Defence Against the Dark Arts Lesson One: Encrypting Email

Okay, so I vowed in my post on 27th April that I would learn about encryption – “the Defence Against the Dark Arts of the digital realm,” according to Edward Snowden and others.

Encryption keeps us safe from all sorts of malicious entities that prowl the internet to get our passwords, bank details, metadata, contents, you name it.

What is more, encryption makes mass surveillance a lot more difficult and less cost effective for the spooks. German weekly Der Spiegel calls it an “effective form of protest”.

And so my reasoning went:

“If one of the things we – I – can do to make sure that the spooks have a harder time spying on millions of innocent people is to learn about encryption, if this is one way of reclaiming a free internet, then I think I should try”.

So far, I have been true to my word. As one of the first things that, according to certain anecdotes, initially hindered Edward Snowden’s communication with Glenn Greenwald was the latter’s reluctance to encrypt his emails, I decided to start with that.

I am not going to explain how to set up email encryption in this post. There are many great websites providing in-depth guides that explain this much better than I ever could – some of which can be found at the links in this post.

However, trying to teach myself email encryption has made it clear to me that this can indeed be quite difficult for the average user and so – by way of encouraging other rookies like myself – I would like to share some of the things I have found out and some of the difficulties I ran into. So here goes.


Dementors and Voldemorts: The dangers of unencrypted email

Warning! There are certain dangers to unencrypted emailing:

Your actual email messages are vulnerable as they travel over the Internet, after leaving your email provider’s server. Bad guys can intercept a message as it bounces from server to server on the Internet.

Email has often been compared to sending postcards: because there is no envelope, anyone can read your postcard, not just the person you send it to.

I would still concede that there is a point to the argument that probably not many people are interested in the content of our holiday postcards and quite possibly, the spooks really don’t care much about the contents of our emails either.

However, I am also sure that many people do send sensitive information (such as bank details) by email because it is, in fact, not immediately obvious just how unsafe email really is.

Also, just because the spooks may not be reading our emails, doesn’t make mass surveillance any less wrong on principle and part of this exercise is to make it harder for the Voldemorts, Dementors and members of the Ministry of Magic out there that are after our stuff.

So then: “encrypting your messages before sending them renders them unreadable from the point at which they embark on their journey to the point at which the intended recipient opens them”.


Complications #1 – Encryption depends on both sender and receiver

I mentioned last week that Der Spiegel has a series of articles on encryption which I was going to take as my starting point. Their article (in German) on email encryption is here.

Now, that article is a good starting point (if you speak German), as it provides links to the essential software you need to set up your email encryption. How to then work with what you have just set up though; that’s an entirely different – and much steeper – learning curve.

I am not surprised that Edward Snowden and Christopher Soghoian called for more user-friendly encryption across the internet.

Writes Lee Whitfield:

“While [encryption is] relatively simple to set up for […] geeks it is unlikely to see huge adoption throughout the world because the average computer user simply doesn’t care to know.”

I would suggest that this is because encryption does take a fair amount of work, I am not going to lie about that.

And here’s the other tricky bit: the success of your encryption does not just depend on you.

You can and should encrypt your individual email messages during transit, but both you and your recipient must do some work ahead of time to make the protection work properly.

You can encrypt messages all you like, unless your recipient has a means of decrypting them, you might as well be writing gibberish. Essentially, that is what encryption does: it turns the perfectly intelligible text of your emails into gibberish that is unreadable for anyone without the correct set of keys.

Now, there are two keys – a public and a private one:

The two keys work together so that you need both to decrypt anything. To send an encrypted message to someone you lock the message with their public key and when they get it, they can unlock it with their private key. If they want to respond, then they encode the message with your public key and you can read it with your private key.

If you want to send an encrypted message to someone you must first obtain their public key.

So, not only do you need to go through all the trouble of setting up encrypted email. The person you want to send an encrypted email to needs to do the same. Unless they have already done it that is.


Ways of setting up encryption

I tried encrypting my email in two ways.

As suggested by the Spiegel article, I first used Mozilla’s email client Thunderbird, together with an extension called Enigmail and an encryption software called Gpg4win – all of these are freely available on the web.

