Have you ever wondered what it means when you get an email that is encrypted but not signed? At the very least, it's better than being completely unencrypted, isn't it?
It turns out that's not necessarily the case. I've looked at S/MIME and found that it is possible to construct messages that, when sent to multiple recipients, are decrypted into completely different messages:
I presented my findings yesterday at #BSidesMunich2024. The talk has been recorded and I'll post a link as soon as it's online.
Thanks to @sophieschmieg for giving me the idea to look into this.
The recording of my talk on #KoboldLetters and #SalamanderMIME is now on YouTube: https://www.youtube.com/watch?v=ko9cwRM3BZU
@weddige We tried setting up S/MIME encryption and signing in preparation for GDPR. While we did get it to work, it was so user-unfriendly, we never even tried to get our clients to use that.
@jernej__s the usability of S/MIME (or email encryption in general) is terrible.
I believe that if we want to ever see widespread adoption, we need something like "Let's Encrypt" for email: A free service that provides certificates with basic email verification and automation to deploy it.
With the prevalence of web mailers, a (good!) certificate manager in the browser with a standardised web API for websites to use the certificates probably would also help.
@weddige Getting the certificates was probably the easiest part of the procedure.
@jernej__s @weddige We've been using S/MIME since very early on in our team @pixolus and it is mostly working seamlessly - on macOS, iOS and Android. However, over 10 years of our existence, a single external party used S/MIME as well - and they had a broken implementation. No external party used GPG. It's a bit frustrating.
@weddige Just a heads up, your images are cut off horizontally on mobile.
@sdubinsky thanks, I'll try to fix that tonight.