E-mail Cannot Be Fixed. It Must Be Replaced

As a member of Generation X, I grew up with the development of the Internet, from the days of Geocities with its obnoxious banner ads to the dotcom bubble to the rise of surveillance capitalism. I’m not old enough to have some kid tell me “OK, boomer,” but I’m starting to look like a UNIX greybeard. Through all of the constant change of the tech industry, one of the few constants has been e-mail: it’s been around longer than I have, but I’ve seen it go from a useful form of communication to a blight upon the land which society has been unable to purge.

E-mail’s main problem is security. For hackers, it is a popular attack vector because of the large proportion of non-technical users on the platform. Phishing depends on this lack of security. Spam affects almost anyone with an account. Sending an e-mail is like a postcard: anyone with access and a desire can read it, so sending sensitive information in an e-mail is a Bad Idea. Even so, e-mail is so convenient that it still common for passwords and financial information to be sent with it anyway.

Privacy advocates are rightfully leery of e-mail. E-mail encryption with PGP is a little better, but while the message body itself and attachments are safe, everything else is unchanged. The sender’s address, the recipient’s address, the subject line, where the message was sent from, time and date information, and any other information about the message is still readable by anyone. The U.S.’s NSA actually likes people using PGP because it lights up a person’s communications like a Christmas tree. Factor in other little nasties, like remote images called “web bugs,” and it is no surprise why e-mail isn’t private.

If problems are so rampant, why is e-mail still used? Simply put, it’s everywhere, and nothing has been able to fully replace it. In some ways, e-mail is the ultimate social network: pretty much anyone and everyone has an e-mail address. There are more people who use e-mail than there are on Facebook by a large margin. Microsoft, Google, and Yahoo have made it ridiculously easy for anyone to have at least one account for free. Your e-mail address is also your online identity for most online services. Microsoft Exchange, by way of Outlook, is the lifeblood for thousands of businesses. Unfortunately for the vast majority, there is great inertia to be overcome by anything intending to replace it.

All things considered, it’s not terribly surprising that the world is in the mess that it’s in. Ray Tomlinson invented what evolved into e-mail back in the 1960s to send messages over ARPANET. The first e-mail client was hacked together from two existing programs, and the first e-mail was just a test message that contained throwaway gibberish that has long since been forgotten. The protocols used to send and receive e-mail as we know it now didn’t appear until the early-to-mid 1980s. The Internet was a much smaller, more academic, and more trusting environment than it is today, and so the protocols were designed with a very different set of assumptions.

Many have tried – or are trying – to replace e-mail, but none have succeeded. The possible alternatives are many: texting, IRC, Slack, Microsoft Teams, Facebook Messenger, Skype, Whatsapp, Snapchat, Signal, and Jabber (XMPP) are just the beginning. The inertia to overcome is unspeakably large. There are other reasons, though, the largest of which is none of them do everything that e-mail does in the same kinds of ways.

What does e-mail do, anyway? It mostly sends messages. These aren’t like the short chatroom messages found on IRC. E-mail messages can be longform, too. Because of HTML e-mail, these messages can be just as visually appealing as a slick website with a big marketing department behind it. Try that with Slack. Files can be transferred, too, although with spam and antivirus filtering being what it is nowadays, it can be tricky. E-mail is also a relatively simple channel-based form of communication, meaning that one-to-one conversations are the primary focus but it’s also possible to include others.

E-mail possesses a few qualities which make it quite good at what it does, too. It connects a large portion of people on the planet. No other platform has its reach. It is federated, so anyone can run their own server. No commercial entity owns it, unlike most supposed “e-mail killer” products. It is simple enough to easily integrate into a variety of products and workflows. Conversations are easily archived and it can even be used as a sort of data filing system. By being a channeled form of communication, not everything has to be a group chat. Few tools are as flexible.

On the opposite end, people have more than a few complaints about e-mail. First and foremost, there is far too much of it. Sadly, most of the e-mail that many people receive is from colleagues at work or the sales, marketing, or billing departments of corporations. So very little of it is the kind of one-to-one conversation that brings people together. According to a report from Statista, more than half of e-mail sent is spam. That’s a lot of traffic that people don’t want to see. Even worse are “Reply All” storms. Although less common, it’s not unheard of to receive an e-mail intended for someone else altogether, which could have potential legal ramifications. People receive too much junk, not enough useful e-mail, and some of it is dangerous.

