Encrypting Email Sent to Automated Services (non-PGP?)
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Encrypting Email Sent to Automated Services (non-PGP?)
I use a blogging service that allows me to post to my blog by emailing text to the website. I'm concerned that my email provider can read these emails (the provider is a random person offering a small amount of server space, not a company). There's nothing important in the blog posts; I just want to maintain some privacy.
I'm not even sure that the post-by-email function will work with encryption, but I'm guessing it definitely won't work with PGP because, as I understand it, the receiver needs to be a sentient being who will use some sort of key to decrypt my emails. Post-by-email is automated.
So is there a way to protect the email content (and hopefully subject line) from being read by my email provider?
Do I have this right?
You use an email provider run by “a random person” to send messages to a bot that then posts the content of those messages to your blog. The “random person” doesn’t provide the bot or the blog, only the email service. Correct?
As I am/have been such a “random person” I have to ask:
Why you would do business with someone you don’t trust to behave ethically and not snoop in your sent mail?
What MTA is being used by Random Person?
What protocol are you using to connect to their mail server (IMAP/POP3)?
Do encryption schemes encrypt messages while saved on the server?
And ultimately…can’t Random Person simply read the blog?
(Aside: I am in the process of getting out of the business of providing email services. I no longer have any paying customers and just need to decide what to do about my remaining comped accounts…family members)
Do I have this right?
You use an email provider run by “a random person” to send messages to a bot that then posts the content of those messages to your blog. The “random person” doesn’t provide the bot or the blog, only the email service. Correct?
Correct. But the "bot" and the blog are not exactly separate; the blogging site provides the post-by-email service.
Quote:
As I am/have been such a “random person” I have to ask:
Why you would do business with someone you don’t trust to behave ethically and not snoop in your sent mail?
Well it's more like charity than business since the email account is totally free. I don't fully trust any email provider, professional or otherwise, but I don't have good alternatives at this point (running my own email server or not sending email at all).
I use this account only for unimportant anonymous Internet activities, I access it only via Tor or a VPN, so I'm not really trusting this person with very much.
Quote:
What MTA is being used by Random Person?
I have no idea.
Quote:
What protocol are you using to connect to their mail server (IMAP/POP3)?
POP3
Quote:
Do encryption schemes encrypt messages while saved on the server?
I have no idea.
Quote:
And ultimately…can’t Random Person simply read the blog?
Yes. But I'm not worried about random people reading the blog. I'm worried about someone knowing what I'm sending via email.
Yes. But I'm not worried about random people reading the blog. I'm worried about someone knowing what I'm sending via email.
The confusing part is that what you're sending via email is getting posted on your blog for the whole world to know? Is that not right?
For your original question, I guess you have to ask the blogging service provider, it depends what they support, and that's where any decryption would have to happen.
So far as I know, at the end of the day the blog providerhas to, itself, be able to decrypt and/or digitally verify the email. This requires software support on their end, and you must then send a compatible message.
While "posting to a blog via email" seems rather unusual to me, versus simply using a secure web page, in that scenario I could see great value in the provider insisting that the incoming messages be at-least digitally signed. So that it (and you ...) could then be confident that the incoming post to "your" blog was in fact sent by you, and is exactly what you intended to send. (In fact, if I did care to use such a service at all, I would insist on that.)
It is usually "trivially easy" to send and receive either GPG/PGP® or S/MIME secure emails, by means of a simple plug-in that also automatically handles verifying signatures and keys of incoming messages. It's as easy and transparent as (this ...) "secure web site." The messages simply appear to you "in the clear," with a notice confirming that they had been verified and/or decrypted. A "red flag" appears next to any incoming message that should have been signed or encrypted, warning you that it might well be fake.
Among my friends, we use such a facility quite routinely, and like any good crypto, "it just works." (Why doesn't everybody?)
Last edited by sundialsvcs; 01-15-2024 at 08:29 AM.
The confusing part is that what you're sending via email is getting posted on your blog for the whole world to know? Is that not right?
Yes but the whole world cannot connect the blog content to my email address. They can see only the blog posts. Just like the whole world can read my posts on this forum without knowing the email address I signed up with. The less people know, the greater my privacy. The public can access the online content but not my email address, and, ideally, the email provider knows my email address but not the online content.
The email provider might stumble across my blog, but that's not enough to connect it to my email address (nor is it likely to happen). The email provider might follow the recipient address of my emails to the blogging site, but people can mail in text other than blog posts, and the email provider is not likely to know anything about what people can or might email to a blogging site, so that's still not enough to definitely connect the blog content to my email address.
Originally Posted by sundialsvcs;6476880
I could see great value in the provider [u
insisting[/u] that the incoming messages be at-least digitally signed. So that it (and you ...) could then be confident that the incoming post to "your" blog was in fact sent by you, and is exactly what you intended to send. (In fact, if I did care to use such a service at all, I would insist on that.)
The website owners have their own ways to ensure that security. Having the general public try to figure out digital signatures would not be a great idea.
Quote:
It is usually "trivially easy" to send and receive either GPG/PGP® or S/MIME secure emails, by means of a simple plug-in that also automatically handles verifying signatures and keys of incoming messages. It's as easy and transparent as (this ...) "secure web site."
If you mean that it's "trivially easy" after figuring out how to create a pgp identity, then finding the documentation for how to use/enable encryption in relatively obscure open source email software, then finding the names of the plugins specific to one's platform/distro, installing them, loading them in the email software...and then figuring out why the encryption options are still greyed out in the software's menu after all that, ok, maybe you're right. Otherwise, I can't agree.
The essential problem is that "POP/SMTP email" was never designed to provide means to verify the messages that were being sent. There was no thought given to: (1) "is this message actually coming from the stated user?" nor (2) "is this message byte-for-byte actually what the sender intended to send?"
These considerations were "grafted onto" the original protocol in upward-compatible ways. The two survivors are "S/MIME" and "PGP®/GPG." Each of these offer ways to send a "email-compatible message" with additional security content.
And, it still amazes me that neither of these have ever become "standard." Even though the most-important "web email client" provider, GMail, easily could have done so and very-briefly did.
Therefore, "still today," you must use a "plug-in."
At least – if you are still using "old-fashioned email." If you are, instead, using "Microsoft Exchange," or another similar proprietary message-handling service, these security considerations have been addressed. The problem, of course, is that "old-fashioned email" is still out there and cannot be excluded.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.