What about transparent email encryption?

Hello dear developers,

I’ve recently checked out Symantec Desktop Email Encryption and they had a very interesting approach. What do you think about a transparent encryption. Gpg could intercept the outgoing and incoming email traffic and do the work for you in the background.
If there’s any input to do, you could send a message to the message center.
It would be an non-intrusive approach to email encryption, one times setup, and it runs without further complications.



Datum: 13.03.2015 08:05
Sender: Bernhard Reiter

Hi Esh,
thanks for your feedback and the suggestion.
I think for the discussion part, the forum or one of the mailinglists would be the best place.
E.g. gnupg-users@. The “mail transfer agent” solution has been discussed many times.
What I have taken from these discussion are two challenges with it:

a) If you use this relay on a server, it is not end-to-end encryption anymore, so you have to trust this server.
So far the Gpg4win Initiative has focussed on end-to-end crypto, so it would be out of scope for us (currently).

b) If you use in on the desktop it could be a personal solution, but in order to make a number of choices
that are almost unavoidable in some situations, it would need to have an interface. The natural place for this
interface is within the application that already handles your email. So from the user interface point of view,
the end-to-end crypto should be build into the client you are already using.

Note that Werner (principal author of GnuPG) also started an MTA solution product in 2001, interest was low,
see http://g10code.com/p-geam.html

Best Regards,
ps.: Flattr Gpg4win at https://flattr.com/thing/2053326,
if you appreciate this answer and my work within the Gpg4win Initiative.
Datum: 12.03.2015 09:50
Sender: Esh L’Orac

I found an interesting project named GPGRelay (http://sourceforge.net/projects/gpgrelay/). It seems to be abandoned since 2005, nevertheless has yet today a userbase. It appears to solve the feature request mostly.

Of course there has to be fixed some bugs with imap relay and added some features mostly to notify and ask the user whether he likes to send the email unencrypted.

It is open source, so why not integrate it into the gpg4win project? It has several advantages, it’s easy to setup, runs even on windows 8.1 and last, but not least, it lets you use your favorite email client without a plugin (so no maintenance for plugins for further versions is needed). What speaks generally against this proposal?

Thanks for your reply.

I’m talking about an Desktop solution, so we can skip challenge a).

Regarding to challenge b) I do have some ideas.

a) the choice we’re all are working towards is to use encryption whenever it is possible. So it does not seem to be a problem to have it turned on by default.

b) You’re right, crypto should be build into the client you’re already using. But this is keeps to be a dream (you even don’t offer a touch enabled client nor an windows store app). So for me it’s the natural choice to pipe the encryption after the client. Also I’m not bothered with encryption as long as none of my friends is using it. (Just like an ABS in your car, you have not to think about it, but it keeps you secure, when you need it)

c) As the necessary user input ist concerned you could use the windows message hub. Just a little message like “you’re sending unencrypted, click to proceed”. In this way the user can keep control whether his messages are encrypted or not. (Or otherwise like gamification: congratulations you’ve send your first encrypted mail)

d) Maybe it is even possible to figure out a way to automatically guess the used email servers from listening to the traffic/connection while email is retrieved/sended from the client. The user would have a to do a minimum setup steps like entering localhost:port to his client and generate keys. No need to learn a new client, no need to enter username and password again.

e) It fixes the problem to have unsearchable mails in your inbox.

Main problems I do have with encryption (and I’m since 10 years aware and affiliated to GPG): change of my client, being not able to search my mails and constantly being remembered that none of my friends want to use encryption. All of these problems are solved by using an local mail relay.

You could even use pubkey.is (it verifies the emailaddress), so the relay can get the right key for the email address without user interaction.

One short remark to pubkey.is.
If you take a closer look at the website and the certificate you can easily find out that there must be something wrong/not trustworthy.
Certificate belongs to: CN = pubkey.is O = Alastair Clark L = London ST = London C = GB. On the website is no relation to this guy (and the certificate ends this month). So I would advise to keep hands off, perhaps just a honey pot for verified e-mail-addresses.