Sunday, February 22, 2015

Virtru email encryption does not protect your emails

The security firm Virtru, co-founded by ex-NSA employee Will Ackerly, recently launched free email encryption for the major webmail providers with plugins for Chrome and Firefox. Native apps for Android and iOS are available, as is a plugin for Microsoft Outlook.

There is a paid version as well, which allows further control over your emails, like recalling/revoking access to sent messages, control over forwarding, and email expiration.

The promises

Virtru uses strong client-side encryption of emails and attachments. The plugins and apps are really easy to use - there's no hassle with creating and exchanging encryption keys (my alarm bells are starting to ring).
The recipients can even access the encrypted information without installing any software, which is really helpful for adoption.
Basically Virtru promises that, by using their software, you can keep your private information private.

The problem

In order to make Virtru easy to use, they have chosen not to implement a full public/private key solution, where the private key is kept by the sender. Instead, the recipient simply authenticates himself or herself by receiving an "activation email". And this is the key problem!
If you encrypt your email, it is because you don't want anyone to read your email. Then it doesn't help that the key to accessing this information is the ability to read the very emails you are trying to protect.

Or put in other words: if another party has access to the recipient's mail, he can easily get both the encrypted information and the key to unlock it.

Virtru works this way:
If Alice sends an email to Bob, Bob will receive an encrypted message and a link to a web-based "Secure Reader", which he can use if he doesn't have the Virtru software installed.
When this link is followed, Bob can type in his email address and ask for a confirmation mail with an activation link, which is used to prove that he owns this address.
But if Evil Charlie has access to Bob's mailbox, or is in a position to capture Bob's emails in transit, there is nothing that prevents Charlie from using the first link, keying in Bob's email address, then snatching the email with the activation link and using that to validate himself and decrypt the message.

If Charlie only has access to read Bob's emails, he can't delete the activation email, and Bob would suspect foul play when he receives an already-used activation link. But if Charlie has full access to Bob's mailbox, or is capable of intercepting and deleting the activation email, Bob would never suspect anything.

In any case, Alice would be in the dark.
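As an added illustration (not Virtru's code, and not a description of their real key server), here is a toy model in Python of the flow above, placed next to a design in which the recipient's key never travels through the mailbox. The KeyService class, the mailbox-as-list layout and the HMAC-based toy cipher are assumptions of the model; the cipher only stands in for the real AES. It shows that in the activation-email design the ability to read the mailbox is sufficient to recover the plaintext, whereas with an out-of-band recipient key the mailbox yields only ciphertext and a wrapped key.

```python
import hashlib
import hmac
import secrets

# ---- toy authenticated encryption: HMAC-SHA256 keystream XOR plus HMAC tag ----
# Illustration only (constructed for this example); it stands in for real AES.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_box(key: bytes, box: dict):
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    expected = hmac.new(key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(box["ct"], _keystream(key, box["nonce"], len(box["ct"]))))


def new_key() -> bytes:
    return secrets.token_bytes(32)


# ---- design A: proof of address ownership by activation mail -------------------
class KeyService:
    """Hypothetical stand-in for a vendor key server; not Virtru's real API."""

    def __init__(self):
        self.keys = {}      # policy id -> content key
        self.tokens = set()  # activation tokens that have been mailed out

    def store(self, key: bytes) -> str:
        policy_id = secrets.token_hex(8)
        self.keys[policy_id] = key
        return policy_id

    def send_activation(self, address: str, mailbox: list) -> None:
        # The proof of ownership lands in the same mailbox that holds the ciphertext.
        token = secrets.token_hex(16)
        self.tokens.add(token)
        mailbox.append({"kind": "activation", "to": address, "token": token})

    def fetch_key(self, policy_id: str, token: str):
        return self.keys.get(policy_id) if token in self.tokens else None


def send_via_activation(service: KeyService, mailbox: list, to: str, plaintext: bytes) -> None:
    key = new_key()
    msg = seal(key, plaintext)
    msg.update(kind="message", to=to, policy=service.store(key))
    mailbox.append(msg)


def read_with_mailbox_access(service: KeyService, mailbox: list, address: str):
    """Whoever can read the mailbox (Bob, or anyone else who can) runs the published flow."""
    msg = next(m for m in mailbox if m["kind"] == "message")
    service.send_activation(address, mailbox)
    token = next(m for m in mailbox if m["kind"] == "activation")["token"]
    key = service.fetch_key(msg["policy"], token)
    return None if key is None else open_box(key, msg)


# ---- design B: recipient key established out of band ---------------------------
def send_via_recipient_key(mailbox: list, to: str, recipient_key: bytes, plaintext: bytes) -> None:
    key = new_key()
    msg = seal(key, plaintext)
    # The content key travels wrapped under a key the mailbox never carried.
    msg.update(kind="message", to=to, wrapped_key=seal(recipient_key, key))
    mailbox.append(msg)


def read_with_key(mailbox: list, candidate_key: bytes):
    msg = next(m for m in mailbox if m["kind"] == "message")
    key = open_box(candidate_key, msg["wrapped_key"])
    return None if key is None else open_box(key, msg)
```

In the first design `read_with_mailbox_access` returns the plaintext given nothing more than the ability to read the mailbox and request an activation mail; in the second, `read_with_key` returns `None` for anyone who does not hold the recipient's out-of-band key, however much of the mailbox they can read.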

Virtru's solution

I've confronted Virtru with the problem. Their suggestion is to secure your mailbox with 2-factor authentication.

Yubico Yubikey Neo
2-factor ID is a great idea - and it really helps protect access to your mailbox in general. Highly recommended! I use a Yubikey Neo from Yubico to secure my Google and LastPass accounts.
But it doesn't help if the emails are captured en route to the mailbox, or if someone has compromised the mail server hosting the mailbox.

So 2-factor will help protect your emails - whether they are encrypted or not. But if someone has managed to get around that fence, Virtru will not give you any additional protection.

No separation of keys and data

Virtru handles the encryption keys, but writes on its web page that you get an extra level of privacy because the data itself is stored by your email provider.

If we take a closer look at the transmitted email, we'll, as promised, find the encrypted data inside the mail message:
--- START PROTECTED MESSAGE TDF 0 ---
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pgo=
8dGRmOlRydXN0ZWREYXRhT2JqZWN0IHhtbG5zOnRkZj0ndXJuOnZpcnRydTp0ZGYnIHhtbG5zOn=
hzaT0naHR0cDomI3gyRjsmI3gyRjt3d3cudzMub3JnJiN4MkY7MjAwMSYjeDJGO1hNTFNjaGVtY=
S1pbnN0YW5jZScgeHNpOnNjaGVtYUxvY2F0aW9uPSd1cm46dXM6Z292OmljOnRkZiBodHRwczom=
I3gyRjsmI3gyRjthY20udmlydHJ1LmNvbSYjeDJGO3RkZi1jb3JlLnhzZCcgdGRmOnZlcnNpb24=
9JzEuMScgdGRmOmlkZW50aWZpZXI9Jzk4YWEyZTU5LWQ3NDgtNDIyNy1iZDEyLTE3NmY5NjMyZG=
JmNSc+PHRkZjpFbmNyeXB0aW9uSW5mb3JtYXRpb24+PHRkZjpLZXlBY2Nlc3M+PHRkZjpSZW1vd=
GVTdG9yZWRLZXkgdGRmOnVyaT0naHR0cHM6JiN4MkY7JiN4MkY7YWNtLnZpcnRydS5jb20mI3gy=
RjthcGkmI3gyRjtwb2xpY2llcyYjeDJGOzNmMTk1NjgxLTRkYTMtNDI3Ni1hNWUyLTM2MmJiZTY=
1YjkzOCYjeDJGO2NvbnRyYWN0JyB0ZGY6cHJvdG9jb2w9J3ZpcnRydS1wcm90b2NvbCcvPjwvdG=
RmOktleUFjY2Vzcz48dGRmOkVuY3J5cHRpb25NZXRob2QgdGRmOmFsZ29yaXRobT0naHR0cDomI=
3gyRjsmI3gyRjt3d3cudzMub3JnJiN4MkY7MjAwMSYjeDJGOzA0JiN4MkY7eG1sZW5jI2FlczI1=
Ni1jYmMnPjx0ZGY6SVY+d3UyNXF0YlVXQlcwSzVRZnNVeU8zUT09PC90ZGY6SVY+PC90ZGY6RW5=
jcnlwdGlvbk1ldGhvZD48L3RkZjpFbmNyeXB0aW9uSW5mb3JtYXRpb24+PHRkZjpCYXNlNjRCaW=
5hcnlQYXlsb2FkIHRkZjplbmNyeXB0ZWQ9J3RydWUnPjM2R0NEeGo3NVFaaUNCTUQyVEZpRW9xV=
Fk0MXRuTG5UUCthUVp1ZUJrRkZ6MXN6dXRFM3UwZWVWS3BLN1NhYUtlalhTYWlvNk5nNmc2UGRn=
TWY3bzd0T2ZYRWN4M1l3aWgzTSYjeDJGO2RwS1FEd0VINjNZMzRoS1RvTSYjeDJGO2tDem9DQ1l=
BVVNYd3U0UkNBYW5yM3lSakNaSTlIcHc9PTwvdGRmOkJhc2U2NEJpbmFyeVBheWxvYWQ+PC90ZG=
Y6VHJ1c3RlZERhdGFPYmplY3Q+
--- END PROTECTED MESSAGE ---
But if we use the web-based reader via the two links, we get access to the exact same data (including any attached files), meaning Virtru must ALSO keep the data accessible online somewhere.
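The protected-message body above is quoted-printable text wrapping a base64-encoded XML document. The following script, added here and not Virtru's code, decodes that body and reports what the mail actually carries: the AES-256-CBC ciphertext and its IV are in the message, while the key appears only as a URL pointing at the vendor's key server. The only input is the body as shown above, embedded verbatim; the element and attribute names are the ones found in the decoded XML, and nothing is fetched from the network.

```python
import base64
import quopri
import re
import xml.etree.ElementTree as ET

# The protected-message body as it appears in the mail source above. It is
# quoted-printable: the "=" at the end of each line is a soft line break.
RAW_BODY = """--- START PROTECTED MESSAGE TDF 0 ---
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pgo=
8dGRmOlRydXN0ZWREYXRhT2JqZWN0IHhtbG5zOnRkZj0ndXJuOnZpcnRydTp0ZGYnIHhtbG5zOn=
hzaT0naHR0cDomI3gyRjsmI3gyRjt3d3cudzMub3JnJiN4MkY7MjAwMSYjeDJGO1hNTFNjaGVtY=
S1pbnN0YW5jZScgeHNpOnNjaGVtYUxvY2F0aW9uPSd1cm46dXM6Z292OmljOnRkZiBodHRwczom=
I3gyRjsmI3gyRjthY20udmlydHJ1LmNvbSYjeDJGO3RkZi1jb3JlLnhzZCcgdGRmOnZlcnNpb24=
9JzEuMScgdGRmOmlkZW50aWZpZXI9Jzk4YWEyZTU5LWQ3NDgtNDIyNy1iZDEyLTE3NmY5NjMyZG=
JmNSc+PHRkZjpFbmNyeXB0aW9uSW5mb3JtYXRpb24+PHRkZjpLZXlBY2Nlc3M+PHRkZjpSZW1vd=
GVTdG9yZWRLZXkgdGRmOnVyaT0naHR0cHM6JiN4MkY7JiN4MkY7YWNtLnZpcnRydS5jb20mI3gy=
RjthcGkmI3gyRjtwb2xpY2llcyYjeDJGOzNmMTk1NjgxLTRkYTMtNDI3Ni1hNWUyLTM2MmJiZTY=
1YjkzOCYjeDJGO2NvbnRyYWN0JyB0ZGY6cHJvdG9jb2w9J3ZpcnRydS1wcm90b2NvbCcvPjwvdG=
RmOktleUFjY2Vzcz48dGRmOkVuY3J5cHRpb25NZXRob2QgdGRmOmFsZ29yaXRobT0naHR0cDomI=
3gyRjsmI3gyRjt3d3cudzMub3JnJiN4MkY7MjAwMSYjeDJGOzA0JiN4MkY7eG1sZW5jI2FlczI1=
Ni1jYmMnPjx0ZGY6SVY+d3UyNXF0YlVXQlcwSzVRZnNVeU8zUT09PC90ZGY6SVY+PC90ZGY6RW5=
jcnlwdGlvbk1ldGhvZD48L3RkZjpFbmNyeXB0aW9uSW5mb3JtYXRpb24+PHRkZjpCYXNlNjRCaW=
5hcnlQYXlsb2FkIHRkZjplbmNyeXB0ZWQ9J3RydWUnPjM2R0NEeGo3NVFaaUNCTUQyVEZpRW9xV=
Fk0MXRuTG5UUCthUVp1ZUJrRkZ6MXN6dXRFM3UwZWVWS3BLN1NhYUtlalhTYWlvNk5nNmc2UGRn=
TWY3bzd0T2ZYRWN4M1l3aWgzTSYjeDJGO2RwS1FEd0VINjNZMzRoS1RvTSYjeDJGO2tDem9DQ1l=
BVVNYd3U0UkNBYW5yM3lSakNaSTlIcHc9PTwvdGRmOkJhc2U2NEJpbmFyeVBheWxvYWQ+PC90ZG=
Y6VHJ1c3RlZERhdGFPYmplY3Q+
--- END PROTECTED MESSAGE ---
"""

TDF = "urn:virtru:tdf"  # namespace declared in the decoded XML
NS = {"tdf": TDF}


def extract_tdf_xml(body: str) -> bytes:
    """Cut the payload out of the markers, undo quoted-printable, then base64."""
    m = re.search(r"--- START PROTECTED MESSAGE[^\n]*\n(.*?)--- END PROTECTED MESSAGE ---",
                  body, re.S)
    if m is None:
        raise ValueError("no protected message markers found")
    qp_decoded = quopri.decodestring(m.group(1).encode("ascii"))  # joins the soft breaks
    return base64.b64decode(qp_decoded.strip(), validate=True)


def describe_tdf(body: str) -> dict:
    """Summarise where the ciphertext, the IV and the key live in the message."""
    root = ET.fromstring(extract_tdf_xml(body))
    info = root.find("tdf:EncryptionInformation", NS)
    key_access = info.find("tdf:KeyAccess", NS)
    remote_key = key_access.find("tdf:RemoteStoredKey", NS)
    method = info.find("tdf:EncryptionMethod", NS)
    iv = base64.b64decode(method.find("tdf:IV", NS).text)
    ciphertext = base64.b64decode(root.find("tdf:Base64BinaryPayload", NS).text)
    return {
        "identifier": root.get(f"{{{TDF}}}identifier"),
        "algorithm": method.get(f"{{{TDF}}}algorithm"),
        "iv_len": len(iv),
        "ciphertext_len": len(ciphertext),
        "block_aligned": len(ciphertext) % 16 == 0,  # consistent with AES-CBC
        # No key material in the mail: only a URL on the vendor's key server.
        "key_uri": remote_key.get(f"{{{TDF}}}uri"),
        "key_protocol": remote_key.get(f"{{{TDF}}}protocol"),
        "key_elements": [child.tag.split("}")[1] for child in key_access],
    }


if __name__ == "__main__":
    for name, value in describe_tdf(RAW_BODY).items():
        print(f"{name:15} {value}")
```

Running it shows a 16-byte IV and a 112-byte ciphertext (seven AES blocks) inside the mail, and under KeyAccess nothing but a RemoteStoredKey element whose tdf:uri points at a policy on acm.virtru.com. That is the concrete form of the point made in this section: the mail carries the data, the vendor's server holds the key, and the web reader shows the same data again, so both halves sit on the vendor's side as well.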

So Virtru has both your encrypted data and the keys to open and read it - I've no reason to believe that they would exploit this position, but if their systems should get compromised, the attacker gains access to everything that has ever been encrypted with Virtru (unless you actively delete the old mails from your Virtru account). Scary.

Nice try...

Virtru does not give any security against a focused attacker. People are led to believe that their communication is safe, which might make them send things that they would not otherwise send in an open email. False security is worse than no security.

I'll keep looking for a system which is easy to use for non-technical people, and which actually protects the communication...