It’s obvious that while e-mail has a lot going for it, it also desperately needs fixing, and the flaws in its foundations point strongly to replacement. For starters, without PGP, identity is a free-for-all. PGP replaces one issue for another, establishing identity at the expense of being notoriously tricky to set up and use. Pair this learning curve with requiring your contacts to learn and use it in order to send e-mail to you, and you have a recipe for poor adoption. Few want to be bothered. DMARC solves many problems, but it is challenging to set up correctly, doesn’t fix everything, and the individual setting it up doesn’t reap the benefits and protection. For many organizations there is little motivation to dedicate resources to its setup and use. In fact, most organizations haven’t bothered. E-mail servers expect to have access to metadata for routing and security, so it is impossible to completely encrypt an e-mail. Using HTML, the language of the World Wide Web, as a formatting medium creates potential for security and privacy problems. There has to be a better way.

Although defining a person’s identity has been a problem for philosophers for much longer, nailing down a definitive way to uniquely identify a person has been equally complicated in the realm of technology. Cryptography has the potential to solve this puzzle, and by applying cryptography effectively, it would be possible to remedy the problems of identity, security, and privacy in one fell swoop. This is where Anselus comes in. By starting with a different set of assumptions, new communications protocols can be designed to protect people and prevent the many kinds of bad behavior that are associated with e-mail. Will it succeed? Only time will tell.

Is E-mail as Bad as You Say? Part II

The first article published on this project’s blog was titled “Is E-mail as Bad as You Say It Is? Yes. Yes It Is.” It demonstrated the title by listing a number of news pieces published by both well-known and less-well-known news sources which illustrated how so many security problems stem from e-mail.

DARKReading, 1/24/2017
The trouble with DMARC: 4 serious stumbling blocks
DMARC has major setup challenges and then comes maintenance.

Wired, 5/14/2018
Encrypted Email Has a Major, Divisive Flaw
An attack called eFail causes vulnerable e-mail clients to compromise encrypted e-mail.

Verizon, 2018 Data Breach Investigations Report
A 2018 study by Verizon revealed some awful statistics:

  • Phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%). (p.11)
  • 49% of non-Point-of-Sale malware was installed via malicious e-mail (p.5)

ComputerWeekly, 4/19/2019
A Quarter of Phishing Emails Bypass Office 365 Security
Even with advanced scanning techniques, malicious actors still manage to get phishing e-mails past Microsoft.

BleepingComputer, 8/20/2019
Scammer Tricks City Into $1 Million Wire Transfer
A scammer tricked the City of Saskatoon into wiring money. The attack was a classic case of [Business E-mail Compromise] fraud.

Bleeping Computer, 9/10/2019
Business Email Compromise Is a $26 Billion Scam Says the FBI
BEC scams are increasing and highly profitable for the bad guys.

Cisco Talos, 9/20/2019
Emotet is back after a summer break
One of the world’s most dangerous botnets is back and tricks users more by sending spam to a user’s contacts and quoting a user’s e-mail.

ZDNet, 10/1/2019
Former Yahoo engineer pleads guilty to hacking user emails in search for porn
Man uses access from former employer to access over 6,000 e-mail accounts and then pivot to other services from there.

Vice, 2/10/2020
How Big Companies Spy on Your Emails
3 popular e-mail apps on the Apple app store sift through users’ e-mails for the purposes of selling the data.

Bleeping Computer, 4/2/2020
Phishing emails impersonate the White House and VP Mike Pence
Malicious actors are utilizing Coronavirus and implied extortion by US vice president Mike Pence to trick users into clicking on a link.

The Verge, 5/16/2020
Edison Mail rolls back update after iOS users reported they could see strangers’ emails Abstract:
A bug in an e-mail app causes a data breach, despite publisher’s testimony otherwise.

Bleeping Computer, 5/14/2020
Scammers steal $10 million from Norway’s state investment fund Abstract:
Criminals hack e-mail server, monitor all e-mail passing through, execute Business E-mail Compromise attack.

Wired, 8/4/2020
Decades-Old Email Flaws Could Let Attackers Mask Their Identities
Ambiguities in how e-mail server software handles envelope information could enable phishing attacks in organizations with DMARC, DKIM, and/or SPF.

New York Times, 9/18/2020
Iranian Hackers Found Way Into Encrypted Apps, Researchers Say
Hackers linked to Iranian government use phishing, malicious documents, and malware to work around encrypted messaging applications

September 2020 News

Let’s be honest, not a lot of news has not been showing up in this section. It’s not to say, though, that nothing has been happening. Far from it, actually. Code has been committed on a regular basis for quite some time, but looking at blog posts, you wouldn’t know it.

