
Interesting
Does this mean that if everybody opens a mail account on a German email provider, and uses HTTPS to communicate with that provider, then everybody's mail will be private?
…Apart from the German government, that is…
Deutsche Telekom and United Internet have launched a super-secure German email service that they claim defeats the data-sniffing shenanigans of the likes of the NSA. The partners announced that they were starting an initiative for "secure email communication across Germany". "Germans are deeply unsettled by the latest reports …
"And what kind of free democratic nation would do that ?"
I don't think that word means what you think it means. As I understand it, "Democratic" - as in "The Democratic People's Republic of Korea" or "The German Democratic Republic" - means something like "a nation governed in such a way is to give its citizenry the illusion that they have a say in how the country is run." You seem to have misunderstood the "the illusion that they have" part in that definition. Also, "free" is the standard word used by dictators from Napoleon to Obama to describe the conditions in the countries they preside over.
So, in actual fact, pretty much every "free democratic " nation would indeed do what you say, in keeping with what they really are...
Well apart from the German government and just about any other government that wants to get it.
Ohh... and did I mention that Deutsche Telekom actually had a "spying on journalists" scandal a few years ago... and that they have a current one in which they spy on many of their customers for "fraud detection" purposes?
> However, given the in-depth development time of three-four weeks
As I recall, United Internet have been offering a secure email service for years.
And as for the disadvantage of it being limited to participating providers, and disclosure being possible to authorised parties with the appropriate mandate under German law, that's fine insofar as I suspect this is more intended to be used as an industrial counter-espionage measure than by private citizens going about their normal business.
Aside from this, United Internet have always had pretty decent privacy clauses in their contracts. E.g., according to their T&C they will tell anyone without a valid court order to fuck off, and for those with a valid court order, you will be informed and given an opportunity to challenge it.
I wonder how Big Dave would spin that - a clear demonstration of people not trusting the uk.gov ?
Dave, the pathetic politically incompetent puppet, will spin it with platitudinous reactionary comment to try and hide the evermore obvious truth and fact, that both he and they who support him and his ilk in both male and female phorms in the sham and scam that is supposed to be Parliamentary democracy, are nothing but expendable, easily replaceable pawns to a Knightly Round Table of Dervishes and Plethora of Mass Media Controllers and Alternate Reality Gamers, and in the Free Spirited Virtual Domain with Dominion and AIR&dD* Traffic Flight Control of CyberSpace, HyperRadioProActive IT Players of Great Means and Alien Memes ...... QuITe** Magic Genes
Just in case you are new here, and have been missing all of the fun in Registered developments .... *Advanced IntelAIgent Research and digital Development/**Quantum Internet Technologies
Don't underestimate the both real and virtual possibility, and therefore eventual inevitable probability available to all who can/would think deeper both vertically and laterally, that you are become much smarter than of late and do not accept as true all the tales you be told and programmed with for the reality of others with an exclusive self-centred power control agenda, James 51, which you may discover is essentially and exclusively catastrophically predicated on the flow control, to Aspiring Sources Conspiring with Informed Intelligence Services, of flash fiat currency/QE cash transfers/magic paper trails to partnering Ponzi participants,
Further development in the field and in Quantum Communication delivers NEUKlearer HyperRadioProActive IT Assets which be more than just a tad dangerous and extremely explosive to both seek to ignore and deny and destroy.
However, .... it should be said and particularly well noted and accepted, and is shared as a fit and proper fair warning to all that would mull on doing negative individual harm for leading personalised rather than collective AIdDVenturer and ARGonaut advantage, that Intelligence and IntelAIgent Persons of Interest Exploring and Exploiting/MetaDataMining and Core Fuel Enriching the Virtual Team Terrain with Stealthy Active Provision of Cyber Command and Control Systems are not without Absolute Key Protection and IMPeccable Security Arrangements, which suffer not the sad actions nor tolerate the mad thoughts of Fooled Intelligent Beings/Status Quo Systems Rogue and Renegade Bots.
