Analysis A security startup founded by a former NSA bod has launched an encrypted email and privacy service, aimed initially at ordinary folks.
The ongoing revelations of PRISM and other US-led internet dragnets, fueled by leaks from whistleblower Edward Snowden, may render the premise of upstart Virtru laughable. However, that would be unfair to Virtru, which is trying to make encryption and decryption of email, plus the revocation of messages and other privacy controls, easy to use.
Its execs told El Reg that Virtru aims to do for secure email what Dropbox has done for sync-and-share. Crypto-protected email will be offered for free, and more advanced features, such as finding out where sent emails are forwarded, will carry a price tag. There are also plans in the works to license Virtru's encryption technology to businesses.
The startup has developed plugins that, in theory, let users control how emails and attachments sent to others are shared and viewed. The technology – today in beta – is compatible with Gmail, Yahoo!, Outlook mail providers, and Chrome, Firefox and iOS 7 Mail software (wider platform support is in the works).
Just tell us which cipher they're using
Virtru uses the tough AES-256 algorithm to encrypt every message with perfect forward secrecy before it leaves a computer or device, which is a good start. It wraps each missive in a container that requires permission from Virtru's servers to unlock it. This way, the startup can claim it never holds the actual data sent – just the encryption keys needed to decrypt a message. If you don't like the idea of Virtru's cloud holding your keys, you can set about creating your own one if you ask nicely.
So, having received an encrypted mail via your email provider, your mail client needs to contact the Virtru key store to get the unlock key and decrypt the message on your device or computer. Each message has its own unique key.
Thus, in theory, this mechanism can be used to revoke emails at any time, by refusing to hand over the decryption key and rendering the message and any attachments unreadable. The sender can also, again in theory, restrict the forwarding of a message because whoever ends up with the email may not have permission to download the unlock key from the key store. Similarly, you can finely control who exactly can open a Virtru-encrypted memo by restricting access to the decryption key. There's also the ability to give emails an expiration date.
The technology uses the Trusted Data Format (TDF PDF), an open-source security wrapper created by Virtru co-founder Will Ackerly. It's used by the intelligence community to secure sensitive data, we're told. Ackerly served for eight years at the NSA as a cloud security architect prior to founding Virtru in 2012.
Virtru complements the TDF technology with patented encryption-key management that, the company claims, makes it possible to control the fate of an email and its attachments even after it has left the sender's outbox. You can use OpenID and OAuth protocols to verify your identity to the key store via your email provider – whether that's Gmail, Yahoo! or Microsoft.
Recipients view encrypted emails in Virtru's Secure Reader web plugin, which handles the cryptography and access controls, as demonstrated in this brief video:
So, say Alice uses Virtru to send an encrypted message with attachments to Bob, with settings in place to prevent Bob from forwarding the missive and ultimately revoking access to it in 24 hours. What is stopping Bob from cut'n'pasting the contents of the email before the expiry deadline, or saving the attached decrypted files to disk, and then giving the supposedly protected data to his friend, Eve?
We put this to Virtru, which told us in a statement that, at the moment, there's nothing stopping Bob from dumping the plain text out of the Virtru system:
In short, today we are not guaranteeing that a user won't have persistent access to plain text once they authenticate and are granted access to a TDF key. However, we will be rolling out persistent protection options in the coming weeks, As such, we explicitly allow copy and paste and unwrapping of all attachments, until we release these additional features.
We are in the midst of testing 'persistent protections' across our platforms. Given the importance of assuring that these features cannot be subverted, we are waiting to release them until we have such assurances across the spectrum of platforms.
Even if Virtru is able to disable control-C, control-V in the browser, the decrypted plain text will be in memory on the device, and a user will be able to extract that – there are many programming tools that can freeze the browser application and root out the unencrypted goods.
Virtru told us it will consider using anti-piracy tech in modern browsers to keep TDF data away from prying debuggers, or simply watermark the message so that any leaks can be traced:
For the browser we are pursuing the use of emerging technologies such as Encrypted Media Extensions (EME) to help ensure such protections even in an open source client, and in the mean time leveraging HTML5 features like Canvas to flatten and watermark content before it is injected into the webpage.
Our next thought was: bypass the browser plugin, and just download the keys from Virtru to decrypt the TDF package using your own software and save the plain text to disk. Or hijack the key-fetching code in the plugin using debugging tools.
Virtru reckons it can thwart that by only handing decryption keys to trusted applications – which presumably are programs that can cryptographically prove their authenticity to the server. The reader may have to be digitally signed to prove it hasn't been compromised to leak plain texts and keys. A spokeswoman for the startup told us:
For TDF, any file or message without persistent protection obligations may be opened by any app that supports TDF, even one you write on your own. Where there are obligations such as copy/print and unwrap protection, we must ensure that we are delivering keys to an application we can trust, and there are some techniques that may be leveraged that have varying levels of assurance.
Gaining this trust will vary per application and per platform. Some of the strongest mechanisms are available in modern mobile devices, but are weaker on older desktop environments. In many cases it will require signed code, and we may be able to rely on delivering EME extensions when the technology matures.
Essentially, Virtru will have to play a game of whack-a-mole with anyone attempting to break its system. There are many avenues of attack, each of which the startup will have to secure, if that's even possible given the available software interfaces: only one slip up will blow the thing out of the water.
Its developers will have to trust so many layers of code, from the browser down to the operating system, to enforce its touted message access system. At least revoking a message sent in error will work as expected, provided it's revoked before the decryption key is fetched.
Alice should just trust Bob, and hope he doesn't betray her or get hacked, because, ultimately, Bob could use a camera, or a screenshot tool, to leak the information to Eve, or simply share his Gmail password. Virtru, or its users, could use watermarking, or the old-fashioned technique of slightly altering each document, to trace and identify leakers. Simple steps that could render the aforementioned elaborate defences redundant.
And this is assuming the online decryption key store is hacker-proof.
That aside, and with millions of dollars in funding, Virtru is serious about secure email – even vowing to fight government demands for folks' decryption keys.