It’s certainly worth setting up if you are serious about encryption but I didn’t find the set-up process very straightforward at all. My suggestion is that you find a visual guide that takes you through it as I often had trouble identifying from written guides what exactly was required of me.

Here is what else annoys me about this: inflexibility. Obviously, you can only use this with your own email client. Supposing I am used to webmail and want the freedom to use that as well?

So then, the second option I tried is a Chrome add-on called Mailvelope which “offers free, OpenPGP encryption for most popular webmail services that’s easy to configure and a breeze to use”. Their website offers a free download and step-by-step set-up guide.

I understand that this may have some pitfalls which you can read about here, although comments suggest these have been amended in the most recent versions.

Finally – and I haven’t tried this option because it seems too insecure to me – “In a pinch, you can use a Web-based encryption email service like Sendinc or JumbleMe, though doing so forces you to trust a third-party company.”

Infoencrypt is probably one of the easiest means to encrypt a one-off email. All you need to do is visit the site, type the email to be encrypted, type a password (and verify the password), and click Encrypt. The site will encrypt the email and post the encrypted text so you can then copy and past it into an email to be delivered to a recipient. Once the recipient gets the email, they go back to the site, paste the text into the window, enter the password you used to encrypt the email, and click Decrypt. Your email will be quickly decrypted for the recipient to read. It’s that simple. Although not for the most ardent of security fanatics, Infoencrypt will work just fine for those needing simplistic email encryption.

The reason I am mentioning this is that it may still be better for all you lazy bears out there to use this rather than no encryption at all. Correct me if I’m wrong.


Complications #2 – Fantastic keys and where to find them

Now, once I had my software installed (which did take some effort, swearing and several Thunderbird crashes but may be a smoother ride for anyone who isn’t as inept as I am), I was getting excited at the prospect of creating my sets of keys.

The Enigmail set up wizard takes you through the necessary steps for generating your first set, so this is easy the first time round. If you only have one email account you want to use encryption for, you’re good to go.

However, like most people, I have more than one email account so once I had set everything up for my first account, questions started cropping up:

I have a set of keys for one of my email accounts – how do I get keys for the others?

The answer is actually quite simple as soon as you start familiarising yourself a bit more closely with the programme. Me, being a total rookie with an aversion to email clients, I even had trouble finding the Thunderbird right-hand side menu (yes, I know). Hint: it’s the icon with the little lines in the top right hand corner. From here select “OpenPGP” and then “Key management”.

From then on, it’s quite straightforward and I had some fun playing around with it – particularly searching for people’s public keys via the Keyserver.

For Mailvelope it’s just as simple: click on the little padlock that appears in your browser bar once you have installed Mailvelope and Select “Options”.

Another question that puzzled me initially was how to get at my public key so I could send it to someone. Just like the above question, this is easily resolved by going to the “Key management “or “Options” sections. They will allow you to copy keys to a clipboard or send them directly by email.

My Defence Agaist the Dark Arts training is still in its early stages.

There are a number of questions about email encryption that I have not yet been able to clarify for myself. For example: how do I make sure that a public key I get from, say, a Keyserver rather than the actual person I want to email, really belongs to that person? Ideally, of course, I will swap keys with my friends face to face but supposing I cannot meet the person I want to email face to face? Then how do I verify their identity? From what I understand, anyone could create a public key for anyone else and pretend to be them.

Obviously, my investigations are ongoing. I will keep you posted on how I get on.

In the meantime, I encourage you to have a go. The swearing and nail-biting aside, it’s actually quite fun and knowing that you can stop Voldemorts, Dementors, Death Eaters and rogue officials from the Ministry of Magic from reading your emails – well, that just gives you a nice feeling of empowerment.


3 thoughts on “Defence Against the Dark Arts Lesson One: Encrypting Email

  1. Pingback: Verteidigung gegen die dunklen Künste, Lektion Eins: Emailverschlüsselung | Notes from Self

  2. Pingback: Defence Against the Dark Arts, Lesson 1.2: Further on email encryption | Notes from Self

  3. Pingback: Need another reason to encrypt your email? Read this. | Notes from Self

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s