The server code has been making steady progress and recently reached some development milestones. It is now possible to create an account and log in. Although that may sound like nothing special, an enormous amount of design work and learning went into it. Prior to Anselus’ founding, I didn’t know much about cryptography. The login process is a three step process. First, the client submits the workspace ID, which is just a UUID without any personally-identifying information. The server checks to see that the workspace ID even exists. Assuming that workspace ID checks out, the client is permitted to submit the user’s password. Nothing particularly special here. Once the password has been verified as authentic, the server performs an encrypted challenge-response request phase that the specific device must pass. Only then is the login complete and the device can access the workspace freely.

Although in most cases a simple username and password combination might suffice, the Anselus platform is intended for more than just everyday situations. Multifactor authentication is becoming more and more necessary, but to be honest, it’s inconvenient and really annoying. The third login phase enables a much more elegant form of MFA. Each device is uniquely identified for a workspace. If the server discovers a new device, it can send a message to other devices on the workspace to request authorization for the new device. The user can allow or deny the new device. Assuming that the device is allowed, it is added to the workspace’s device list. In this way a user can instantly know if their password has been compromised because somewhere else in the world, someone has their workspace ID and password. It also provides a form of multifactor authentication that requires the second factor only when adding a device, and the second factor can utilize any device, not just a smartphone.

The server also provides administrators a number of different ways to create an account. The default mode, private, only permits administrators to register a new workspace. In order to account for the device encryption key handling, the new workspace must be preregistered. The administrator runs a command and the server generates a one-time-use Diceware registration code. The administrator then gives the user the workspace ID and registration code. The user can then finish registration, setting his/her password and the first device can add its device key to the workspace. At no time does the administrator have the user’s password, and because the registration code can only be used once, if a malicious actor does use it, the user will know because registration won’t work. Public mode, the most lenient of the registration modes, allows anyone to create an account. As such it is not recommended, but there are situations where it would be very helpful. Two other modes which will be implemented in the future are moderated, where the user creates the account and an administrator approves it, and network, which functions just like public registration but only for a specific subnet. Although Anselus draws a hard line about end-to-end encryption, it gives service providers ways to manage a service while maintaining the user’s privacy. Getting the design for registration and logins just right has been challenging but worth the effort.

Once registration and logins were running as designed, identity services became the focus. The Anselus platform borrows a number of ideas from the concept of signets, developed for the Dark Internet Mail Environment, to implement keycards. Keycards are digital certificates which do not require a Certificate Authority. They also provide only the minimum necessary identifying information needed to ensure two parties can connect without concern. Anselus servers provide a DNS-like lookup service that also facilitates key exchange. John Doe’s Anselus address, john_doe/example.com, is translated into his workspace address, 38499ed3-92af-4f9b-99f4-7727dbedafa5/example.com. This is so anyone can exchange an easy-to-remember contact identifier. At the same time, for those who want or need extra privacy, a person can simple opt out of creating a user ID and simply use his/her workspace address for communications. Each keycard contains a series of digitally signed entries which contain encryption keys. These keys are only used for key exchange, and the user’s keys for daily communications are never exposed to the outside world. To prevent malicious servers performing man-in-the-middle attacks, keycards are kept in a blockchain which can be altered only by authenticated users, but freely available for anyone to download. Servers are actually required to download full copies of keycard databases from other servers, which reduces synchronization complexity and still provides an easy way for a malicious change to be detected quickly – a user’s client can download a keycard from his/her organization’s server and from the recipient’s server and compare the two. Moreover, those users who would prefer having a local copy of a server’s database will have that option, and considering that each person’s keycard is just a few kilobytes, the entire database wouldn’t be huge except for the largest of organizations.

The potential of Anselus’ keycard service is immense. In addition to the encryption and signature keys used to establish communications between two parties, each keycard also has an extra general purpose encryption key which is public. This means that passwords could be a thing of the past. How? A person enters his/her Anselus address into a form on a website. The web app retrieves the person’s public encryption key and sets up an encrypted session which could only be authenticated properly by that user and no one else. The boost in security and usability cannot be understated: I go to a website, punch in my Anselus address, and I’m logged in. That’s it, and it’s secure, too. While it is true that there are other identity frameworks available, possibly dozens, this has the potential of gaining traction because the security is a side benefit, not the main goal. All in all, this project gets more and more exciting as it progresses. Until next time, friends.

Happy 1st Birthday!

It’s been officially one year since this wild and crazy ride began with asking myself the question, “What would it take to fix e-mail?” In the year since that thought experiment began, it has become apparent that this project will be far more than the question asked and while ridiculously ambitious, it is also possible.

