If you don't already know this… your email is sent over the Internet unencrypted. It's the digital equivalent of sending a letter through the mail without an envelope. Anybody who comes across it can read it. The Darkmail Technical Alliance, which is composed of some heavy hitters like Lavabit founder Ladar Levison and PGP designer Phil Zimmermann, aim to change all of email with drop-in SMTP and IMAP replacements that will wrap messages in layers of encryption.
"Conceptually, DIME applies multiple layers of encryption to an e-mail to make sure that the actors at each stage of the e-mail’s journey from sender to receiver can only see the information about the e-mail that they need to see. The e-mail’s author and recipient both know who sent the message and where it was bound, but the author’s e-mail server doesn’t—it can only decrypt the part of the message containing the recipient’s e-mail server. The recipient e-mail server knows the destination server and the recipient, but it doesn’t know the sender. So if you arrange the four steps in a line from left to right—author, origin server, destination server, and recipient—each step in the line is only aware of the identity of the entity directly to its left or right."
This could be huge and it certainly has the right people in place to make it happen. They'll be submitting all of it to the IETF as a formal set of RFCs and there is even a pre-alpha GitHub repository.
Check out the rest of the article on Ars… it's really worth a read if you're at all curious about the subjects of security and/or email.
Src: http://arstechnica.com/security/2015/01/lavabit-founder-wants-to-make-dark-e-mail-secure-by-default/
love that art
LIKE LIKE LIKE. Hopefully they'll fix other email issues while they're at it.
That's nice, but does it solve spam? ie anonymous SMTP – part of the security problem is not being able to tell who actually sent the email.
+Jason Honingford There is a lively discussion on the +Ars Technica post about this very thing:
"This actually helps solve the spam problem. The recipient can verify any sender, and (once widely deployed) senders will be verifiable by default, since the message will be signed.
The From: line is the private key of the sender. The final receiving server will also know the initial sender's IP address. If each MTA has it's own public and private keys, and the sending MTA's IP address does not match it's key, it is spam. This would make blacklisting much easier and spamming much harder. "
A good patch. Id still rather see a federated replacement for email completely though. Theres some really daft limits on most severs/set-ups still. Like every 70 characters you need a new line.
Nice. Not that anyone (say the government) would systematically read our e-mails……right? Nice to have though, just in case. 😛