back to article Deutsche Telekom launches 'NSA-busting' encrypted email service

Deutsche Telekom and United Internet have launched a super-secure German email service that they claim defeats the data-sniffing shenanigans of the likes of the NSA. The partners announced that they were starting an initiative for "secure email communication across Germany". "Germans are deeply unsettled by the latest reports …

COMMENTS

This topic is closed for new posts.

Page:

  1. ratfox Silver badge
    Devil

    Interesting

    Does this mean that if everybody opens a mail account on a German email provider, and uses HTTPS to communicate with that provider, then everybody's mail will be private?

    …Apart from the German government, that is…

    1. Anonymous Coward
      Anonymous Coward

      Re: Interesting

      So you have doubts about HTTPS? No one else does.

      Of course, the Titanic is unsinkable and the earth is flat, but HTTPS is secure.

      1. Yet Another Anonymous coward Silver badge

        Re: Interesting

        HTTPS is pretty secure. theonly weakness would be if the government could send a secret order to force the certificate authorities to hand over the private keys and then order them not to tell anyone.

        And what kind of free democratic nation would do that ?

        1. Steven Roper
          Joke

          Re: Interesting

          "And what kind of free democratic nation would do that ?"

          I don't think that word means what you think it means. As I understand it, "Democratic" - as in "The Democratic People's Republic of Korea" or "The German Democratic Republic" - means something like "a nation governed in such a way is to give its citizenry the illusion that they have a say in how the country is run." You seem to have misunderstood the "the illusion that they have" part in that definition. Also, "free" is the standard word used by dictators from Napoleon to Obama to describe the conditions in the countries they preside over.

          So, in actual fact, pretty much every "free democratic " nation would indeed do what you say, in keeping with what they really are...

    2. Christian Berger

      Re: Interesting

      Well apart from the German government and just about any other government that wants to get it.

      Ohh... and did I mention that Deutsche Telekom actually had a "spying on journalists" scandal a few years ago... and that they have a current one in which they spy on many of their customers for "fraud detection" purposes?

      1. Grikath

        Re: Interesting

        The german secret service has the standard "european" mandate.. Believe me that they can still read your mail if there's a need.

        But at least there still needs to be a court order, or "reasonable suspicion" before they can get away with it.

  2. NoneSuch Silver badge

    Without seeing the technical details this is hard to judge.

    <sarcasm>

    However, given the in-depth development time of three-four weeks, I suspect it is chastity belt safe.

    </sarcasm>

    1. Anonymous Coward
      Anonymous Coward

      > However, given the in-depth development time of three-four weeks

      As I recall, United Internet have been offering a secure email service for years.

      And as for the disadvantage of it being limited to participating providers, and disclosure being possible to authorised parties with the appropriate mandate under German law, that's fine insofar as I suspect this is more intended to be used as an industrial counter-espionage measure than by private citizens going about their normal business.

      Aside from this, United Internet have always had pretty decent privacy clauses in their contracts. E.g., according to their T&C they will tell anyone without a valid court order to fuck off, and for those with a valid court order, you will be informed and given an opportunity to challenge it.

  3. JimmyPage
    Thumb Up

    Can they export *that* ?

    If so, I for one would sign up in an instant. As indeed I suspect a lot of UK citizens with. And pay for it.

    I wonder how Big Dave would spin that - a clear demonstration of people not trusting the uk.gov ?

    1. amanfromMars 1 Silver badge

      Dave has huge export problems should he not engage and import this* and that**

      I wonder how Big Dave would spin that - a clear demonstration of people not trusting the uk.gov ?

      Dave, the pathetic politically incompetent puppet, will spin it with platitudinous reactionary comment to try and hide the evermore obvious truth and fact, that both he and they who support him and his ilk in both male and female phorms in the sham and scam that is supposed to be Parliamentary democracy, are nothing but expendable, easily replaceable pawns to a Knightly Round Table of Dervishes and Plethora of Mass Media Controllers and Alternate Reality Gamers, and in the Free Spirited Virtual Domain with Dominion and AIR&dD* Traffic Flight Control of CyberSpace, HyperRadioProActive IT Players of Great Means and Alien Memes ...... QuITe** Magic Genes

      Just in case you are new here, and have been missing all of the fun in Registered developments .... *Advanced IntelAIgent Research and digital Development/**Quantum Internet Technologies

      1. James 51

        Re: Dave has huge export problems should he not engage and import this* and that**

        someone must have put something in my tea because a lot of this actually made sense.

