In the wake of the mass NSA surveillance scandal sparked by whistleblower Edward Snowden, all sorts of hackers, academics, startups, and major corporations are working to build tools that let us more easily secure our email messages and other online communications.
Dozens of projects have emerged in recent months, ranging from the email client Mailpile to the offline messaging app Briar to the Skype replacement Tox. But although many succeed in streamlining the traditionally onerous task of encrypting personal communications, they all come with one caveat: They depend on both the sender and the recipient adopting the same technology to exchange messages.
Now, a German company called Open-Xchange wants to change this using a tool it calls OX Guard, a new addition to the company’s existing open source email server, software that individuals and businesses can use to operate their own email services. Using OX Guard, you can send an encrypted email to anyone—even if they don’t use Open-Xchange.
Open-Xchange offers an alternative to cloud-based communication and collaboration suites like Microsoft’s Office 365 and Google Apps for Work (formerly known as Google Apps). In addition to an email server, Open-Xchange provides a Dropbox alternative called OX Drive, for sharing files online, and a Google-Docs-style office suite called OX Docs. This software is mostly used by businesses, but because it’s free and open source, anyone can install a copy on their own computer server.
How It All Works
With OX Guard, people using the same Open-Xchange email server will be able to easily send each other encrypted email with the check of a box, without having to install new software. All encryption keys are created, stored, and managed on the server. In some cases, this approach can be insecure. If you’re tapping into a server run by an outside company, it’s always possible for the company to install backdoors for the government, or for a rogue employee to modify the software’s code to capture a user’s passwords. But with the open source Open-Xchange, you can take control of your email server, ensuring that it’s run by someone you trust.
The server software can be hosted anywhere—on your own machine, by a friend, or by one of the company’s OX Guard partners. And because it’s open source, the code can be inspected for backdoors or bugs that could expose data to the outside world. “Users can decide who they trust,” says CEO Rafael Laguna. “If they trust no one, they can run it themselves.”
But you can also send an encrypted message to someone who isn’t using OX Guard or a compatible encryption system. This kind of message gets stored in an encrypted state on your Open-Xchange server. The recipient is then sent two messages: one with a web address for accessing the message, and a separate message containing a one-time password for logging to the appropriate Open-Xchange server. After logging in, the person must change the password. That way, if both the URL and the password are intercepted and a hacker reads the message, the intended recipient will know that the password has been changed and that the message has been compromised.
This idea isn’t unique to OX Guard. It’s also used by companies like Tutanota, as well as by banks to communicate securely with customers. But it does offer an intriguing alternative to existing encryption apps.
‘Pretty Good Safety’
OX Guard uses the same encryption algorithms as PGP, short for Pretty Good Privacy, a venerable standard for protecting email. But it uses a custom implementation of the software to make it possible to protect each message sent with a different key. That means that if someone is able to decrypt a single message, they won’t be able to use that knowledge to decrypt other messages sent to the same person.
The downside, Laguna says, is that it means that users won’t be able to send messages through OX Guard using traditional PGP keys. That makes the web-based login system all the more important.
Of course, this isn’t a solution for everyone. You need to either manage your own email server, or have someone you trust do so. It’s also in early stages, and it will take time for the security community to evaluate this newcomer. Laguna admits that the system isn’t perfect. But he says it’s an important step forward for Open-Xchange users who aren’t using any sort of encryption at all.
“It’s like driving without a seat belt or airbags, because they’re too complicated,” he says. “So we decided by starting with just seat belts, because they provide pretty good safety.”
No comments:
Post a Comment