Hacker News
Proposal safer email.
1 point by Ihmahr on June 8, 2013 | 2 comments
I am (have been for two months) thinking of starting an email service that is compatible with the current email system, but adds features.

-If the server is seized by authorities, they get nothing;

-RSA/public key encryption on every email. Every user has a public key and incoming mail is encrypted on the server right away. Public key is available for every email upon request, then other party encrypts and not the server. (this to integrate with other providers who can adopt this protocol)

-Probably need downloadable apps (can be simple javascript) to prevent 'man in the middle' attacks.

-Private key is generated via a standard procedure, client side, on every login. User password (such as 'correct horse battery staple') will be the 'seed' for the procedure to generate private keys.

I need help for this project. Please respond for any suggestions.



Rather than using RSA/public key encryption, I would rather suggest using OpenPGP so that others can encrypt email before it even arrives on the server. Instead of generating the private key on each login, it might be better to either a) store it on the server with the password acting as a passphrase or b) store it somehow in the browser/app. It will be interesting to figure out how to transfer it from one device to another, then.


Yes, encryption before sending it to the server is possible as follows: Ask server for public key associated with email address, encrypt, send. But if other people do not have this feature for their mail, the mail is encrypted on the server.

The server should never directly store the private keys. Maybe more efficient than generating every time again is to use symmetric encryption on the client side to store the asymmetric keys on the server in encrypted form.
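
The scheme described in the reply above (symmetric encryption on the client, with only the encrypted asymmetric key stored on the server), as an added example that is not part of the original thread. The function names, scrypt parameters and blob layout are assumptions; it uses Node.js's built-in `crypto` module.

```javascript
// Added example: wrapPrivateKey/unwrapPrivateKey and the blob layout are illustrative names.
const crypto = require('node:crypto');

// scrypt cost parameters (assumed values; tune for the client hardware).
const KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveKey(password, salt) {
  return crypto.scryptSync(password.normalize('NFKC'), salt, 32, KDF);
}

// Client side: encrypt the PEM private key. The returned blob is all the server stores.
function wrapPrivateKey(privateKeyPem, password) {
  const salt = crypto.randomBytes(16); // per-user random salt, not secret
  const iv = crypto.randomBytes(12);   // fresh nonce for every wrap
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKeyPem, 'utf8'), cipher.final()]);
  return { v: 1, salt: salt.toString('base64'), iv: iv.toString('base64'),
           tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64') };
}

// Client side, after login: fetch the blob and decrypt it locally.
// Throws if the password is wrong or the blob was modified on the server.
function unwrapPrivateKey(blob, password) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, b(blob.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, b(blob.iv));
  decipher.setAuthTag(b(blob.tag));
  return Buffer.concat([decipher.update(b(blob.ct)), decipher.final()]).toString('utf8');
}

// End-to-end run with constructed sample values.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const password = 'correct horse battery staple';                    // constructed sample
  const stored = wrapPrivateKey(privateKey, password);                // what the server holds
  const mail = crypto.publicEncrypt(publicKey, Buffer.from('hello')); // mail encrypted to the user
  const recovered = unwrapPrivateKey(stored, password);
  return { stored, plaintext: crypto.privateDecrypt(recovered, mail).toString() };
}

console.log(demo().plaintext);
```

The stored blob can still be attacked by offline password guessing if the server is seized, so its protection is bounded by the password strength and the scrypt cost.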



