Randomization is a powerful concept for security and privacy. The core idea is that some parts of our digital life, including traces and computations, are randomized. For instance, one can randomize all our DNS requests over different servers. Randomization provides unpredictability and avoids single points of attack.
Threat model
We consider email. There are different attack points for email:
- The server: If the email server or service provider is compromised, all your emails are accessible to black hats and to big brother. This has already happened to Yahoo. For a minute, imagine what it means if GMail is compromised (or has already been).
- Your password: If the attacker has your password, she can obviously read your email.
- Your machine: if the attacker has access to your client machine (your laptop, your phone), she can likely read your email too.
There is also a network man-in-the-middle threat, but I consider it solved with proper encryption.
Randomization for email
The idea is to dissociate the public email address from the final email storage. One would have a main email address (the public-facing one) and several final storage addresses. Example:
marielledupont92@domain.com (public email) would then randomly redirect to one of:
- marielledupont92@posteo.net
- marielledupont92@gmail.com
- marielledupont92@gmx.com
- marielledupont92@yahoo.com
- etc. (storage emails spread over different providers)
The randomization service would then work as follows. On the server of domain.com, there would be a service which randomly redirects to another email service. For each received email:
- it selects a final address at random
- it forwards the received email to this address chosen at random.
Security Analysis
This setup mitigates the server and password attacks. Let us assume that you have N storage email accounts. If the attacker compromises one, she has access to only 1/N of your emails. The same holds if she gets one of your passwords (obviously, you want to have unique passwords).
Of course, if the attacker compromises the email randomizer, she can read everything. But the nice thing is that the email randomizer is relatively simple and fully stateless. It is easier to minimize the number of security vulnerabilities in simple code, and it is straightforward to check the integrity of a stateless system (automated reboots from an immutable image à la Docker do most of the job).
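As an added example (not code from the post), here is the randomizer's decision logic in Python together with a simulation of the 1/N exposure from the security analysis: a stateless forwarder that picks a storage mailbox with a cryptographically secure choice, keeps the message untouched, and changes only the envelope recipient. The addresses are the sample ones from the post; `PUBLIC_ADDRESS`, `forward` and `exposure` are names I chose for the illustration.

```python
import secrets
from email import message_from_string
from email.message import Message
from typing import Callable, Sequence, Set, Tuple

# Constructed sample: the public address and the storage mailboxes named in the post.
PUBLIC_ADDRESS = "marielledupont92@domain.com"
STORAGE_ADDRESSES = (
    "marielledupont92@posteo.net",
    "marielledupont92@gmail.com",
    "marielledupont92@gmx.com",
    "marielledupont92@yahoo.com",
)
Chooser = Callable[[Sequence[str]], str]


def forward(raw_message: str, storage: Sequence[str] = STORAGE_ADDRESSES,
            choose: Chooser = secrets.choice) -> Tuple[str, Message]:
    """Pick the storage mailbox for one inbound message; return (envelope recipient, message).

    The default chooser is secrets.choice, a CSPRNG: an attacker reading one
    compromised mailbox must not be able to predict where the next message lands,
    so a seeded random.Random would be the wrong tool. Nothing is kept between
    calls, which is what lets the service be rebuilt from an immutable image.
    Headers and body pass through untouched; only the SMTP envelope recipient changes.
    """
    if not storage:
        raise ValueError("no storage mailboxes configured")
    msg = message_from_string(raw_message)
    if PUBLIC_ADDRESS not in (msg["To"] or ""):
        raise ValueError("message is not addressed to the public address")
    return choose(storage), msg


def exposure(raw_messages: Sequence[str], compromised: Set[str],
             storage: Sequence[str] = STORAGE_ADDRESSES,
             choose: Chooser = secrets.choice) -> float:
    """Fraction of a batch readable by an attacker who holds the `compromised`
    mailboxes (or their passwords); the expected value is len(compromised) / N."""
    if not raw_messages:
        return 0.0
    seen = sum(1 for raw in raw_messages if forward(raw, storage, choose)[0] in compromised)
    return seen / len(raw_messages)


if __name__ == "__main__":
    sample = (f"From: alice@example.org\nTo: {PUBLIC_ADDRESS}\n"
              "Subject: hello\n\nMeet at noon.\n")
    # One of four mailboxes compromised: roughly a quarter of the mail is exposed.
    print("exposed fraction:", exposure([sample] * 10_000, {STORAGE_ADDRESSES[0]}))
```

Passing a deterministic `choose` makes the routing reproducible for tests; in production keep the CSPRNG default.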
Usability Analysis
For the user, this requires opening N+1 email accounts and configuring them in her email client. Once this is done, since most email clients offer a “unified view” over multiple mailboxes, the integration is rather seamless.
Open questions
Do you know a piece of software implementing this idea? What other pros and cons do you see?
Interested?
Drop a comment or subscribe to this issue.