Read encrypted emails via webmail?

I was recently asked how to read encrypted emails securely in some untrusted environment via webmail. Imagine you’re sitting at someone else’s computer and absolutely need to check your inbox for this one encrypted email which contains a password without which you can’t continue. Or you’re in some internet cafe and got an important encrypted email – how would you do that?

Actually, the only thing that comes to mind here is a combination of Portable Firefox and FireGPG on a USB stick (possibly encrypted). This, of course, raises a couple of problems:

  1. If you don’t know which OS your “target” computer has, you need to have this “tandem” in at least three different binary versions: Mac OS X, Linux and Windows. While this doesn’t sound too hard (three partitions on the same drive), it’ll probably be harder to encrypt all three and have something like “plug-and-mail-ready” for the target OS.
  2. If you use a non-standard webmailer (i.e. no public service, but your own setup, like I have with roundCube Webmail), you won’t have really good integration with FireGPG (i.e. no interface buttons, auto-decryption and other stuff) unless the webmail software plans support for FireGPG. (roundCube targeted it for “later”.)
  3. And maybe the greatest show-stopper is the question: Is it really secure in untrusted environments? After all, GnuPG needs to load your private key into RAM to decrypt your message, and if it resides unprotected there (does it?), it could, at any time, be read out by some hidden daemon and boom, your private key would be compromised…

How would you solve this dilemma? A VPN to a trusted PC from which you send and receive emails?

If there are no other good solutions then I guess people will have to choose between accessibility from everywhere and email security. And I bet they don’t choose security…

3 thoughts on “Read encrypted emails via webmail?”

  1. “A VPN to a trusted PC from which you send and receive emails?”

    That’s what I do with a slight twist: I have an account on fastmail.fm which buffers and filters all my incoming mail as well as a secure FreeBSD box which holds my long term stuff. Most of the time I use fastmail but if I’m at a PC I don’t trust then I just ssh to the secure box and use IMAP (via fetchmail) and read stuff there.

  2. Hrm… right, ssh’ing into a (secure) email server and starting mutt / fetchmail / whatever would be an option, granted that you take a USB stick with you with PuTTY for all the Windows PCs. But this all sounds so old-school – I mean, come on, we’ve had these possibilities 20 years ago already.

  3. I actually use SSH and mutt. It might be old school, but it’s reliable, fast and as secure as possible in an untrusted environment.
