Chaos Computer Club, Others Scoff At German Email Security Move As "Marketing" 135
The move on the part of three large German ISPs to provide more secure email, marketed as "Email made in Germany" (Deutsche Telekom's part specifically was mentioned here yesterday), has drawn sharp criticism from security experts, according to a report at Ars. Among those experts are members of the Chaos Computing Club, and GPGMail lead Lukas Pitschl, who responded to the move from Deutsche Telekom, GMX, and Web.de to encrypt all email in transmission with SMTP TLS : "'If you really want to protect your e-mails from prying eyes, use OpenPGP or S/MIME on your own desktop and don't let a third-party provider have your data,' he told Ars. 'No one of the "E-Mail made in Germany" initiative would say if they encrypt the data on their servers so they don't have access to it, which they probably don't and thus the government could force them to let them access it.'"
Re:So what ever became of public key escrows? (Score:4, Insightful)
Stop using a web browser for a mail interface.
Well yeah but web mail is used by many people for its convenience. People rely on it for cloud storage. Telling people to stop using it won't make them stop, not easily.
Re:Its a start (Score:2, Insightful)
No, it's not a start, it's a backwards step. This gives people a false sense of security, when in reality they have none.
Re:Its a start (Score:5, Insightful)
It's a recurring problem in the IT industry. Anything that isn't 100% secure gets dismissed.
SMTP TLS goes a long way towards making email more secure. So long as the providers aren't pretending they are unable to hand it over to law enforcement (encrypted on the server) then it isn't a problem. User education is the key.
Re:Its a start (Score:4, Insightful)
A start, yes. Whether it is in the right direction is debatable.
The problem is that things today are marketed as absolutes. Just like in this case. IT IS SECURE is bull. And the ones providing it know it. It's a better choice than many alternatives, yes, but you know how people will react to it. Just like they did to antivirus and firewalls. I have antivirus, so I needn't be wary of infections anymore, the antivirus will take care of that!
Sadly, that's not the case. And people will react in similar ways here. Because they don't want to deal with security, they want someone else to do it for them. If there is not somebody like this, they will, at least maybe, be vigilant. If there's someone promising them privacy and security, they'll rely on it.
Re:Its a start (Score:5, Insightful)
SMTP TLS does absolutely nothing for security if even one provider in the chain doesn't use it.
Nobody has claimed otherwise.
SMTP TLS is for securing traffic between servers, no one has said that it will prevent your provider from being complicit in handing over your personal data or that it will protect you if NOT used. Not sure why you felt the need to point out the obvious, BTW did you know an empty Fire Extinguisher won't help you to fight fires?
SMTP TLS does protect email the fact that it doesn't provide 100% anti-james-bond security doesn't make it useless. Is the lock on my front door useless, since it won't stop a sledgehammer, crowbar, chainsaw or law enforcement?
Of course it does become a problem if someone touts it as offering more secure than it really does, but this is also a problem that exists with physical security. Yet we don't so readily dismiss our wooden doors, glass windows and cheap residential locks.