        1. amanfromMars 1 Silver badge

          Re: Dave has huge export problems should he not engage and import this* and that**

          Don't underestimate the both real and virtual possibility, and therefore eventual inevitable probability available to all who can/would think deeper both vertically and laterally, that you are become much smarter than of late and do not accept as true all the tales you be told and programmed with for the reality of others with an exclusive self-centred power control agenda, James 51, which you may discover is essentially and exclusively catastrophically predicated on the flow control, to Aspiring Sources Conspiring with Informed Intelligence Services, of flash fiat currency/QE cash transfers/magic paper trails to partnering Ponzi participants,

          Further development in the field and in Quantum Communication delivers NEUKlearer HyperRadioProActive IT Assets which be more than just a tad dangerous and extremely explosive to both seek to ignore and deny and destroy.

          However, .... it should be said and particularly well noted and accepted, and is shared as a fit and proper fair warning to all that would mull on doing negative individual harm for leading personalised rather than collective AIdDVenturer and ARGonaut advantage, that Intelligence and IntelAIgent Persons of Interest Exploring and Exploiting/MetaDataMining and Core Fuel Enriching the Virtual Team Terrain with Stealthy Active Provision of Cyber Command and Control Systems are not without Absolute Key Protection and IMPeccable Security Arrangements, which suffer not the sad actions nor tolerate the mad thoughts of Fooled Intelligent Beings/Status Quo Systems Rogue and Renegade Bots.

    2. STZ

      Re: Can they export *that* ?

      --- and pay for it ?

      You can sign up to web.de or gmx for free...

  4. Anonymous Coward
    Anonymous Coward

    No system, no process, no security is ever 100% unassailable. Assume that at some point, someone not on the access list will see your content.

    1. Anonymous Dutch Coward
      Holmes

      Yes. And your point is?

  5. Marketing Hack Silver badge
    Black Helicopters

    I dont know how long this service is going to last

    A) Deutsche Telekom has a majority stake in T-Mobile in the U.S. So they have tens of billions in assets to protect, plus the need to participate in further spectrum auctions and other permitting actions. I would guess they have similar investments in other NATO countries.

    B) Germany is a major NATO ally, and has admitted to working with the NSA even recently. Plus they probablyhave similar relationships with gchq and other western SigInt agencies.

    C) Germany has been a planning and logistics center for al Qaeda in the past. For example, Mohammed Atta and his 9/11 cell did their planning and prep in Hamburg before moving to the

    U.S.

    So I expect that it won't be long until someone has a conversation with Deutsche Telekom along the lines of "We don't care what you promise your customers, but we need a back door into your secure email service"

    1. Steve Davies 3 Silver badge
      Black Helicopters

      Nail hit on the head

      DT will have to obey each and every NSA request otherwise T-Mobile will find life very hard in the USA.

      Also, the NSA will argue the fact the T-Mobile is a virtual DT subsiduary and thus the whole of DT is subject to US Laws.

      IMHO, the only safe secure email provider is one that has absolutely NO and I mean NO connections to any entity in the USA. Got a US shareholder? Tough, OBEY or be EXTERMINATED (by fair means or foul) and woe betide any exec of the company trying to visit the US.

      {hhhhmmmm sounds like Daleks....}

      I heard the sounds of a Chinook as I type this reply

      1. xyz
        Coat

        Re: Nail hit on the head

        >>IMHO, the only safe secure email provider is one that has absolutely NO and I mean NO connections to any entity in the USA.

        Oh you mean Apple! (tax avoidance joke! I'll get me....)

    2. JohnG Silver badge

      Re: I dont know how long this service is going to last

      @Marketing Hack Guess who owns about a third of Deutsche Telekom AG? The German federal government.

    3. Anonymous Coward
      Anonymous Coward

      Re: I dont know how long this service is going to last

      > Deutsche Telekom has a majority stake in T-Mobile in the U.S.

      They're actually different companies, but aside from that yes, this is an ongoing concern both with EU and US companies, especially in light of the new data protection directives in the cooking in the EU. Major business concern with huge ramifications. If you care to read the Financial Times or other serious (so WSJ does not count) business publication, it's been in the news at least once a week lately.

  6. Anomalous Cowshed

    Totally secure

    Deutsche Telekom has no links whatsoever with the German government.

