Efail: can email be saved?

Originally published at: https://boingboing.net/2018/05/21/mime-considered-harmful.html


Interesting theory. Email works fine for me and is an important tool. Maybe I am fooling myself.



I think a better title would be “Can Encrypted email be saved?”


Yeah, the headline is bad even by Cory Doctorow standards.

Email works well and there’s nothing wrong with it unless you need your communications to be private and secure. In which case, given the loose nature of the spec and the vast number of clients that exist, it’s probably a bad idea to be using email to communicate.

PGP over email has never been anything more than a nasty hack that is hard for the non-technical 95% of the population to use and is essentially impossible to debug properly because it has so many moving parts that have to interoperate securely. Maybe if a company that actually understands usability had ever cared to implement a simple, non-technical secure email client, but AFAIK none of them ever did and now that 90% of email users just settle for webmail, it’s far too late.


The path goes through Signal and WhatsApp and Wire and Wickr to someone doing a corporate product with email-like interface features.

No. Email’s been around longer already than any of those systems will be, and plenty of people still use it for a lot of things.

I would point out that “for a long time” your email address was identity. It came with your internet access and you weren’t sharing that account. When it was university or business, the administrator who set up your account might meet you, might require ID. That lessened when “commercial” ISPs came along, though in 1996 I had to fill out a form, and did it in person, at the Montreal freenet, and when that failed at the end of November, I had to fill out a form at the next ISP and did that in person. I can’t remember if that was a requirement or just easiest. When I switched to another ISP in 2006, someone dropped by with the form. I didn’t have to show ID, but I wasn’t some random guy filling in a web form. Even around 2003, when I joined the Ottawa freenet to get usenet access, they required a photocopy of ID.

What changed is that internet access is now often shared, and email may not come with that access. You get high speed internet and it’s shared by a few people. You get “free” email from a place that is third party, and has no interest in making sure it’s you when you sign up.

Facebook has taken over as identity, hence all those places that require it for signing in to make comments. But I don’t think they ask for ID, and there’s not much opportunity to meet someone at facebook when you sign on. I have three gmail accounts, and didn’t have to prove my identity for any of them.

So for a long time, a person was vetted by whoever created their account. You were probably running your email and usenet programs at your ISP, which limited what you could configure at home. That all gave a level of security to your identity and your email account.


I definitely agree about feature creep. I do wish that the business I work in did not so heavily rely on email for things that a proper file share service or an instant messenger were capable of accomplishing.

We are getting there but the majority of the processes and notices I get don’t really fit into what an email should necessarily be but are email because that’s what we all use.

Email has become the Jack of all trades but master of none tidal wave.


Well…email development is 60% of the coding work I do. Paper communication is expensive as hell, so most companies want e-communications. Turning off html emails is a horrid idea; we do not even compose text versions anymore. So god only knows what the version of the communication you’re getting looks like.

Additionally…there are serious limitations on what types of nasty things you can do within email html. While you may use gmail or some other web based app that can run scripts and therefore create many security issues…the majority of people are still receiving the bulk in Outlook using an employer provided email address and as such being filtered through a corporate security layer.


Phishing and nasty attachments are a bigger problem than the failure of encryption in my opinion. I suspect only a tiny majority of email users actively seek to encrypt their messages.

Phishing and malware however potentially put entire organizations at risk, often by the actions of the least sophisticated members of the organization (who have email access). Yes, that risk can be mitigated with technology and proper network management but that’s an arms race where you’re at a disadvantage.

I’m glad I never became a full-time IT person.


HTML email is useful for fooling naive users into trusting the claimed source. “It has a Microsoft logo and looks official. It must be genuine!” *click*

Also HTML email makes webbugs possible.

I too disable HTML in Outlook and if a message gets damaged beyond readability as a result then it gets deleted unless I know for certain it’s important.


Except that this is an open standard as well (iCal). Isn’t that the way to security? Agree on a standard, and then that’s the only content that can be included. I don’t mean to make it sound simple, but it’s not like calendar invites are some mysterious commercial interloper into the email standard.

I think limiting what HTML can do in your emails is a good thing, but no HTML layout? That seems like a standard-killer. Also, HTML is definitely not that powerful. If you’re talking about HTML5, you’re actually talking about Javascript and CSS, which, yeah, means severe limits on the Javascript side, and no funny business allowed on the CSS side.

This is really about internet clients sucking, not email itself. The clients evolved in the environment of the standards. So why exactly is it too late to tell clients to stop sucking by adding it to the standard now? If that doesn’t happen, pull a GDPR and make it law, then watch the clients fall in line. Just make the rules of the game clear, and let the players sort out implementation. If we have one company rebuild email, then it just becomes one giant monopolistic shitty client instead of a range of shitty-good clients…


Except they work really poorly and don’t necessarily integrate well with everyone’s workflow. Just send the time/date in the body text as well.


I had an idea for securing some of email functionality a long time ago. Maybe I don’t understand what’s going on. Can someone explain to me why this wouldn’t work? —

  1. Each website or person to whom you initially provide your email address also needs to use a temporary password.

  2. The website or person sends a confirmation email to you that includes your personal email protocol and the temporary password.

  3. The password flags your email provider to scan your email with extra security screening (looking for man-in-the-middle attacks that don’t match your provider’s online encryption protocols).

  4. When the email arrives in your account, it attempts to establish variable sandboxing tied to your offline AV and malware programs, which scan the email prior to approving it.

  5. Your email software screens for the password, and if it matches, then the email is accepted.

  6. Otherwise, the email is dumped without response. After a certain number of re-sent confirmation emails, the email is flagged as potential spam.

  7. Accepted messages could also use encryption keys that are exchanged between email accounts themselves (not users), but are processed using one-time encryption “software pads” (refer to OTAC or PGP).

  8. The “software pads” can be occasionally re-subscribed with 3-factor authentication (email providers contact each other, individual users reapprove themselves, and users contact each other).

‘There is no such thing as “ASCII email.” There is only “email,” and “emailed web pages.”’ (https://twitter.com/mwlauthor/status/981172507720998912)

What was that company that sort of offered that but had to shut down overnight because of an NSA letter or some such?

You realize Microsoft is also trying to …ya know…send you a legitimate email.

Like I said. It’s cheaper. A lot cheaper for a business to communicate via email rather than print. And having you click on something is part of the communication process.

Full disclosure: I’ve run large multiuser email servers since the early 1980s, sometimes several different orgs at a time. I do not currently actually run any, but I have oversight over three.

Sort of true, sort of false.

The Internet was created by connecting all the existing networks (Janet, wren-net, NSFnet, the ARPA net, NSINET and ESNET, BITnet and CSnet, NORDUNET, etc.) through gateways and protocol transmungers. Each of these networks already had a means of identifying users - and they were all incompatible.

For example, the mainframers were typing everything in ALL CAPS and were mostly not case sensitive, the DEC folks were using mixed case proper English and were entirely case insensitive, the unix folks were in all lower case and were extremely case sensitive (Microsoft didn’t matter) and everybody had differing syntactica for in-address mailbox specification and routing directions.

By far the most powerful and capable email software was coming from the Berkeley unix guys, primarily Eric Allman. You could mail a BITnet mainframe from a host connected to Janet over a dial-up uunet link thanks to sendmail, and never even know that every byte had been swapped twice!

Now, unix had lost the host name case sensitivity argument and Berkeley had lost the broadcast address argument (although they continued to use the all-zeroes broadcast, rather than all-ones like everyone else, in-house). It seems to me that at the time this made the Berkeley unix guys pretty scrappy, particularly when they were absolutely in the right, as they were, in the email address argument.

Anyway, Allman made some very cogent observations about namespaces - particularly about the unsuitability of human names for email addresses (which modern corporations don’t seem to fathom today) - and of course mandating email addresses from a central authority was not only technically impossible at the time, it was antithetical to the peer-to-peer architecture of the Internet. Networks needed to be able to deliver messages to existing users, and existing users had identities already. So that’s why there’s no global email user identification system, and there was never any intent to make one.

At this point all was well. By design, sending email was the equivalent of sending a postcard because any number of postmen could read it, and might even need to, in order to troubleshoot and maintain the system. If you used postcards to send truly confidential information, it wasn’t the fault of the system, it was because you were either ignorant (curable through education) or stupid (sadly not curable) or incredibly arrogant and aggressively, purposely stupid. A scalpel is not a hammer.

So everything was fine… but then came Clinton’s opening of the Internet to commercial exploitation. And then came the September that never ended.

Remember, the Internet is not a system made of wires and computers. You can do TCP/IP by skywriting, with pencil and paper, or even over carrier pigeons, no wires or computers need be involved at all. The Internet is a system of rules. The rules govern how two or more Internet peers interact to enable communication.

Before commercialization, if you did not follow the rules, your upstream disconnected you until you fixed your problem, and that was that. But after commercialization, corruption of the rules enforcement processes almost instantly exploded across the Internet.

Today, Microsoft, Google, AOL, AT&T, Comcast, and many other “800 pound gorillas” do not follow the rules that define email. And nobody has the guts to cut them out of the system for being rule-breaking bullies; I have at various times blocked all noncompliant systems and in every case I have been ordered by a CEO or equivalent to remove the blocks.

Because corporate leaders don’t respect technical expertise or subject matter experts if they contradict what some infantile loudmouth in a suit wants right now. And political leaders don’t respect technical expertise or subject matter experts if they contradict what the polls and marketing gurus say the message should be. Screw all your rules, Poindexter, rules are for little people!

Fast forward to today. Email is still not secure and will never be secure as long as malicious humans exist, but that shouldn’t really matter since you can send secure attachments easily, TLS provides transport encryption, DNS SPF and MX records identify mail sources and sinks, and DKIM provides both user validation and message integrity assurance.

But whoops - remember those 800 pound gorillas? They aren’t going to let you off so easily! They make a lot of money and exercise a lot of commercial control by preventing DKIM and SPF from becoming required standards, and since they’ve comprehensively destroyed all enforcement of email rules anyway, everyone loses.
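Two of the checks the post above names, SPF identifying permitted mail sources and DKIM attesting message integrity, can be illustrated offline. The following is an added example, not code from the thread or from any of the mail systems mentioned: it performs RFC 6376 relaxed body canonicalization and compares the resulting `bh=` body hash with the one carried in a DKIM-Signature header, and it evaluates the `ip4:`/`ip6:`/`all` mechanisms of an SPF record against a sending address. The message body, the DKIM header (its `b=` signature is a labelled placeholder; checking `b=` needs the selector's public key from DNS and is not shown) and the SPF record are all constructed; `example.com`/`example.net` and the 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 ranges are documentation values.

```python
"""Offline illustration of a DKIM body-hash check and an SPF address check.
Example code added to this page; the sample message, DKIM header and SPF
record are constructed, not taken from any real mail."""
import base64
import hashlib
import ipaddress
import re


def relaxed_body_canon(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    spaces/tabs into one space, strip trailing whitespace on each line, drop
    trailing empty lines, and terminate every remaining line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the value of the bh= tag."""
    digest = hashlib.sha256(relaxed_body_canon(body).encode()).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """True when the received body still hashes to the bh= value the signer
    recorded. The b= tag (signature over the headers, verified with the
    sender's DNS-published key) is deliberately not checked here."""
    return parse_dkim_tags(dkim_signature).get("bh") == body_hash(body)


def spf_ip_result(record: str, sender_ip: str) -> str:
    """Evaluate the ip4:/ip6: mechanisms and the final 'all' of an SPF record for
    one sending address. Mechanisms that need DNS (include, a, mx, exists,
    redirect) are not resolved offline; hitting one before a match yields
    'unknown' rather than a guessed verdict."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    verdicts = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in verdicts:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # A v4 address is never 'in' a v6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return verdicts[qualifier]
        elif mech == "all":
            return verdicts[qualifier]
        else:
            return "unknown"
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' present


# Constructed sample data (documentation domains and address ranges).
SAMPLE_BODY = "Invoice 42 is  attached. \r\nPay by Friday.\r\n\r\n\r\n"
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
               " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
               " b=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE")
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"

if __name__ == "__main__":
    print(repr(relaxed_body_canon(SAMPLE_BODY)))
    print("body intact:", body_hash_matches(SAMPLE_DKIM, SAMPLE_BODY))
    print("body altered:", body_hash_matches(SAMPLE_DKIM, SAMPLE_BODY.replace("42", "43")))
    print("192.0.2.77:", spf_ip_result(SAMPLE_SPF, "192.0.2.77"))
    print("198.51.100.5:", spf_ip_result(SAMPLE_SPF, "198.51.100.5"))
```

The body-hash check is what makes a one-character change to the received body (the 42 becoming 43) detectable, while whitespace-only differences that relaxed canonicalization discards do not break the match. For SPF, a sender outside the listed ranges reaches the `include:` term first, so an offline evaluator must report that it cannot decide rather than fall through to `-all`.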


The hyperbole is strong with this post…


I have no idea what this means.

Or this, and what does it do if it finds a “man-in-the-middle attack” that does “match your provider’s online encryption protocols”?
And if this extra scanning is possible why is it not done on all incoming mail?

What? I know of a few generic sandboxing technologies, but none I would consider user friendly enough for general users.