Deutsch (Active: English)


“E-Mail Made in Germany”: A Summer’s Tale of Secure E-Mail

2013-08-09 14:12:00, 46halbe

While the public debate about PRISM, Tempora and XKeyScore is continuing, webmail service providers seem to be finally waking up: Two of the largest e-mail providers in Germany have announced plans to enable encryption on all connections from 2014.

According to the mail providers, they will use SSL/TLS encrypted connections between their servers and their users in the future. It remains unclear whether other providers – such as self-operated mail servers – will also be able to use these encrypted connections.

The Chaos Computer Club (CCC) appreciates these companies’ intention to encrypt their customers’ mail traffic in the future. However, what they haven't said is why the underlying technology, available since the late 1990s, has not been previously enabled by default. A standard feature of competitors’ services – enforced encryption for accessing an e-mail account – is now being sold as a technological advance and an innovation.

Advertising these changes under the label “E-Mail Made in Germany” [1] seems like a desperate effort to bring the already failed project "De-Mail" back into the spotlight. Indeed, these providers are claiming that De-Mail would even improve upon the new practice “in features”.

The supposed improvement is in effect only a shameless game with the users’ increasing problem awareness precipitated by the NSA scandal. It is comical at best if providers are now selling a well-aged technology as a groundbreaking innovation.

What users of these mail services are not being told is that encrypting traffic between mail providers does not mean that the e-mails themselves will also be stored encrypted. Rather, the NSA scandal has shown that centralised services can not be regarded as trustworthy with regard to access from intelligence agencies. Ultimately, the technologies employed are not capable of preventing the installation of wiretapping infrastructure within the system. The provider and intelligence agencies still have complete access to the contents of e-mails and, consequently, will be able to fully analyze them.

The CCC stands by its recommendation of end-to-end encryption using GnuPG/PGP or S/MIME as a sensible instrument to prevent unauthorised access to e-mail.

Instead of true security, the providers use cute little German flag icons to mark supposedly secure mails, spreading feel-good message reminiscent of the German “summer fairytale” of the football World Cup a few years back. Let us hope that the subject of mail encryption will be longer-lived.