    Which has no links whatsoever with the US Government.

    Which is, after all, not really connected with the NSA - that's just a rogue agency operating outside the law.

    So it's totally secure.

    1. Yet Another Anonymous coward Silver badge

      Re: Totally secure

      >Deutsche Telekom has no links whatsoever with the German government.

      Other than having to obey any (secret) laws the German govt decides. And being a large company it has to plat nicely with any little "special requests" if it wants any govt contracts and doesn't want to be auditted into bankruptcy

      >Which has no links whatsoever with the US Government.

      Other than being USA's 2nd special little friend.

      Possibly rising to 1st now that all the enemies are out of aircraft range of the UK or Canada

      1. Anonymous Dutch Coward
        Happy

        Re: Totally secure

        I think you need to bring your irony detection unit in for servicing...

  7. andreas koch
    Black Helicopters

    BND

    Strange that no one has mentioned them yet.

    They ɞɧɚɊ ɇȅȜȠↈʝʬ ʘʚ ʧↈᴟ ᴥᴖᴌᵵᵷ ᵯḧṽẚ ỻỺỽₐⅫ ↀↈ ⱱⱴⱦ along.

  8. Old Handle

    German broadcaster Deutsche Welle reports (in English) that email traffic sent via the new system will “be encrypted while in transit between the sender and receiver”. Access to third parties “is to be granted only in compliance with German law”.

    So in other words it's not really encrypted end-to-end. Or maybe there's a second key that people are just supposed to trust will not be used for mass surveillance. Either way it seems like alot of effort for nothing.

    1. Anonymous Coward
      Anonymous Coward

      "Access to third parties “is to be granted only in compliance with German law”"

      Ahhh! The Canute defence.

  9. Sebby

    It's just a guess, but ...

    I think they're talking about mandatory TLS sessions between SMTP servers. An easy thing to do for a lot of protection, if you're of the view that US-style seizures and gag orders doesn't happen to one in one's own country. Also beneficial to the privacy agenda (and, if necessary, the "Responsible" assistance of local law enforcement).

    And it's about time really. If only DNSSEC were deployed, we could start publishing keys there, and get much more reception towards the idea of mandatory server-to-server TLS that could be set up by anyone, with the only caveat being trust of ICANN and the registries who are, presumably, too big to fail.

    Cheers,

    Sabahattin

  10. Anonymous Coward
    Anonymous Coward

    Does it actually matter if it's 100% reliable or not?

    Does it actually matter if it's 100% reliable or not?

    The point is, by signing up with one of these providers, you're taking a stand, making a gesture, whatever.

    It may well be a futile gesture, but it's relatively easy and relatively low cost.

    It may even encourage similarly minded providers in other countries (AAISP and Zen, are you receiving me? Paresh ex Metronet ex DoD (no not that one), where are you when we need ewe? And the rest.).

    The Man already knows what you're up to, so what's to lose?

  11. Christian Berger

    You can easily do that yourself

    It's just SSL on SMTP, if you set up your own mailserver it probably already does this by default. The real question is, why didn't they do that all along?

    1. Anonymous Coward
      Anonymous Coward

      Re: You can easily do that yourself

      "SSL on SMTP ... You can easily do that yourself "

      Some folk might be able to. A lot more won't (or won't want to).

      "why didn't they do that all along?"

      Dumb clients? (interpret that however you like)

  12. FordPrefect

    Be realistic if you dont want the NSA to be able to view your mail you probably need to do the following :-

    Not use SSL - US companies control most of the root CAs.

    Not use US manufactured equipment and software - Think about that for a while, how many equipment manufacturers of chipsets and CPUs are there. How many BIOS chip designers are there world wide? How many server companies with no US links? Take it to the next step find an OS that's not made by a US company. Bar compiling linux from source I cant think of many. Then look at networks no cisco or juniper or any of the other US companies that manufacture(Huwaei so you can be snooped on by the Chinese instead).

    Next consider encryption, I've no proof that the US can crack 256bit AES or triple DES quickly however the same department thats tasked with signals intelligence suggests to US companies publicly that they use AES-256 wouldn't you be a little bit suspicious? That doesnt count other parts of your encryption software is there problems with keys not being secure enough?

