Published by Tracy Atkinson. Modified over 7 years ago.
1
SmallMail, protect your email from nosey Big Brothers
Peter Roozemaal
http://www.smallsister.org/
2
The Plan (for today)
- LANG=en_NL
- Quick introduction
- Goals for SmallMail (Why hide communication)
- SmallMail implementation
- Demo
- Limitations in SmallMail's approach (quick)
- Conclusion and Q&A
3
Introduction
- Smallsister
  - Group of concerned citizens (Dutch, others are welcome)
  - Provide information on computer and online privacy
  - Some politics
  - Fill some of the holes in available privacy solutions
- The speaker
  - A developer on an interesting project
4
The state of online privacy
- USA warrantless wiretaps
- The EU asks all ISPs and Telcos to collect and keep communication data
- Advertisement agencies like to track your browsing
- RIAA and MPAA want your ISP to track downloads
- Leaks of entire databases
- Criminal hacking (trojaning) of PCs
6
Where can we change the world?
- Choose achievable goals
- Pick something that fits your capabilities
- Don't reinvent wheels
- Our target: EU Data Retention Directive
- Hide (email) communication from third parties
7
Privacy in Communication
There are legitimate reasons for people to communicate without being tracked:
- Whistleblowers
- Political dissidents
- And even Intelligence agencies
8
SmallMail Design Goals
- Weak Anonymity
  - Parties in communication can (optionally) reveal true identities
- Strong Privacy
  - Keep content of communication secret from third parties
  - Hide the existence of communication as far as feasible
- KISS
9
Making email private
- Client – Server model
- Drop SMTP
- Use Tor to hide communication origin from traffic analysis
- Encourage non-ISP servers
- Anonymous mailbox creation is possible
- Use encryption to hide message content
10
Unsolvable?
An anonymous messaging system is a spammer's paradise
11
Introducing Tor
12
Tor as proxy
13
Tor hidden service (1)
14
Tor hidden service (2)
15
Tor hidden service (3)
16
Tor hidden service (4)
17
Tor hidden service (5)
18
The SmallMail Server
- Tor Hidden Service
- Use SSL/TLS for additional end-to-end encryption
- Will do TLS authentication in next protocol version
- Simple protocol
- Allow for anonymous mailbox creation
- No message forwarding: the Internet is connected
- No interpretation of messages
19
Please, Can you run a server for me?
20
The client
- Graphical client in wxPython
- Current version is 0.2.1
- Developed on Linux
- Looking for Windows and OSX porters
- Useful beta, expect monthly updates
- Goal: My/your mother can use it
- http://smallsister.org/downloads/
21
DEMO
23
User visible Peculiarities
- Some common email habits are bad (for privacy)
- Enforcing encryption
- Key management
- Presentation of message lists
- Message "sent" time is unknown
- Open Issue: How to handle CC's
24
Client Implementation
- Use GnuPG for encryption and key management
- Messages are stored encrypted
- Contact information is not
- Connect via Tor (SOCKS4a or SOCKS5)
- Hidden servers are in the .onion domain
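Added example, not taken from the SmallMail source: how a client can build SOCKS4a and SOCKS5 CONNECT requests that carry the server name itself, so Tor resolves the .onion address and no local DNS lookup reveals it. The host name and port below are constructed placeholders.

```python
import ipaddress
import struct

SAMPLE_HOST = "example.onion"   # constructed placeholder, not a real service
SAMPLE_PORT = 443               # constructed placeholder port

def _hostname_bytes(host: str) -> bytes:
    """Return the name as bytes; refuse IP literals so nothing was pre-resolved."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                    # not an IP literal: this is what we want
    else:
        raise ValueError("pass a hostname, not an IP literal")
    raw = host.encode("ascii")
    if not 0 < len(raw) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return raw

def socks4a_connect(host: str, port: int, user: bytes = b"") -> bytes:
    # VN=4, CD=1 (CONNECT), port, then the deliberately invalid address
    # 0.0.0.1, which tells a SOCKS4a proxy that a hostname follows the user id.
    name = _hostname_bytes(host)
    head = struct.pack(">BBH4s", 4, 1, port, bytes([0, 0, 0, 1]))
    return head + user + b"\x00" + name + b"\x00"

def socks5_greeting() -> bytes:
    # Version 5, one method offered: 0x00 (no authentication).
    return b"\x05\x01\x00"

def socks5_connect(host: str, port: int) -> bytes:
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain name),
    # one length byte, the name, then the port in network byte order.
    name = _hostname_bytes(host)
    return struct.pack(">BBBBB", 5, 1, 0, 3, len(name)) + name + struct.pack(">H", port)

def granted(version: int, reply: bytes) -> bool:
    """True when the proxy's reply reports that the connection was opened."""
    if version == 4:
        return len(reply) == 8 and reply[0] == 0 and reply[1] == 0x5A
    return len(reply) >= 2 and reply[0] == 5 and reply[1] == 0

if __name__ == "__main__":
    print(socks4a_connect(SAMPLE_HOST, SAMPLE_PORT).hex())
    print(socks5_connect(SAMPLE_HOST, SAMPLE_PORT).hex())
```

Plain SOCKS4 has no field for a name, so a client limited to it would have to resolve the host itself, which cannot work for .onion names and leaks the lookup for ordinary ones.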
25
We tried to make it safe
But did we succeed?
26
SmallMail attacks
- Tor attacks
- Traffic correlation attack
27
Tor hidden service
31
SmallMail attacks
- Tor attacks
- Traffic correlation attack
- Correlation attacks by server operator
  ➔ Advice: use mailboxes on different servers
- Message insertion attacks
- Significantly more work than "Hand me the data"
- And less reliable results
35
Client attacks
- Messages are encrypted
- Fix: decryption keys are not protected by a passphrase
- Mailbox name, message ID, size and date leak some information
- Fix: Encrypt addressbook
- But what about the GnuPG keyring?
- Little defence against runtime and memory attacks
36
Conclusions
- We can evade government email surveillance
- It's so easy I expect terrorists already have the tools
- Private email requires unlearning of some habits
- Tracking SmallMail communication may be possible, but is much harder than SMTP
38
Closing words
- Thanks to NLnet foundation
- Try our software (GPLv3 or later)
- Improve it and its documentation
- Help to keep the world a safe and sane place
- Help to protect your and our privacy
- Your questions
39
URLs
- Website: http://smallsister.org/
- Download: http://smallsister.org/download/
- Old releases: http://smallsister.org/files/
- Git repository: http://old.smallsister.org/git/SmallMail.git
- Bugzilla: https://dewinter.com/cgi-bin/bugzilla/
- Email Peter: smallmail@xs4all.nl
- B056A00376113324@cemwana5zuid4oq5.onion