What has been accomplished? Quite a lot. A bargeload of research (or two) has been done, and I have spent many hours learning domain knowledge, such as cryptography and the Go programming language. This website was created. Specs have been written for client-server communications, messages, contacts, and even a replacement for HTML that will be secure and protect user privacy. There is even both server and client code, even if neither is yet complete. Even some general design work for Anselus Connect, the desktop client,

How much code is there? The server code, written from scratch in Go, is a great start. A lot of foundation code has been written and it is possible to log in. Although it sounds very simple on the surface, peeking under the hood says otherwise. The second project milestone, account registration, is very close. Rather than just slap together some test code, writing a proper client base sounded like more fun and a better use of time. The test client has been largely a matter of designing and implementing storage infrastructure. All in all, not bad for just one guy with a family, a day job, and other responsibilities.

The road ahead is an exciting one. Once account registration on both sides is complete, there will be other server-side milestones, such as upload, download, and file synchronization, message delivery, and crypto. Once the server is able to be useful, the really fun stuff – writing the client – can begin. Here’s to a bright future!

November 2019 Development Update

It’s been quite some time since the launch of the project earlier this year. Not much code has been written just yet because more research and thought has been needed. Instead, the project has been developing proper technical solutions.

First in development was research into a possible new binary-to-text encoding algorithm based on another algorithm, yEnc, developed by Juergen Helbing with the goal of reducing overhead when working with non-text files, like attachments and encryption keys. yEnc leverages the majority of the ASCII character set, unlike the standard encoding algorithm, base64. The test algorithm made a few small changes for compatibility reasons. However, it was discovered that both yEnc and the test algorithm were not compatible with the way text is stored, an encoding algorithm called UTF-8. As a result, development efforts in that direction were halted and, instead, base85 was chosen as the preferred encoding scheme, increasing efficiency while still retaining compatibility.

Also under development is AnTM, a new text format designed for a balance of safety and expressiveness. It was inspired by BBCode, another system originally designed for online message boards. “Why do we need ANOTHER format” you ask? Because HTML is a mess in regard to security, complexity, and privacy. Messages on the Anselus platform need to be expressive without compromising user security. It is very much possible to have both: AnTM is easy to write with just a text editor, easy to read and write from code, privacy-friendly, and closes a potential avenue for attack from bad actors that is made available by e-mail.

The structure and architecture of Anselus Server has also been better fleshed out. Originally, it was thought that avoiding the use of a formal database would reduce complexity, but doing so had the opposite effect. For the moment, PostgreSQL has been chosen to be the first official DBMS supported for Anselus Server, having exemplary support, technical excellence, and cross-platform compatibility. Rust was originally slated to be the language for the server’s production code, but for a number of reasons it was decided that Go should be used instead.

The months ahead will focus on building the server side of individual workspaces, starting with completing the database interaction layer. It is an exciting time for the project to see first steps toward a bright future.

Is E-mail as Bad as You Say? Yes. Yes it is.

Here at the Anselus Project, we are very passionate about seeing e-mail take a permanent vacation. If it seems like that passion is unfounded, consider the articles in this reading list. For those who would rather just get to the point, each article has a quick summary.

The Guardian, 8/9/2013
Lavabit email service abruptly shut down citing government interference
Encrypted e-mail service chooses to shut down than give the decryption keys for its users’ e-mail to the U.S. government.

The Register, 1/27/2016
Cops hate encryption but the NSA loves it when you use PGP
NSA loves PGP e-mail encryption technology because while the contents of a message are encrypted, information about the message is not.

Reuters, 10/4/2016
Yahoo secretly scanned customer emails for U.S. intelligence - sources
One of the largest e-mail providers built a search engine so U.S. intelligence could read any of its users’ e-mail.

Counterpunch, 10/6/2016
A Scandal that Reveals More Than It Says: Yahoo Scanned All Users’ Mail for the Government
Scrutinizing public comments from other Big Tech companies reveals additional cause for concern.

CNN, 10/4/2017
Every single Yahoo account was hacked - 3 billion in all
The initial count of compromised accounts in their 2013 data breach, 500 million, was revealed to be far less than reality. Oopsie.

The Daily Dot, 7/9/2019
Fallout over Superhuman’s email privacy scandal continues
Premium exclusive e-mail startup violates privacy of all its clients and their contacts even after making changes to make it slightly less creepy.

ZDNet, 7/29/2019
DMARC’s abysmal adoption explains why email spoofing is still a thing
E-mail technology designed to prevent phishing largely not used because it’s too hard to implement.