    Ultimately I think it comes down to the most important thing though, do I think the NSA is bothering to read my comms? Nope, I'm just a normal bloke who lives in the UK. I've got no links to anyone interesting. Given that I am literally one of 5+ billion people if the relevant apparatus wasn't properly targeted it would be a monumental waste of time and resources.

    1. d3rrial
      Holmes

      Wouldn't you rather be spied on by the chinese? At least the Chinese government has no interest in sharing with your government, what political views you have and what protest you'd like to attend / organize etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Wouldn't you rather be spied on by the chinese?

        Most of the governments/states under discussion here will simply do whatever they consider expedient - if the chinese state thought it could gain advantage in a trade involving data (eg) siphoned from Huwaei products it would do so. And in any case, who says that such data isn't going to be stolen and/or leak?

        So no, I would not "rather be spied on" by the Chinese. I'd rather be spied on by nobody, seeing as that very little that I do should amuse and/or interest even the most bored spy or policeman.

  13. DrXym Silver badge

    It's unlikely to be secure

    Unless the web server integrates with client side encryption such as an open sourced browser plugin using GPG (for example), it CANNOT be secure. You have to trust the server to encrypt your email and not peek at it, to use a secure form of transmission and a secure form of storage.

    Basically none of these things are possible. While it's possible that hosting email in Germany makes it harder for US security to lay their mitts on it, it doesn't mean German security can't lay their mitts on it. And who knows, if you're suspected of being a paedo, or a terrorist or having links to either then Germany may well cooperate or share intelligence with the US any way.

    The only way proper secure webmail will happen is if an aforementioned plugin appears and webmail supports it, or vastly better if Mozilla / Microsoft / Google / Apple et al knock their collective heads together and produce some secure extensions for HTML. For example, if there was a secure text area HTML element which was a black box to the web mail client it could encipher or decipher content without telling the webmail JS what that content was.

    1. Sebby

      Re: It's unlikely to be secure

      Or, perhaps, if HTML were upgraded a bit to support client-side key generation, enrolment and export in a sensible fashion, we might have S/MIME for the masses. That has to be a hell of a lot better than the nothing we have today; at least as good (bad) as the TLS sessions used on the web.

      1. DrXym Silver badge

        Re: It's unlikely to be secure

        I think PGP would be better to be honest. The major problem with S/MIME which caused it to die a death is its very hard to create a key - production keys have to be signed by a CA and that usually costs money and *always* involves hassle since it expires and there is a rigmarole associated with obtaining or renewing one.

        It would be largely academic which crypto was used if it was blackboxed though. When you composed an email the recipients list would be fed into the secure text area and how they were used to encrypt the message would be left to the implementation. Could be PGP, could be something else. As long as it was standard across all browsers.

        As an aside I often wonder if the web would be secure by default if a PGP style web of trust had been used instead. i.e. a random website could roll a key, and instantly enjoy encrypted traffic. But if they wished they could have their keys signed by their suppliers, notaries, business associations, CAs etc to establish higher trust.

        1. Anonymous Coward
          Anonymous Coward

          Re: It's unlikely to be secure

          As an aside I often wonder if the web would be secure by default if a PGP style web of trust had been used instead. i.e. a random website could roll a key, and instantly enjoy encrypted traffic. But if they wished they could have their keys signed by their suppliers, notaries, business associations, CAs etc to establish higher trust.

          It would be better done lower down in the stack, dynamic session/encryption keys created between systems as part of the SYN-SYN-ACK handshake... except of course that wouldn't work for stateless connections....

          What we need is a new stack, a new protocol, which dynmically exchanges keys on every connection, each connection/session using a unique key... it'd add overhead to communications processing though... oh and not controlled by Americans.

          That would fix encryption in flight, then you need to address the storage protocols, so everything stored is encrypted when stored, with a key which is only ever held in volitile memory, entered by the user when they require data access. That still doesn't stop law enforcement (at least in the UK) where they can compel encryption key disclosure with the threat of jail time... There is no easy way to beat that.

          1. P. Lee Silver badge
            Happy

            Re: It's unlikely to be secure

            > What we need is a new stack, a new protocol, which dynmically exchanges keys on every connection, each connection/session using a unique key.

            Do you mean IPSEC?

            1. Anonymous Coward
              Anonymous Coward

              Re: It's unlikely to be secure

              Do you mean IPSEC?

              Yeah kind of, but as the standard operating mode of the stack...

