Frequently asked questions
Where and how does the crypto happen? Where is my private key stored?
We run the encryption and decryption routines on the Pixelated server. To be able to do this the keys must be available on the server. Many technical folks out there will tell you that this is bad, and in certain cases they may be right. However, in the end it all boils down to the threat model. In the next answer we explain why using a server-based approach is actually a reasonable idea in our case.
My friends say that my private key should stay on my trusted device, why do you store it on the server?
Tools to encrypt email have been around for years; one of the most widely used today is PGP, first released in 1991. Email itself is such a central part of the Internet, with such a rich ecosystem, that it is near impossible to replace with something else. (Remember Google Wave?) Despite all that, encrypted email has never taken off at large scale because it is too difficult to use.
Having been at many crypto parties, we have experienced bewildered looks when users are confronted with questions about key sizes expressed in bits, when seeing prompts to move the mouse to create entropy, and when they are asked to read out key fingerprints to each other to verify that they really have the right key. We have also seen countless examples of private keys being lost, of course, in many cases by users who have no idea what a revocation certificate is, never mind having created one. Then there is the issue of using multiple devices... All of this is so intimidating that most people choose convenience over privacy, convincing themselves that they have nothing to hide and nobody is interested in them anyway.
The Pixelated team has made careful choices about cryptography so you don't have to. It provides a solid setup without bothering the users. And, yes, it is correct that whoever operates the Pixelated server you use can intercept your mail if they are willing to put in some work. However, consider the alternatives: would you rather trust the people who operate the server, people you can actively choose, or would you, by reverting to unencrypted email, trust any number of parties that you can't choose and don't even know about? We feel that trusting one group of people is vastly preferable. If you feel you can't trust anyone, then your friends are right: you should keep the private keys only on devices you have complete control over and can be sure nobody can tamper with, and make backups, encrypted of course.
How much do I need to trust my Pixelated provider? Can an attacker read my mails? Is there a difference to Lavabit?
To answer this, let's take a step-by-step look at what happens from the time you log into Pixelated, and from the time an email reaches the server, to the moment you see it in your browser.
- When you create your Pixelated account for the first time, Pixelated creates an encryption key on your behalf. This encryption key itself is locked with the password you choose.
- When an incoming email reaches the server, it is encrypted with your key (metadata and all) and stored in the server's database.
- When you log in to Pixelated, your encryption key is unlocked with the password you supply.
- When you view the email, it is decrypted on the fly and displayed in your browser.
So now let's think about what that does and does not protect you against:
- Your emails are encrypted at rest on the provider's server. If your provider is hacked, the attacker can't get to the contents of your inbox.
- Your emails are sent encrypted, so if somebody listens to traffic on the wire, they won't see the content of your email, but they will see who the email is for, the subject, and other information about the message. (This is a flaw of the protocol, not ours. Sorry.)
- Your encryption happens on the server, so if an attacker manipulates the server to record everything happening on it, they could see the contents of your inbox. This attack could mostly be conducted by resourceful adversaries such as intelligence services and other nation-state-level attackers. It plays out over a much longer time scale, which makes it harder to pull off without being detected, and requires more funds and sophistication.
Pixelated has similarities to Lavabit's design and shares its shortcomings. In detail, an email provider has three main adversaries:
- An administrator with access to the server.
- An attacker who can get access to the server.
- An attacker who can intercept the communication to the server.
Pixelated shares these vulnerabilities, just like a conventional (unencrypted) email service does, despite its use of cryptography. The security is anchored to the user-supplied password, and if the operator of the server or an attacker manages to modify the Pixelated code, they could gain access to the password.
So there is a legitimate question: is this worth the trouble at all? Yes, it is, for two reasons:
Reason #1: Just because something does not give you perfect security doesn't mean there's no value in it. Email is a distributed system. You can use your Pixelated account to exchange encrypted emails with somebody who uses other PGP-based email encryption, e.g. Apple Mail with the GPG Suite, or Thunderbird with Enigmail. In this use case you know you don't have to trust anyone other than the operator of your Pixelated server.
Reason #2: If you don't want to trust any email provider, Pixelated makes it easy to set up your own email service!
What about activists and activist organisations?
Privacy, mass surveillance, and activism are often considered together. Activists have a need for strong privacy (see Tim Bray's article on privacy levels for a good discussion of strong vs. common privacy), but those who have been specifically targeted have needs that go far beyond what is needed to counter mass surveillance. Thus, a solution that can help an activist defend against sustained, targeted surveillance is likely to be so involved that it would be unusable for the majority of email users. We do not think it is possible to build a solution that can be widely used as a regular email solution while also providing the features necessary to counter targeted surveillance. Having said that, Pixelated is built in a way that should allow activist-oriented products to be derived from it.