Here is a comparison of how a few web-mail providers handle incorporating the PGP e-mail signing and encrypting feature in their services.
I’ve been using KMail as my e-mail client for many years now. I find it to be one of the best applications you can use to manage multiple e-mail accounts. Add to it the integration of KGpg, the GUI front end to GPG for TDE (and KDE before that), and you have a very easy way of digitally signing and encrypting your e-mails.
But, I know, there aren’t many people out there who use KMail, or other desktop e-mail applications anymore. Today, I’m sure most people use their web browser and web-mail service providers for e-mail (like GMail, Yahoo!, and others). However, if you want to take advantage of the extra security and trust that PGP or GPG offers between you and those you share e-mail with, you most likely need to go through the extra steps of installing and configuring extra plug-ins for your web browser for many of these “free” web-mail services.
Because of these extra steps you need to take when using services like GMail, most people don’t really bother with, or care about, using PGP to digitally sign or encrypt their e-mails. So, I thought I’d take a look at some web-mail providers that make it easy to use PGP to digitally sign their e-mails and to receive/validate digitally signed e-mails they may receive. Maybe if digital signatures were easier to use, more people would be inclined to use them and make the entire e-mail messaging system more trustworthy.
Anyway, here we go…
As I mentioned above, KMail is my e-mail client of choice. I’ll be using it to compose and send my e-mails to the other web-mail services that I use. I will then go into each of the individual web-mail accounts, using my web browser, to see how each service interprets a digitally signed e-mail and how easy they make it to verify its authenticity. The providers I’m including are: Vivaldi.net, Disroot.org, ProtonMail.com, and GMX.com.
To digitally sign an e-mail using KMail (and KGPG), you simply click on the “Sign” icon in the toolbar and then enter your passphrase to unlock your keyring to authenticate your signature. KMail then “signs” your e-mail and indicates so with a yellow border at the top of the message.
KMail allows you to create and assign a digital key-ring for each of the e-mail identities you have set up within the application. Once you have a key-ring for each account, it’s a simple click of the “signing” or “encrypt” icon to do either task.
In the following examples, it is assumed that each of the web-mail accounts already has my public PGP key in its database, so they will be able to authenticate my e-mails on arrival.
Disroot requires digital signatures and encryption to be “inline”; that is, the public PGP key is appended to the bottom of the message in plain text. This is what the resulting e-mail looks like:
As you can see, Disroot clearly identifies that the message has been digitally signed. When you hover your mouse pointer over the lock icon and you have a key-set for that e-mail in your key-ring, Disroot will give you the opportunity to verify the message by clicking on it. If you don’t have an associated key-set, Disroot will then simply say that it cannot verify the message.
Sending a signed message is quite easy. First, Disroot will only encrypt or sign text messages; no HTML or “rich text” messages. But to encrypt or sign, all you need to do is choose the function from the drop-down menu.
Vivaldi’s authentication is a little more sophisticated than Disroot’s and has no problem identifying my e-mail authenticity (with the appropriate key-set configured in my account).
Vivaldi also has no problem with handling either Inline or MIME formatted key sets. The only problem I had was with my GMX account, which is what I used to send out the emails. For whatever reason, Vivaldi decided to start blocking e-mails from GMX. So, I had to use an alternate e-mail address.
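The two formats differ in where the OpenPGP data travels: inline puts ASCII-armored blocks in the message text, while PGP/MIME (RFC 3156) carries them in a separate MIME part. The sketch below is an added example, not from the original post; it classifies a raw message with Python's standard `email` module, using constructed sample messages whose signature bodies are placeholders.

```python
from email import message_from_string

def pgp_format(raw: str) -> str:
    """Classify how a raw RFC 5322 message carries OpenPGP data."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol") or "").lower()
    # PGP/MIME (RFC 3156): the signature or ciphertext is its own MIME part.
    if ctype == "multipart/signed" and protocol == "application/pgp-signature":
        return "pgp-mime-signed"
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-mime-encrypted"
    # Inline: ASCII-armored blocks sit inside an ordinary text part.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        if ("-----BEGIN PGP SIGNED MESSAGE-----" in body
                and "-----BEGIN PGP SIGNATURE-----" in body):
            return "inline-signed"
        if "-----BEGIN PGP MESSAGE-----" in body:
            return "inline-encrypted"
    return "none"

# Constructed samples; the armor bodies are placeholders, not real signatures.
ARMOR = "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
INLINE_SAMPLE = (
    "From: alice@example.org\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "Hello Bob\n" + ARMOR
)
MIME_SAMPLE = (
    "From: alice@example.org\n"
    "Content-Type: multipart/signed; micalg=pgp-sha256;\n"
    ' protocol="application/pgp-signature"; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain; charset=utf-8\n\nHello Bob\n"
    "--b1\nContent-Type: application/pgp-signature\n\n" + ARMOR +
    "--b1--\n"
)

if __name__ == "__main__":
    for name, raw in (("inline", INLINE_SAMPLE), ("mime", MIME_SAMPLE)):
        print(name, "->", pgp_format(raw))
```

The classifier only identifies the container format; checking the signature itself still requires the sender's public key and an OpenPGP implementation such as GPG.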
Sending a signed or encrypted message is just as easy to do as Disroot. Just select the signing option in the menu on the right margin:
The way ProtonMail handles PGP authentication is a little disappointing. Like Disroot, ProtonMail will indicate a signed e-mail with a lock icon. The problem is, I found no way of authenticating the message against a key-ring. It just says that the message has been signed and it’s up to you to decide if it’s legitimate, I guess.
I think the reason for this lackluster effort in PGP integration is because ProtonMail wants you to use their own digital signature system. The problem with that is, although they say it’s more secure, it only works with ProtonMail accounts (at least from what I can tell). And, I really don’t like “vendor lock-in” tactics like this. They could implement PGP authentication, as the other web-mail providers have done, but they choose not to; strong-arming you to use just their services. This is why I don’t use Microsoft or Apple products…. and I’m not all that inclined to use ProtonMail, either.
Sending is not as flexible as the other web-mail services. First of all, I can’t seem to find any signing option, just encryption. To encrypt is easy enough; click on the lock icon then enter a password to “lock” your message. However, when you send, you’re not really sending your message. Rather, your recipients get a message saying that there’s a secure message waiting for them and they have to click on the link provided to read it.
Again, this is ProtonMail’s attempt at making the message more secure, but you have to play in their arena. Your recipients are then taken to ProtonMail’s “walled garden” and enter the password to unlock the message. The process kind of goes against everything you’re taught about clicking on links sent to you in an e-mail. I suppose, if you’re expecting the encrypted message from the sender, it’s not too bad. But, you, as the sender, should probably first warn all of your e-mail recipients that an encrypted message from you is on its way.
GMX supports PGP signatures and encryption by way of a third party app that you need to install on your web browser. This is the way Google’s GMail does it, too (from what I understand). They do not have anything integrated into their web-mail services. And if there is no digital encryption plugin available for your browser, for example SeaMonkey, then you’re pretty much S.O.L.
Here is what my digitally signed e-mail looks like in GMX:
It shows that the e-mail is digitally signed, but like ProtonMail, there’s no way of verifying its authenticity.
As for sending a signed or encrypted message, once again, GMX relies on the plug-in installed on your web browser.
Thankfully, for services like this, I can use KMail to send and receive my e-mails through these accounts, giving me much better authentication capabilities than what these kinds of services provide. Here’s the same message, sent to my GMX account, seen through KMail:
Using KMail/KGpg and the IMAP connection to my GMX account, I can get much better e-mail authentication services than what I can get from the web-mail account itself; not to mention it being easier, as well. It’s also a great way of giving the middle finger to vendor lock-in shenanigans. I understand that ProtonMail is trying to provide a more secure model for digital signing. But how secure do you really feel when they control the entire process, from beginning to end and can change it any time they wish? I’ve always preferred freedom over security.