  14. Anonymous Coward
    Anonymous Coward

    Deutsche Telekom launches 'NSA-busting' encrypted email service

    ... IN NAME ONLY! Give me a break .There's so much underlying interest in capturing our personal data from advertisers to spying agencies to governments. All in the interest of efficiency of course, and all with weasel clauses, double speak and outright lies.

    Does anyone remember when George W stated he never used email or electronic means for decision note taking. What he as dumb as he looked or very astute? I for one am feeling a need to return to pen and paper for ultra-private matters and local business dealings where its possible.....

  15. Busby

    EU wide please

    What we need is something spanning Europe. Surely theres a demand for this now, if not for personal use for the masses then there are a lot of companies out there interested.

    I think at this point the current protocols used for communication are obviously insecure almost as if by design. Whomever comes up with a secure easy method for communication stands to make an awful lot of money. All the recent NSA press attention will hopefully spur someone and we may see something fit for 21st century use.

    1. Anonymous Dutch Coward

      Re: EU wide please

      It's useless. The proposed German system would also turn over the unencrypted data to the authorities. This may mean the NSA would not snoop on you (or have to work harder at it, i.e. by asking the German government nicely), but our own "democratic" governments would still be able to do so...

      I'll get my coat with the GPG man page printout now...

  16. Anonymous Coward
    Anonymous Coward

    This will be about

    Germany protecting its commercial interests from NSA and GCHQ snooping. Can't say I blame them.

  17. Henry Wertz 1 Gold badge

    On the contrary...

    "DT will have to obey each and every NSA request otherwise T-Mobile will find life very hard in the USA."

    On the contrary, reportedly T-Mobile (due to being part-owned by Duetsche Telekom) and Verizon Wireless (part owned by Vodafone) were exempt from certain of the NSA's illegal spying programs that AT&T Wireless and Sprint gleefully participated in, because they (the NSA) figured DT and Vodafone would feel free to leak about these illegal programs (and indeed, under European privacy laws may have been compelled to reveal their knowledge of them). AT&T and Sprint on the other hand stayed mute.

    1. Marketing Hack Silver badge
      Black Helicopters

      Re: On the contrary...

      Only now that the cat is out of the bag, the NSA may be less concerned about leaks of something that is already leaked!

      (I'm not paranoid, just ahead of my time!)

  18. Anonymous Coward
    Anonymous Coward

    That should work

    ...for about a day before it's circumvented.

  19. Steven Roper

    Encryption alone is not enough

    No matter how effectively a message is encrypted, it can be intercepted and saved indefinitely in its encrypted form and then decoded at leisure. And with the computing power available to the three-letter agencies "at leisure" isn't very long at all in the scheme of things.

    Better security would be achieved by breaking the encrypted file into pieces and routing each piece separately through a different random path each time, interspersed with rubbish pieces to further obfuscate the real ones. This way, no one system can capture the entire message and piece it back together. The internet is already set up to operate on this basic principle; all that's needed is software to ensure that no two packets go by the same route.

    The weak point in this system would of course be the sender's and receiver's ISPs; of necessity, both ISPs would have every piece pass through them. A possible workaround would be an open network of interconnected wireless routers, linked between neighbouring homes and offices. This way, part of my message could go through my ISP, part through my neighbour's ISP, part through the guy down the road's ISP. The recipient could receive the message the same way. This way, even if all of us were on the same ISP (as in some areas where one big company has a monopoly), the ISP sees packets from multiple customers and has no way to tie any group of packets back together into a single file.

    At present, this is conjecture, as in my area people aren't yet amenable to interconnecting their wireless routers, but I've heard of districts where this is being done already, and as governments and companies continue to encroach on our freedoms, I'm sure people will in time come to see the necessity of doing this.

  20. Michael Habel Silver badge

    So.... Instead of the NSA, and or your GCHQ getting all the juicy info. It all simply just goes straight to the BND (i.e. the Bundesnachrichtendienst), then... Well that's ok then!!

  21. Salts

    As we are not US citizens...

    and have been told quite rightly we are not included in their constitution(for what that's worth these days), then at least by using European services we can.

    1. Financial give a little poke in the eye to the US

    2. At least have a legal framework of some description that we are covered by and some is better than none

  22. Electric Panda

    Germany also gathers foreign intelligence via the BND (Bundesnachrichtendienst). Wouldn't surprise me remotely if they do domestic work as well.

Page:

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020