Wed 15 Feb 2012
Enlocked – simple email security
Posted by Slavik under email, enlocked, security
[7] Comments
Earlier today, a company I recently joined as a board member (and in the interests of full disclosure, an investor as well) announced their first product. The company is called ‘enlocked’ and they are addressing a problem that I’ve felt has been unnecessarily ignored for many years. That is:
While we almost all use email as our primary communications vehicle today, there are still some things that we must reserve for voice (by phone or in person), hardcopy, or even fax.
Being a security-minded person, I cringe whenever my accountant, banker or co-worker asks for some sensitive information over email. I usually break my routine, pick up the phone, and pass the information verbally if I can. Since I’m in the security industry (and running Linux), I have had PGP keys for a long time now and Thunderbird supports PGP nicely using Enigmail. But, most people I communicate with use Windows, don’t have PGP keys and don’t know how to install and generate any of the above. Even if I find someone with a PGP key, the exchange is cumbersome and I cannot read their secure emails on my iPhone, iPad and Kindle Fire.
We all understand the security issues with email. Usually, it is sent entirely in the clear as it goes from your server to the recipient’s server, open for anyone to read along the way. Another issue is that when an email account is compromised or a device is lost, all emails in the account can be read and your sensitive information is exposed. Never mind that the administrators on those servers could be reading any inbound or outbound message, without you knowing it.
Now, some of you are probably thinking: hey, if I really wanted to use email to send this private information, I could just buy some encryption software, exchange keys with the recipient, and I’m all set. As I said earlier, for those of us who deal with a lot of sensitive data, the complexity (and cost) of doing this is worth it. But, for the average user out there who just wants to send someone a quick message, there is a huge adoption hurdle. These tools aren’t getting used, and people are either interrupting their normal email channel and calling with these details, or they are relying on ‘security by obscurity’ in the hope that their message doesn’t get eavesdropped.
The magic of enlocked is that they’ve figured out how to do this in a truly simple way for the sender, without needing to even contact the recipient in advance, let alone install compatible software. By building simple plug-ins and mobile apps, they can leverage your existing authentication to your email server, connect to a cloud service they’ve built, and take care of all the ugliness. You just hit a “send secured” button. The receiver gets their first enlocked message, and is directed to the enlocked.com site to get a plug-in for their device / browser. They authenticate themselves to their email server, and the message is readable. Now that they’ve installed it, future messages (from you or anyone else) require no special handling; they just display automatically. And they can send their own secure email as well.
The best way to really see how well this has been done is just to try it. The downloads and the service are completely free, so head on over to enlocked and send someone a secret message.
Sounds interesting but what about security of data being in their cloud? Not sure I like sending confidential data off to some “start-up’s” server somewhere else.
Good point, Simon – but you have to remember that you’re already sending your data somewhere and it is mined and processed by the likes of Google.
As an investor and a technical person I had the advantage of reviewing the code and I validated both the security of the infrastructure as well as the fact that nothing is kept on Enlocked servers immediately after encryption / decryption is performed.
I know they went through 2 separate external security audits as well.
But – it all revolves around trust, I guess. Who do you trust more – Google/Yahoo/your ISP/your admin or a startup whose sole purpose is to secure your emails and that states specifically it will not use them or keep them in any shape or form?
Encrypted email storage would be nice, something like the one provided by CryptoHeaven
http://cryptoheaven.com
Source code should also be available for review by the community to ensure security without relying on what the company promises.
Email certificates provide the strongest levels of confidentiality and security for your electronic communications by allowing you to digitally sign and encrypt your mail and attachments. I am using the COMODO email certificates. It is really good.
@Henry
The idea behind enlocked is to provide ease-of-use with your current tools (mobile, browser and clients) using standard encryption.
Regarding source code, I tend to agree. At least the clients should be open sourced and this would be my advice to the company. Regarding the server code, there is a balance that the company needs to strike between open and secure so I do not expect them to release the source code for that.
BTW – they have an open API so anyone can create their own clients to use it. Also, the encryption is standard PGP so you can use existing clients like GPG to decrypt.
@watson
Indeed, using S/MIME is a good way to secure your emails. But, the fact is that it is not available across all your devices and you still need to share your public certificate with someone for him to be able to send you a secure email.
Also, I do not think this is for the faint of heart – most non-technical consumers will not be able to set this up.
I’ve used S/MIME and PGP extensively in Thunderbird but I guess I’m not your average user
Enlocked generates and stores PGP private key?
How can the recipient of a message decode it when they sign up AFTER I send the message?
Isn’t this why we don’t trust RSA?