Tutanota releases iOS encrypted email app after notifying NSA

The German encrypted email service Tutanota has released its iOS app, weeks after its Android app came out. The delay in the release of the iOS app was apparently due to the need for those publishing open-source apps of this kind to first notify the NSA and the U.S. Commerce Department of their existence — it seems Apple is more strict about making sure this measure has been taken.

Tutanota, already available as a free webmail service and paid-for Outlook plugin, uses encryption based on open-source implementations of algorithms using 128-bit AES and 2048-bit RSA, though PGP compatibility should also be introduced somewhere down the line.

It automatically encrypts and decrypts the emails that users send to other Tutanota users. If a Tutanota user sends an email to someone not using the system, it can also be sent encrypted (the email is encrypted in the sender’s client and she has the only key) but the password will need to be shared with the recipient via phone, in person or using some other method. Unencrypted emails sent to a Tutanota user are also encrypted with the recipient’s public key once they reach the company’s German servers.
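The password-based path to outside recipients can be sketched as follows. This is an added example, not Tutanota's code: the scrypt key derivation, the GCM mode, the envelope fields and the function names are assumptions chosen for illustration; only the 128-bit AES key size comes from the article.

```javascript
const nodeCrypto = require('node:crypto');

const KEY_LEN = 16; // 128-bit AES key, the key size the article mentions

// Assumption: scrypt turns the shared password into the AES key.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, KEY_LEN);
}

// Sender side: runs in the sender's client, so the mail server only ever
// stores the envelope and never sees the password or the plaintext.
function encryptForExternal(password, plaintext) {
  const salt = nodeCrypto.randomBytes(16); // fresh per message
  const iv = nodeCrypto.randomBytes(12);   // GCM nonce, never reused per key
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    body: body.toString('base64'),
  };
}

// Recipient side: returns the plaintext, or null when the password is wrong
// or the envelope was modified in transit (the GCM tag check fails).
function decryptFromSender(password, envelope) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, b(envelope.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-128-gcm', key, b(envelope.iv));
  decipher.setAuthTag(b(envelope.tag));
  try {
    return Buffer.concat([decipher.update(b(envelope.body)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}
```

The security of the message rests entirely on the password and on the channel used to share it, which is why the article's later point about exchanging passwords in person matters.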

Currently, the downside is that users have to use a “tutanota.de” email address, which isn’t necessarily an attractive option for everyone, but company founder Matthias Pfau told me the firm will soon add other domain options. Those wanting to use their own domains will also get to do so at some point, but that will be a paid-for premium feature.

Pfau said the iOS and Android apps had been submitted to their respective app stores at the same time, but Apple requires suppliers of open-source security software using cryptographic functions with asymmetric algorithms to — as U.S. export regulations dictate — notify the Commerce Department’s Bureau of Industry and Security (BIS) and the NSA’s ENC Encryption Request Coordinator of what they’re putting out there. This seems to be about notification only, rather than seeking approval from these agencies as such.

I wasn’t previously aware of this requirement, but here’s what the rules say (PDF) about “publicly available encryption source code”:

You must notify BIS and the ENC Encryption Request Coordinator via e-mail of the Internet location (e.g., URL or Internet address) of the publicly available encryption source code or provide each of them a copy of the publicly available encryption source code. If you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. In addition, if you posted the source code on the Internet, you must notify BIS and the ENC Encryption Request Coordinator each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location.

Anyhow, should you use Tutanota? Well, the fact that you need a special email address is in itself a limiting factor: chances are people know your existing email address and will default to using that. There are several encryption systems out there that rely on pre-shared passwords (such as OX Guard) and, while they do avoid the difficulties of dealing with the PGP key system, unless you can exchange passwords in person you’re arguably less secure than if you were using PGP – it really depends on whether you’re under heavy targeted surveillance.

In theory, you don’t need to trust Tutanota to use its system, as you would hold your key (and the company wouldn’t be able to remind you of it if you lose it). The company has had a security scare in the past, with a researcher finding a cross-site scripting vulnerability, but that flaw was patched up and Tutanota subsequently went open-source and published its code. That means it can be freely audited, though it doesn’t necessarily mean that it has been thoroughly audited. Pfau told me a couple bugs had been flagged this way, but they had nothing to do with the service’s security.

Google’s alpha-stage email encryption plugin lands on GitHub

Google has updated its experimental End-to-End email encryption plugin for Chrome and moved the project to GitHub. The firm said in a Tuesday blog post that it had “always believed strongly that End-To-End must be an open source project.” The alpha-stage, OpenPGP-based extension now includes the first contributions from Yahoo’s chief security officer, Alex Stamos. Google will also make its new crypto library available to several other projects that have expressed interest. However, product manager Stephan Somogyi said the plugin still wasn’t ready for the Chrome Web Store, and won’t be widely released until Google is happy with the usability of its key distribution and management mechanisms.

Pro tip: If you use cloud storage, bring your own security

If you weren’t already worried about the security of your company’s internal memos and other documents, the recent Sony hack probably fixed that (and reinforced the message that if you don’t want egg on your face, you shouldn’t write embarrassing emails).

Here’s the thing: Security is hard, and as we’ve heard over and over, it requires a mix of technologies from different providers, constant vigilance and good end-user practices to safeguard a company’s crown jewels.

Thanks to widely publicized breaches at Target, Home Depot and — yes — Sony, companies are reconsidering their security practices, according to a new research note from Nomura Securities analyst Frederick Grieb. That means more budget will flow to security next year and also that top-notch Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) with expertise in both relevant technologies and their company’s business and regulatory requirements are in short supply.

Lesson: Add your own security

In that vein, the director of security for a Fortune 100 healthcare provider recently told me that keeping company data and documents secure requires that companies layer additional security atop whatever cloud storage and file share service is used. These storage vendors may have good marketing statements, but when you drill down, not very good security stories, he said.

Speaking on the condition that neither his nor his company’s name be disclosed, he said the issue for a highly regulated company like his is to ensure that a document — whether it’s a PDF file of a doctor’s report or a digital X-ray of a broken arm — is protected not only at both ends (“at rest”) but also in transit (“in motion”).

That’s because the basic problem of the internet is that traffic goes through any number of third parties. “You don’t know and you can’t trust that your file is private — it’s like sending a postcard in the mail — anyone can read it,” he noted.

To address this, his company is deploying fan-favorite Dropbox but is also using a third-party product, nCrypted Cloud, to encrypt files before they’re sent, which leaves the encryption keys in the hands of the customer. The cloud storage provider, whether it’s Dropbox or Box or Google Drive or Microsoft OneDrive, does not hold those keys and cannot access the files or disclose them to third parties. (Neither does nCrypted Cloud, which competes with WatchDox and Sookasa, for that matter.)

He’s also trying out a new nCrypted Cloud product, Infinite Mail, that strips out attachments embedded in messages, and replaces them with secure links that the intended recipient can open as set up by an IT administrator. It supports popular Microsoft and Google email products.

If the problem of secure mail can be solved, this security exec sees possibly huge perks down the road. Currently, the cost of printing and mailing reports and benefits documentation is humongous — it can cost a company like his up to $100 million a year. If there is a way to guarantee secure digital delivery of such documents to the right end users, the cost savings could be huge.

If email is dead, why so many new email products?

For years we’ve been hearing that email is circling the drain. Too much noise. Too much spam. Too distracting. Young people text. Blah blah blah. Given all that, many of us (ahem) still spend a ton of time on email — at least at work.

Facebook says more email providers are now using extension that encrypts emails

Facebook announced Tuesday that 95 percent of the notification emails it sends out are now being encrypted using STARTTLS — the extension used to encrypt insecure network connections between mail providers. Facebook singled out Microsoft and Yahoo as being major email providers who have since backed the extension, which requires compliance from both the email clients that send emails and those that receive them. Back in May, Facebook released a study on whether or not mail providers were using the extension and found that only 28.6 percent of the company’s outbound notification emails were being encrypted, meaning not very many services were correctly using STARTTLS.
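Why STARTTLS needs both sides to cooperate can be seen by classifying delivery transcripts. The following is an added example, not Facebook's measurement code; the transcripts, host names and category labels are constructed for illustration.

```javascript
// Constructed SMTP transcripts, as a sending server's own log would record
// them. "C:" is the sending server, "S:" the receiving server.
const GREETING = ['S: 220 mx.example.net ESMTP', 'C: EHLO out.example.org'];
const SESSIONS = {
  bothComply: [...GREETING,
    'S: 250-mx.example.net', 'S: 250-SIZE 35882577', 'S: 250 STARTTLS',
    'C: STARTTLS', 'S: 220 2.0.0 Ready to start TLS',
    'C: EHLO out.example.org', 'S: 250 mx.example.net',
    'C: MAIL FROM:<notify@example.org>'],
  receiverLacksIt: [...GREETING,
    'S: 250-mx.example.net', 'S: 250 SIZE 35882577',
    'C: MAIL FROM:<notify@example.org>'],
  senderSkipsIt: [...GREETING,
    'S: 250-mx.example.net', 'S: 250 STARTTLS',
    'C: MAIL FROM:<notify@example.org>'],
  upgradeRefused: [...GREETING,
    'S: 250 STARTTLS', 'C: STARTTLS', 'S: 454 4.7.0 TLS not available',
    'C: MAIL FROM:<notify@example.org>'],
};

// Classify a session by the connection state when the client issues MAIL FROM.
function classify(lines) {
  let advertised = false, awaitingReply = false, refused = false, tls = false;
  for (const line of lines) {
    const side = line[0], text = line.slice(3);
    if (side === 'S' && awaitingReply) {
      tls = text.startsWith('220');      // 220 = proceed with the TLS handshake
      refused = !tls;
      awaitingReply = false;
    } else if (side === 'S' && /^250[- ]STARTTLS\s*$/i.test(text)) {
      advertised = true;                 // capability line in the EHLO reply
    } else if (side === 'C' && /^STARTTLS\s*$/i.test(text)) {
      awaitingReply = true;
    } else if (side === 'C' && /^MAIL FROM:/i.test(text)) {
      if (tls) return 'encrypted';
      if (refused) return 'upgrade-refused';
      return advertised ? 'sender-did-not-upgrade' : 'receiver-lacks-starttls';
    }
  }
  return 'no-mail-sent';
}

// Share of sessions whose mail transaction ran inside TLS.
function encryptedShare(sessions) {
  const results = Object.values(sessions).map(classify);
  return results.filter((r) => r === 'encrypted').length / results.length;
}
```

Only the session where the receiver advertises the extension and the sender acts on it ends up encrypted; every other combination falls back to plaintext delivery.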