Yes, if the server is compromised before a recipient reads a particular email, that can allow the attacker to read that email. However, all emails that are read are deleted from the server and unread emails are automatically deleted after a certain number of days. So, if someone was to compromise the GhostMail server, he/she would only be able to read a paltry amount of messages.
If GhostMail was compromised, the attacker would be able to read messages as they are being sent. Sending messages as images does not stop them from being copied or held for an indefinite amount of time.
In the unlikely scenario that the app was compromised and stayed compromised, you would be correct. However, if it was compromised and the situation was quickly rectified, only sent but unread messages would be able to be read. If a service like WhatsApp was compromised, however, a much larger amount of messages would be able to be read.
What about the interception of the email as it travels through the ISPs? Won't the NSA still grab a copy as it's sent? I thought that was the whole idea of PRISM.
If anything; I think this gives people an impression that they can NSA proof their email-- when in fact they cannot.
The NSA is capturing, and archiving, the data directly from AT&T and Verizon's network. The fact it's set to expire on the OPs servers is of little relevance on theirs (NSA).
Cryptography is the only way to "NSA proof" anything; and only if you do it right.
Exactly, they're allowed to store the email, even if ostensibly they're not allowed to read it. But if it ever becomes relevant, they'll simply go back to their copy of the email.
When the email is sent, there is no record of the message. There is only an image URI that points to the image that contains the message. So, the NSA won't be able to grab a copy as it's sent. However, if an organization has the ability to intercept all images that are loaded in the browser (through the ISPs, for instance), it can grab a copy of the image containing the message. In that case, some OCR would have to be done in order to extract the message (which, agreed, is not hard to do if you are explicitly looking for messages contained within images).
That is correct. If the NSA or any other organization really wants to read your message, it will be able to. There are several ways to accomplish this (including what you just mentioned as well as the image sifting and OCR method I included above), but some of them just involve more work/modification-of-strategy than others.
If the recipient's email client automatically downloads the image the first time and makes it always-available to the user, wouldn't that break GhostMail's promise? While Gmail/Hotmail/etc. may not do this now, is there any technical (even an extension) reason they can't? I simply don't see how, even using a 3rd party, you can prevent somebody from holding on to the message forever. In addition, you cannot assume the content is the most important part of the message; all the email headers will exist in perpetuity, and they'll always know you sent them something (if, in the future, GhostMail wanted to do an Undo Send type feature).
Why do people opt to talk on the phone or use off-the-record gchat instead of send something over email? In both cases, the conversation can still be stored, but the point is to use a communication method for which there is no automatic storage mechanism. You trust your recipient not to record all your phone calls or copy and paste all of your off-the-record gchats, but you just don't want a copy of your messages sitting in their inbox.
As far as your comment on the headers, you're absolutely right. There will always be a record that you sent some message to your recipient at a particular time with a particular subject. However, the details of the message itself are never contained within the headers.
Also, with GhostMail, you already have the ability to "undo send". You can just go into your "sent" folder and view your message before your recipient views it, rendering the message unreadable.
I'd agree that there are use cases where it works. For example: if I wanted to send my roommate a password over email, this would be great because the message content would be gone, and I don't care about headers and timestamps. But if I'm sending some secrets, I wouldn't want any record that it was even communicated.
As people have said, there is always a way from someone to intercept a message. An organization can, at the ISP level, intercept all images that you access in your browser and then perform OCR on the images you receive to extract the message. So there is no foolproof solution here. However, this is simply a service that allows you to send "read only once" emails, with no SMTP records of the message on any servers. It has a certain level of protection that I feel some people will find useful, in the same way that some people really value off-the-record gchat.
Well, the image containing the message is only ever served once. If the recipient navigates away from the email and then opens the email again, the image containing the message will be replaced with a different image (the message will be gone). I recommend reading the full FAQ and trying it out.
This is laughable from a privacy perspective. So you delete the emails immediately after they're viewed? We're expected to take your word for this? Are you saying you don't back up your data at all? How do you handle secure removal from backups? How do you perform the deletion? Do your servers use journalling filesystems? Do you expect us to trust (say) Gmail not to prefetch image data embedded in HTML emails? What happens if you get raided?
21 comments
[ 4.4 ms ] story [ 60.4 ms ] threadIf anything; I think this gives people an impression that they can NSA proof their email-- when in fact they cannot.
The NSA is capturing, and archiving, the data directly from AT&T and Verizon's network. The fact it's set to expire on the OPs servers is of little relevance on theirs (NSA).
Cryptography is the only way to "NSA proof" anything; and only if you do it right.
As far as your comment on the headers, you're absolutely right. There will always be a record that you sent some message to your recipient at a particular time with a particular subject. However, the details of the message itself are never contained within the headers.
Also, with GhostMail, you already have the ability to "undo send". You can just go into your "sent" folder and view your message before your recipient views it, rendering the message unreadable.
'allows you to send "read only once" emails'
The more you advertise it the faster that will happen.