Can Kim Dotcom rescue secure email?

The exit last week of Lavabit and Silent Circle from the secure email realmÃ'Â has left some secret sharers looking for alternatives. Mega, the "privacy company" of online rogue Kim Dotcom, is one firm preparing to fill the void.

The service, founded by Dotcom after his previous online storage endeavor, Megaupload, was shutdown for fostering online piracy, is reported to be preparing some "hugely cutting edge stuff" in cryptography that it hopes to incorporate to secure email.

That won't be an easy task. Providing functionality that people expect and need, such as searching, fully on the client side could be a major challenge if the mail server can only see encrypted files, said Mega CEO Vikram Kumar.

Another challenge: "Dealing with other email providers which don't support Mega's encryption system," Kumar said in an email.

Key management can also be a snag for someone building a secure email service, said Agari's Vice President of Engineering, Ingrum Putz.

"It's a huge issue," Putz said in an interview. "You have to make sure users have the keys to encrypt messages to other people and decrypt your own messages."

Where the keys are stored can be an issue, too. Some systems -- like the now defunct Lavabit used by whistleblower Edward Snowden -- store keys on their servers and allow users to access them via password. The actual decryption took place on Lavabit's servers.

"The big concern is that if the government goes to a company like Lavabits and wants to look at the email on its servers, it can do so because all the information needed to decrypt that information is on its servers," said Matthew Green, a professor specializing in cryptography at Johns Hopkins University.

That host model of securing data requires trust from a user. "Since the host is doing the actual securing, customers have to trust the host to do it right, and do it consistently, and not to 'break their word' by turning over unencrypted data to third parties, like the NSA," said a source from Cryptocloud Secure Networking who wished to remain anonymous to "minimize extra-legal harassment."

[Also see: After 40 years, email security still elusive]

"Since trust is always imperfect, the idea is that host-based security is a Bad Idea," the source said by email.

Currently, Mega is designed to store only encrypted data. All data is encrypted at the user's computer. That way, Mega doesn't know what's in the files and can't find out what's in them because the encryption keys remain on the user's machine.

"I would assume that's how Mega wants to build its email system," Green said. "Getting that to work right is really hard. There's a lot of challenges there. A lot can go wrong."

For example, Mega uses Javascript to encrypt and decrypt data. That can be problematic with email. In 2007, for instance, Hushmail, which was supposed to be a secure email system, at the behest of law enforcement, used javascript to scrape their customers' password so plaintext versions of their email could scrutinized.

"That essentially turned an assumed endpoint-security service model into a host-based model, which was then exploited by law enforcement organizations to break the system," the source from Cryptocloud said.

"So everyone is very leery of served javascript because it can be intentionally poisoned, or even intercepted mid-stream via BEAST toolkits and whatnot," the source said.

Even if encryption problems are solved, there's always the problem of metadata, which can't be encrypted and can be very useful for any kind of snoop. It includes the subject of a message, who the email is addressed to, who sent it and when it was sent.

"That information is extremely valuable," Green noted. "When the NSA was collecting data from Verizon, all it wanted was metadata. It didn't care about the phone calls themselves."

Read more about data privacy in CSOonline's Data Privacy section.

Join the CSO newsletter!

Error: Please check your email address.

Tags megauploadapplicationsKim DotcomLavabitsoftwaredata protectioncryptographyData Protection | Data PrivacySilent Circle

More about NSAVerizonVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts