investment fund Abstract:
Criminals hack e-mail server, monitor all e-mail passing through, execute Business E-mail Compromise attack.

Wired, 8/4/2020
Decades-Old Email Flaws Could Let Attackers Mask Their Identities
Ambiguities in how e-mail server software handles envelope information could enable phishing attacks in organizations with DMARC, DKIM, and/or SPF.

New York Times, 9/18/2020
Iranian Hackers Found Way Into Encrypted Apps, Researchers Say
Hackers linked to Iranian government use phishing, malicious documents, and malware to work around encrypted messaging applications

September 2020 News

Let’s be honest, not a lot of news has not been showing up in this section. It’s not to say, though, that nothing has been happening. Far from it, actually. Code has been committed on a regular basis for quite some time, but looking at blog posts, you wouldn’t know it.

The server code has been making steady progress and recently reached some development milestones. It is now possible to create an account and log in. Although that may sound like nothing special, an enormous amount of design work and learning went into it. Prior to Anselus’ founding, I didn’t know much about cryptography. The login process is a three step process. First, the client submits the workspace ID, which is just a UUID without any personally-identifying information. The server checks to see that the workspace ID even exists. Assuming that workspace ID checks out, the client is permitted to submit the user’s password. Nothing particularly special here. Once the password has been verified as authentic, the server performs an encrypted challenge-response request phase that the specific device must pass. Only then is the login complete and the device can access the workspace freely.

Although in most cases a simple username and password combination might suffice, the Anselus platform is intended for more than just everyday situations. Multifactor authentication is becoming more and more necessary, but to be honest, it’s inconvenient and really annoying. The third login phase enables a much more elegant form of MFA. Each device is uniquely identified for a workspace. If the server discovers a new device, it can send a message to other devices on the workspace to request authorization for the new device. The user can allow or deny the new device. Assuming that the device is allowed, it is added to the workspace’s device list. In this way a user can instantly know if their password has been compromised because somewhere else in the world, someone has their workspace ID and password. It also provides a form of multifactor authentication that requires the second factor only when adding a device, and the second factor can utilize any device, not just a smartphone.

The server also provides administrators a number of different ways to create an account. The default mode, private, only permits administrators to register a new workspace. In order to account for the device encryption key handling, the new workspace must be preregistered. The administrator runs a command and the server generates a one-time-use Diceware registration code. The administrator then gives the user the workspace ID and registration code. The user can then finish registration, setting his/her password and the first device can add its device key to the workspace. At no time does the administrator have the user’s password, and because the registration code can only be used once, if a malicious actor does use it, the user will know because registration won’t work. Public mode, the most lenient of the registration modes, allows anyone to create an account. As such it is not recommended, but there are situations where it would be very helpful. Two other modes which will be implemented in the future are moderated, where the user creates the account and an administrator approves it, and network, which functions just like public registration but only for a specific subnet. Although Anselus draws a hard line about end-to-end encryption, it gives service providers ways to manage a service while maintaining the user’s privacy. Getting the design for registration and logins just right has been challenging but worth the effort.

Once registration and logins were running as designed, identity services became the focus. The Anselus platform borrows a number of ideas from the concept of signets, developed for the Dark Internet Mail Environment, to implement keycards. Keycards are digital certificates which do not require a Certificate Authority. They also provide only the minimum necessary identifying information needed to ensure two parties can connect without concern. Anselus servers provide a DNS-like lookup service that also facilitates key exchange. John Doe’s Anselus address, john_doe/, is translated into his workspace address, 38499ed3-92af-4f9b-99f4-7727dbedafa5/ This is so anyone can exchange an easy-to-remember contact identifier. At the same time, for those who want or need extra privacy, a person can simple opt out of creating a user ID and simply use his/her workspace address for communications. Each keycard contains a series of digitally signed entries which contain encryption keys. These keys are only used for key exchange, and the user’s keys for daily communications are never exposed to the outside world. To prevent malicious servers performing man-in-the-middle attacks, keycards are kept in a blockchain which can be altered only by authenticated users, but freely available for anyone to download. Servers are actually required to download full copies of keycard databases from other servers, which reduces synchronization complexity and still provides an easy way for a malicious change to be detected quickly – a user’s client can download a keycard from his/her organization’s server and from the recipient’s server and compare the two. Moreover, those users who would prefer having a local copy of a server’s database will have that option, and considering that each person’s keycard is just a few kilobytes, the entire database wouldn’t be huge except for the largest of organizations.

The potential of Anselus’ keycard service is immense. In addition to the encryption and signature keys used to establish communications between two parties, each keycard also has an extra general purpose encryption key which is public. This means that passwords could be a thing of the past. How? A person enters his/her Anselus address into a form on a website. The web app retrieves the person’s public encryption key and sets up an encrypted session which could only be authenticated properly by that user and no one else. The boost in security and usability cannot be understated: I go to a website, punch in my Anselus address, and I’m logged in. That’s it, and it’s secure, too. While it is true that there are other identity frameworks available, possibly dozens, this has the potential of gaining traction because the security is a side benefit, not the main goal. All in all, this project gets more and more exciting as it progresses. Until next time, friends.