A) Deutsche Telekom has a majority stake in T-Mobile in the U.S. So they have tens of billions in assets to protect, plus the need to participate in further spectrum auctions and other permitting actions. I would guess they have similar investments in other NATO countries.
B) Germany is a major NATO ally, and has admitted to working with the NSA even recently. Plus they probablyhave similar relationships with gchq and other western SigInt agencies.
C) Germany has been a planning and logistics center for al Qaeda in the past. For example, Mohammed Atta and his 9/11 cell did their planning and prep in Hamburg before moving to the
U.S.
So I expect that it won't be long until someone has a conversation with Deutsche Telekom along the lines of "We don't care what you promise your customers, but we need a back door into your secure email service"
DT will have to obey each and every NSA request otherwise T-Mobile will find life very hard in the USA.
Also, the NSA will argue the fact the T-Mobile is a virtual DT subsiduary and thus the whole of DT is subject to US Laws.
IMHO, the only safe secure email provider is one that has absolutely NO and I mean NO connections to any entity in the USA. Got a US shareholder? Tough, OBEY or be EXTERMINATED (by fair means or foul) and woe betide any exec of the company trying to visit the US.
{hhhhmmmm sounds like Daleks....}
I heard the sounds of a Chinook as I type this reply
> Deutsche Telekom has a majority stake in T-Mobile in the U.S.
They're actually different companies, but aside from that yes, this is an ongoing concern both with EU and US companies, especially in light of the new data protection directives in the cooking in the EU. Major business concern with huge ramifications. If you care to read the Financial Times or other serious (so WSJ does not count) business publication, it's been in the news at least once a week lately.
>Deutsche Telekom has no links whatsoever with the German government.
Other than having to obey any (secret) laws the German govt decides. And being a large company it has to plat nicely with any little "special requests" if it wants any govt contracts and doesn't want to be auditted into bankruptcy
>Which has no links whatsoever with the US Government.
Other than being USA's 2nd special little friend.
Possibly rising to 1st now that all the enemies are out of aircraft range of the UK or Canada
German broadcaster Deutsche Welle reports (in English) that email traffic sent via the new system will “be encrypted while in transit between the sender and receiver”. Access to third parties “is to be granted only in compliance with German law”.
So in other words it's not really encrypted end-to-end. Or maybe there's a second key that people are just supposed to trust will not be used for mass surveillance. Either way it seems like alot of effort for nothing.
I think they're talking about mandatory TLS sessions between SMTP servers. An easy thing to do for a lot of protection, if you're of the view that US-style seizures and gag orders doesn't happen to one in one's own country. Also beneficial to the privacy agenda (and, if necessary, the "Responsible" assistance of local law enforcement).
And it's about time really. If only DNSSEC were deployed, we could start publishing keys there, and get much more reception towards the idea of mandatory server-to-server TLS that could be set up by anyone, with the only caveat being trust of ICANN and the registries who are, presumably, too big to fail.
Cheers,
Sabahattin
Does it actually matter if it's 100% reliable or not?
The point is, by signing up with one of these providers, you're taking a stand, making a gesture, whatever.
It may well be a futile gesture, but it's relatively easy and relatively low cost.
It may even encourage similarly minded providers in other countries (AAISP and Zen, are you receiving me? Paresh ex Metronet ex DoD (no not that one), where are you when we need ewe? And the rest.).
The Man already knows what you're up to, so what's to lose?
Be realistic if you dont want the NSA to be able to view your mail you probably need to do the following :-
Not use SSL - US companies control most of the root CAs.
Not use US manufactured equipment and software - Think about that for a while, how many equipment manufacturers of chipsets and CPUs are there. How many BIOS chip designers are there world wide? How many server companies with no US links? Take it to the next step find an OS that's not made by a US company. Bar compiling linux from source I cant think of many. Then look at networks no cisco or juniper or any of the other US companies that manufacture(Huwaei so you can be snooped on by the Chinese instead).
