Disroot has implemented Lacre.

Lacre encrypts incoming email on a mail server: https://mastodon.online/@blueghost/112002287859408747

The current rollout stage is open to the public for testing, see blog posts referenced below for details on participating.

16.10.2024: https://disroot.org/blog/disnews-24.10
13.12.2024: https://disroot.org/blog/disnews-24.11

Website: https://disroot.org
Mastodon: @disroot

#Disroot #Lacre #Encryption #Privacy #InfoSec #OpenPGP #PGP #GnuPG #GPG #OpenSource #FreeSoftware #Security #DataProtection #CyberSecurity #FOSS

Blue Ghost (@[email protected])

Lacre is a Postfix filter, it ensures incoming email is encrypted at rest on a mail server via the OpenPGP (PGP) standard. Plaintext email is encrypted server-side. Private PGP keys are not stored on the server. Encrypted email is delivered immediately. Plaintext email is encrypted and then delivered. A brief moment exists between a plaintext email arriving to the server and encryption completion. Website: https://lacre.io #Lacre #Email #Encryption #OpenPGP #PGP #OpenSource #InfoSec
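The post above describes two paths: mail that already arrives PGP-encrypted is delivered as-is, and plaintext mail is encrypted to the recipient's public key before delivery. The following is an added illustration of that decision as a Postfix-style content filter, written for this page; it is not Lacre's or Disroot's code. The detection (PGP/MIME per RFC 3156, or an inline armored block) and the re-wrapping as multipart/encrypted are implemented in full; the encryption itself is delegated to a gpg CLI wrapper that is assumed to be installed with the recipient's key imported, and the demo at the bottom swaps in a constructed stand-in so the MIME handling can be run without any keyring.

```python
"""Server-side OpenPGP encryption at rest, Postfix content-filter style.

Added example, not Lacre's code.  Already-encrypted mail passes through
unchanged; anything else is encrypted to the recipient's public key and
rebuilt as PGP/MIME (RFC 3156).  gpg is assumed to be installed; the demo
uses a constructed placeholder instead of real ciphertext.
"""
import subprocess
from email import encoders, message_from_bytes, policy
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from typing import Callable

PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
# Headers the server needs for routing/metadata; everything else is dropped.
ROUTING_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")


def parse(raw: bytes) -> EmailMessage:
    return message_from_bytes(raw, policy=policy.default)


def is_pgp_encrypted(msg: EmailMessage) -> bool:
    """True if the message already carries OpenPGP ciphertext: a PGP/MIME
    multipart/encrypted container, or an armored block opening the text body."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return True
    text = msg.get_body(preferencelist=("plain",))
    if text is None:
        return False
    payload = text.get_payload(decode=True) or b""
    return payload.lstrip().startswith(PGP_ARMOR_HEADER)


def needs_encryption(raw: bytes) -> bool:
    return not is_pgp_encrypted(parse(raw))


def mime_entity(msg: EmailMessage) -> bytes:
    """The original as a bare MIME entity (Content-* headers plus body).
    RFC 3156 encrypts this whole entity, not just the text, so the recipient's
    client recovers charset and attachments after decrypting."""
    entity = parse(msg.as_bytes())  # work on a copy
    for name in set(entity.keys()):
        if not name.lower().startswith("content-"):
            del entity[name]
    return entity.as_bytes()


def gpg_encrypt(recipient: str, plaintext: bytes) -> bytes:
    """Encrypt to `recipient`'s public key with the gpg CLI (assumption: gpg is
    installed and the key is in the filter user's keyring).  An unattended
    filter cannot answer trust prompts, hence --trust-model always."""
    return subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--trust-model", "always",
         "--recipient", recipient, "--encrypt"],
        input=plaintext, capture_output=True, check=True,
    ).stdout


def wrap_pgp_mime(original: EmailMessage, ciphertext: bytes) -> bytes:
    """Rebuild the message as multipart/encrypted (RFC 3156): a control part
    'Version: 1' followed by the armored ciphertext.  Only routing headers are
    copied, so nothing of the original body is left in clear."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name in ROUTING_HEADERS:
        if name in original:
            outer[name] = str(original[name])
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                                 encoders.encode_7or8bit))
    outer.attach(MIMEApplication(ciphertext, "octet-stream",
                                 encoders.encode_7or8bit, name="encrypted.asc"))
    return outer.as_bytes()


def filter_message(raw: bytes, recipient: str,
                   encrypt: Callable[[str, bytes], bytes] = gpg_encrypt) -> bytes:
    """Return the bytes a content filter hands back to Postfix for delivery."""
    msg = parse(raw)
    if is_pgp_encrypted(msg):
        return raw  # already encrypted end-to-end: deliver immediately
    # Plaintext is in memory here; this is the window the post mentions,
    # and it closes once the wrapped message is what gets written to disk.
    return wrap_pgp_mime(msg, encrypt(recipient, mime_entity(msg)))


if __name__ == "__main__":
    # Constructed sample and a stand-in "cipher" (NOT encryption, just a
    # placeholder) so the demo runs without gpg or any keys.
    sample = (b"From: alice@example.org\r\nTo: bob@example.org\r\n"
              b"Subject: plans\r\nContent-Type: text/plain\r\n\r\n"
              b"meet at noon\r\n")
    fake = lambda who, data: (b"-----BEGIN PGP MESSAGE-----\n\n"
                              b"...ciphertext would be here...\n"
                              b"-----END PGP MESSAGE-----\n")
    print(filter_message(sample, "bob@example.org", encrypt=fake).decode())
```

Wired into Postfix as a content filter, the mail would arrive on stdin and the returned bytes would be re-injected with sendmail; that glue is deployment-specific and left out. The check in `filter_message` is what makes the "delivered immediately" path possible: mail a sender already encrypted end-to-end is never touched, while plaintext is only ever persisted in its wrapped form.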

@blueghost @disroot This is great, thanks for working on it! That said, it is not end-to-end encryption, and we need to be careful about watering down the term as otherwise less well intentioned actors will more easily abuse it. See also:
https://www.ietf.org/archive/id/draft-knodel-e2ee-definition-11.html
Definition of End-to-end Encryption

This document provides a definition of end-to-end encryption (E2EE) from both the perspective of a regular internet user as well as from the perspective of required properties for implementers.

@nwalfield @disroot
I understand your point of view.

This is how Lacre/Disroot describe the application they developed/implemented.

A link was provided to the Lacre website that states "Lacre software provides end-to-end encryption...".

Links were provided to Disroot blog posts using "end-to-end encryption" terminology.

Please ask them to revise the terminology used in their documentation.

Please update me when they revise the documentation and I will edit the post to reflect the changes.

@blueghost @nwalfield @disroot I think it depends how you look at things. Sure GnuPG does not provide forward secrecy but I think it is still end to end encryption. We do say it's mailbox encryption meaning emails at rest. Of course there is a time when plaintext email hitting the server could be intercepted (hence why it's email at rest encryption). Private key of the user is never uploaded to the server which is also the reason we decided to call it end to end.

However if there is a better way to name things I’m sure we are open to it. Our intention is not buzzword-marketing.

@muppeth @blueghost @disroot I don't think you need PFS for end-to-end encryption. What's important in end-to-end encryption is that only the end points have access to the plaintext, which is not the case here. I do not know of any special term for what lacre is doing, but talking about providing encryption at rest is accurate and a big benefit relative to what most services provide.
@nwalfield @blueghost @disroot Perhaps indeed stressing more that it is end-to-end encryption of email at rest is a good idea. We do provide explanation about this in our faq though https://lacre.io/faq but perhaps making it more prominent wouldn’t hurt. Thanks.
Lacre | Lacre.io

Open source end-to-end mailbox encryption for your postfix server.

@muppeth @blueghost @disroot It's not end-to-end encrypted as the server sees the plain text.
@muppeth @blueghost @disroot end-to-end means that only the ends (the original sender and the intended recipient) see the plaintext.
@nwalfield @blueghost @disroot Well it depends how you look at it again. IMO if you are talking about email at rest, your ends are imap server and client.
@muppeth @blueghost @disroot That's not how the RFC defines it and it waters down the term.
@nwalfield @blueghost @disroot I guess you’re right. It does become tricky if you need to add explanation and indeed might get people think it is something it isn’t (when they think about transit as well). I will work on better wording.
@muppeth @blueghost @disroot Thanks for working on this. It's important that us digital defenders are careful so that when the fakes come along we can call them out with authority.

@muppeth @nwalfield @disroot
Consider "zero-access encryption": https://proton.me/blog/zero-access-encryption

Since this terminology is used by Proton for a similar process it may be recognizable and easily understood by a high percentage of people interested in email encryption.

What is zero-access encryption and why is it important for security? | Proton

Some of your most sensitive data sit on the cloud, on the servers of Internet service providers. Zero-access encryption gives you control over your data online.

@blueghost @muppeth @disroot Good suggestion!
@nwalfield @blueghost @muppeth @disroot imo zero access is wrong the same way as e2e if an email is received plain at the server. "pgp encryption at rest" boring but correct ¯\_(ツ)_/¯
@muppeth @nwalfield @disroot
I removed the "end-to-end encryption" terminology from the post and will revise again once advised of the new terminology.

@blueghost @disroot ooh ooh ooh ooh
Yes, yes, yes, yes!

(I had just heard of Stalwart so I am excited to learn about Lacre and Disroot!!)