Happy 1st Birthday!

It’s been officially one year since this wild and crazy ride began with asking myself the question, “What would it take to fix e-mail?” In the year since that thought experiment began, it has become apparent that this project will be far more than the question asked and while ridiculously ambitious, it is also possible.

What has been accomplished? Quite a lot. A bargeload of research (or two) has been done, and I have spent many hours learning domain knowledge, such as cryptography and the Go programming language. This website was created. Specs have been written for client-server communications, messages, contacts, and even a replacement for HTML that will be secure and protect user privacy. There is even both server and client code, even if neither is yet complete. Even some general design work for Anselus Connect, the desktop client,

How much code is there? The server code, written from scratch in Go, is a great start. A lot of foundation code has been written and it is possible to log in. Although it sounds very simple on the surface, peeking under the hood says otherwise. The second project milestone, account registration, is very close. Rather than just slap together some test code, writing a proper client base sounded like more fun and a better use of time. The test client has been largely a matter of designing and implementing storage infrastructure. All in all, not bad for just one guy with a family, a day job, and other responsibilities.

The road ahead is an exciting one. Once account registration on both sides is complete, there will be other server-side milestones, such as upload, download, and file synchronization, message delivery, and crypto. Once the server is able to be useful, the really fun stuff – writing the client – can begin. Here’s to a bright future!

November 2019 Development Update

It’s been quite some time since the launch of the project earlier this year. Not much code has been written just yet because more research and thought has been needed. Instead, the project has been developing proper technical solutions.

First in development was research into a possible new binary-to-text encoding algorithm based on another algorithm, yEnc, developed by Juergen Helbing with the goal of reducing overhead when working with non-text files, like attachments and encryption keys. yEnc leverages the majority of the ASCII character set, unlike the standard encoding algorithm, base64. The test algorithm made a few small changes for compatibility reasons. However, it was discovered that both yEnc and the test algorithm were not compatible with the way text is stored, an encoding algorithm called UTF-8. As a result, development efforts in that direction were halted and, instead, base85 was chosen as the preferred encoding scheme, increasing efficiency while still retaining compatibility.

Also under development is AnTM, a new text format designed for a balance of safety and expressiveness. It was inspired by BBCode, another system originally designed for online message boards. “Why do we need ANOTHER format” you ask? Because HTML is a mess in regard to security, complexity, and privacy. Messages on the Anselus platform need to be expressive without compromising user security. It is very much possible to have both: AnTM is easy to write with just a text editor, easy to read and write from code, privacy-friendly, and closes a potential avenue for attack from bad actors that is made available by e-mail.

The structure and architecture of Anselus Server has also been better fleshed out. Originally, it was thought that avoiding the use of a formal database would reduce complexity, but doing so had the opposite effect. For the moment, PostgreSQL has been chosen to be the first official DBMS supported for Anselus Server, having exemplary support, technical excellence, and cross-platform compatibility. Rust was originally slated to be the language for the server’s production code, but for a number of reasons it was decided that Go should be used instead.

The months ahead will focus on building the server side of individual workspaces, starting with completing the database interaction layer. It is an exciting time for the project to see first steps toward a bright future.

Is E-mail as Bad as You Say? Yes. Yes it is.

Here at the Anselus Project, we are very passionate about seeing e-mail take a permanent vacation. If it seems like that passion is unfounded, consider the articles in this reading list. For those who would rather just get to the point, each article has a quick summary.

The Guardian, 8/9/2013
Lavabit email service abruptly shut down citing government interference
Encrypted e-mail service chooses to shut down than give the decryption keys for its users’ e-mail to the U.S. government.

The Register, 1/27/2016
Cops hate encryption but the NSA loves it when you use PGP
NSA loves PGP e-mail encryption technology because while the contents of a message are encrypted, information about the message is not.

Reuters, 10/4/2016
Yahoo secretly scanned customer emails for U.S. intelligence - sources
One of the largest e-mail providers built a search engine so U.S. intelligence could read any of its users’ e-mail.

Counterpunch, 10/6/2016
A Scandal that Reveals More Than It Says: Yahoo Scanned All Users’ Mail for the Government
Scrutinizing public comments from other Big Tech companies reveals additional cause for concern.

CNN, 10/4/2017
Every single Yahoo account was hacked - 3 billion in all
The initial count of compromised accounts in their 2013 data breach, 500 million, was revealed to be far less than reality. Oopsie.

The Daily Dot, 7/9/2019
Fallout over Superhuman’s email privacy scandal continues
Premium exclusive e-mail startup violates privacy of all its clients and their contacts even after making changes to make it slightly less creepy.

ZDNet, 7/29/2019
DMARC’s abysmal adoption explains why email spoofing is still a thing
E-mail technology designed to prevent phishing largely not used because it’s too hard to implement.