Next consider encryption, I've no proof that the US can crack 256bit AES or triple DES quickly however the same department thats tasked with signals intelligence suggests to US companies publicly that they use AES-256 wouldn't you be a little bit suspicious? That doesnt count other parts of your encryption software is there problems with keys not being secure enough?
Ultimately I think it comes down to the most important thing though, do I think the NSA is bothering to read my comms? Nope, I'm just a normal bloke who lives in the UK. I've got no links to anyone interesting. Given that I am literally one of 5+ billion people if the relevant apparatus wasn't properly targeted it would be a monumental waste of time and resources.
Most of the governments/states under discussion here will simply do whatever they consider expedient - if the chinese state thought it could gain advantage in a trade involving data (eg) siphoned from Huwaei products it would do so. And in any case, who says that such data isn't going to be stolen and/or leak?
So no, I would not "rather be spied on" by the Chinese. I'd rather be spied on by nobody, seeing as that very little that I do should amuse and/or interest even the most bored spy or policeman.
Unless the web server integrates with client side encryption such as an open sourced browser plugin using GPG (for example), it CANNOT be secure. You have to trust the server to encrypt your email and not peek at it, to use a secure form of transmission and a secure form of storage.
Basically none of these things are possible. While it's possible that hosting email in Germany makes it harder for US security to lay their mitts on it, it doesn't mean German security can't lay their mitts on it. And who knows, if you're suspected of being a paedo, or a terrorist or having links to either then Germany may well cooperate or share intelligence with the US any way.
The only way proper secure webmail will happen is if an aforementioned plugin appears and webmail supports it, or vastly better if Mozilla / Microsoft / Google / Apple et al knock their collective heads together and produce some secure extensions for HTML. For example, if there was a secure text area HTML element which was a black box to the web mail client it could encipher or decipher content without telling the webmail JS what that content was.
Or, perhaps, if HTML were upgraded a bit to support client-side key generation, enrolment and export in a sensible fashion, we might have S/MIME for the masses. That has to be a hell of a lot better than the nothing we have today; at least as good (bad) as the TLS sessions used on the web.
I think PGP would be better to be honest. The major problem with S/MIME which caused it to die a death is its very hard to create a key - production keys have to be signed by a CA and that usually costs money and *always* involves hassle since it expires and there is a rigmarole associated with obtaining or renewing one.
It would be largely academic which crypto was used if it was blackboxed though. When you composed an email the recipients list would be fed into the secure text area and how they were used to encrypt the message would be left to the implementation. Could be PGP, could be something else. As long as it was standard across all browsers.
As an aside I often wonder if the web would be secure by default if a PGP style web of trust had been used instead. i.e. a random website could roll a key, and instantly enjoy encrypted traffic. But if they wished they could have their keys signed by their suppliers, notaries, business associations, CAs etc to establish higher trust.
As an aside I often wonder if the web would be secure by default if a PGP style web of trust had been used instead. i.e. a random website could roll a key, and instantly enjoy encrypted traffic. But if they wished they could have their keys signed by their suppliers, notaries, business associations, CAs etc to establish higher trust.
It would be better done lower down in the stack, dynamic session/encryption keys created between systems as part of the SYN-SYN-ACK handshake... except of course that wouldn't work for stateless connections....
What we need is a new stack, a new protocol, which dynmically exchanges keys on every connection, each connection/session using a unique key... it'd add overhead to communications processing though... oh and not controlled by Americans.
That would fix encryption in flight, then you need to address the storage protocols, so everything stored is encrypted when stored, with a key which is only ever held in volitile memory, entered by the user when they require data access. That still doesn't stop law enforcement (at least in the UK) where they can compel encryption key disclosure with the threat of jail time... There is no easy way to beat that.
... IN NAME ONLY! Give me a break .There's so much underlying interest in capturing our personal data from advertisers to spying agencies to governments. All in the interest of efficiency of course, and all with weasel clauses, double speak and outright lies.
Does anyone remember when George W stated he never used email or electronic means for decision note taking. What he as dumb as he looked or very astute? I for one am feeling a need to return to pen and paper for ultra-private matters and local business dealings where its possible.....
