this post was submitted on 20 Aug 2023
64 points (95.7% liked)
Technology
59201 readers
3184 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
There is, it's called OpenPGP. GnuPG (GPG) is a popular implementation of the standard and many email clients integrate with GPG or implement OpenPGP directly.
To achieve E2E encryption you need to generate a public/private key pair, exchange public keys with the recipient, and then you can encrypt a message that can only be decrypted and read by them.
To simplify the exchange of keys there are keyservers such as keys.openpgp.org where people can publish their public keys in advance. There are many keyservers and they usually replicate keys among themselves. So when you want to email someone and use E2E your email client can look at the closest keyserver and see if there's a key for that address already there.
This approach to E2E is called OTG (On-The-Go). An OTG method can be applied to any insecure channel not just email. For example the OpenPGP keyservers are being used by programmers who work on open source projects to sign their code so their collaborators are sure it came from them, or by Linux distributions to sign the software packages in their "app stores".
This is very different from what Proton or Tutanota are doing. They encrypt email at rest while on their server and force you to use non-email protocols when you talk to their servers (instead of standard IMAP/POP/SMTP), but they have no control over messages while in transit to/from other mail servers. Their connections to other servers may or may not be encrypted but if they are it's only point-to-point for each hop, not E2E. And most other servers do not encrypt email while at rest there. So while email can be called reasonably secure between you and Proton/Tutanota servers, it stops being secure if you actually want to talk to someone who's not on them.
To achieve secure email, pick your poison: you can try to convince other people to use an open standard & open tool & open keyservers, or you can try to convince them to use a proprietary server & proprietary tools.
Protonmail lets you use PGP