What we need is something spanning Europe. Surely theres a demand for this now, if not for personal use for the masses then there are a lot of companies out there interested.
I think at this point the current protocols used for communication are obviously insecure almost as if by design. Whomever comes up with a secure easy method for communication stands to make an awful lot of money. All the recent NSA press attention will hopefully spur someone and we may see something fit for 21st century use.
It's useless. The proposed German system would also turn over the unencrypted data to the authorities. This may mean the NSA would not snoop on you (or have to work harder at it, i.e. by asking the German government nicely), but our own "democratic" governments would still be able to do so...
I'll get my coat with the GPG man page printout now...
"DT will have to obey each and every NSA request otherwise T-Mobile will find life very hard in the USA."
On the contrary, reportedly T-Mobile (due to being part-owned by Duetsche Telekom) and Verizon Wireless (part owned by Vodafone) were exempt from certain of the NSA's illegal spying programs that AT&T Wireless and Sprint gleefully participated in, because they (the NSA) figured DT and Vodafone would feel free to leak about these illegal programs (and indeed, under European privacy laws may have been compelled to reveal their knowledge of them). AT&T and Sprint on the other hand stayed mute.
No matter how effectively a message is encrypted, it can be intercepted and saved indefinitely in its encrypted form and then decoded at leisure. And with the computing power available to the three-letter agencies "at leisure" isn't very long at all in the scheme of things.
Better security would be achieved by breaking the encrypted file into pieces and routing each piece separately through a different random path each time, interspersed with rubbish pieces to further obfuscate the real ones. This way, no one system can capture the entire message and piece it back together. The internet is already set up to operate on this basic principle; all that's needed is software to ensure that no two packets go by the same route.
The weak point in this system would of course be the sender's and receiver's ISPs; of necessity, both ISPs would have every piece pass through them. A possible workaround would be an open network of interconnected wireless routers, linked between neighbouring homes and offices. This way, part of my message could go through my ISP, part through my neighbour's ISP, part through the guy down the road's ISP. The recipient could receive the message the same way. This way, even if all of us were on the same ISP (as in some areas where one big company has a monopoly), the ISP sees packets from multiple customers and has no way to tie any group of packets back together into a single file.
At present, this is conjecture, as in my area people aren't yet amenable to interconnecting their wireless routers, but I've heard of districts where this is being done already, and as governments and companies continue to encroach on our freedoms, I'm sure people will in time come to see the necessity of doing this.
and have been told quite rightly we are not included in their constitution(for what that's worth these days), then at least by using European services we can.
1. Financial give a little poke in the eye to the US
2. At least have a legal framework of some description that we are covered by and some is better than none
"Other than having to obey any (s*cret) laws the German govt decides."
Germany is far from a perfect democracy but it is not the US of A. If Police or intelligence services misbehave then they also violate German laws as well. That this usually doesn't lead to serious consequences for those involved is another topic though. There are no s*cret laws or s*cret courts, and considering Germany's history and the fact that a large part of the population has lived in an environment of s*crecy and lack of privacy, there is no way that a similar system could be established.
">Which has no links whatsoever with the US Government.
Other than being USA's 2nd special little friend."
Not really. The USA's 'special' little friends are Israel, the UK, NZ and Australia. Germany is certainly cooperative in many areas, but it should not be forgotten that after the war certain cooperation requirements (especially in intelligence) have been forced down it's throat.
I'm glad to see a backlash against the NSA's actions - despite what you think of Deutsche. But I will never trust the NSA or underestimate their ability to 'persuade' any organisation in the world to give them what they want. So, best cut out the intermediate organisations as far as possible.
see https://gnunet.org
It's impossible to make everything totally secure, but anything would be better than the leaky sieve it is now.
If the upshot of the NSA scandal is that more people PGP encrypt their emails and use https whenever they can, then at least something good has come out of it. I hope new services appear on the back of this. 'EU Secure DropBox', more ISPs offering VPN opt-in etc.
Most people really don't have much to hide, but that's no reason why we can't all make it just a little bit harder for authorities to find that out.