How to Encrypt Your Email

So, you want to hide your email from the NSA’s prying eyes?  It’s impossible… but here are some steps you can use to make it harder.

This isn’t theoretical.  The NSA has and does intercept this traffic.

Common Points of NSA Interception

The NSA has unlimited resources to compromise your communications.  You’re not going to stop them.  But that doesn’t mean it should be easy. Below are the easy points of NSA interception.  In this example of an email from Mom to Ben the NSA can intercept the email at Mom’s ISP, Mom’s email provider, Ben’s email provider, Ben’s ISP, and any internet hop in between.

no-encryption

 

I’m going to skip over a lot of important stuff, this guide is not intended for security experts or sysadmins of email systems and how to prevent downgrade attacks, etc.  This is meant to be a post about what the average American should do to protect their emails.

Step 1. Client to Server TLS Encryption

client-server-encryption
thunderbird_starttlsEnsure your email client (e.g. Thunderbird) or browser is using a TLS connection to the server.  If you’re using any major provider like Gmail, Office 365, etc. they will be enforcing TLS.  All email providers should be enforcing TLS so if yours is not that’s a good sign you should be switching.

chrome_httpsIf using webmail your browser should show https, if using Thunderbird you should be using STARTTLS for both inbound and outbound connections.

Note, the entire CA (Certificate Authority) system is broken, the NSA could generate a fraudulent certificate from an amicable CA and do a MITM attack and still intercept the email, but now they have to take some effort to do so.  The point is security comes in layers, and we need to start at the basics, we’ll get to more advanced security below.

Step 2. Make sure Your Email Provider is Encrypting Server to Server Traffic

server-serverIn 2013 Google was outraged after finding out the NSA was intercepting it’s server to server traffic.  As a result Google started encrypting all internal traffic between servers (Good for Google).  Most major internet providers provide server to server encryption.  But the problem is not all ISPs use encryption, so it doesn’t do much good if you send an email from a secure service like Gmail to a small-town ISP that has no security whatsoever.  Probably the best way to check is to enter in a recipients email address here: http://checktls.com/ and if their email provider’s MX server’s pass all the test they’re probably secure.

Step 3.  PGP Encrypt Your Emails

openpgp-4096

Now, the NSA can still potentially intercept your emails at rest through a court order, through PRISM, or through hacking into ISPs.  Your email should be encrypted not only in transit, but also at rest.  The best way to do that is to encrypt it using OpenPGP.  This means even if the NSA gets a hold of your email they can’t read it (at least not without spending some serious time and money).

PGP (Pretty Good Privacy) isn’t foolproof.  It doesn’t encrypt the metadata (the NSA can still see that you sent me an email, they can see when you sent it and where you were) but it does encrypt the content.

How go you get OpenPGP?  Right here:  http://openpgp.org/software/ It’s free, open source, and there are plugins for just about everything.  It works on Webmail, Thunderbird, Outlook, etc.  Check the link above for a complete list but here are two common options:

If you use Thunderbird I suggest Enigmail, and if you use Gmail with the webmail interface Mailvelope is a great plugin.

Here’s a very quick getting started guide for Mailvelope below.  If you’re not going to use Mailvelope the concept is pretty much the same nomatter what plugin you choose.  You’ll Generate a Public/Private Keypair, obtain the public key of the person you’re sending an email to, and send them en encrypted email.

How to Setup Mailvelope for Gmail and Chrome

Mailvelope IconHere’s a quick walk-through to set it up.  After installing the plugin you should see this icon on the top-right in Chrome.   Right-click on it and choose Options.

Next Generate a Key….

I should note that “Password” is traditionally called a Pass Phrase, it should be long, but you don’t ever want to forget it or you won’t be able to read any encrypted messages sent to you.  I strongly suggest writing it down and keeping it someplace safe.

mailvelope_key_generation

Now, to send an encrypted email to me, you’ll need to import my key.  Go to “Import Keys” and type in my email address and hit search.  You should click on the keyID: 13E708FC.  A key will pop up, click on it to import my key.

mailvelope_buttonNow, you can send me an encrypted email.  Go to compose a new email in Gmail.  You’ll notice a button in the compose menu.  Click the button.

Write me a message…

compose_email_to_ben

When you receive an encrypted email, it will look like this.  Click on it and enter your passphrase to decrypt.

decrypt

And there you have it.   I wouldn’t say this is foolproof…. it doesn’t protect against a lot of other attack vectors…

XKCD Comic
CC-By-NC 2.5 https://creativecommons.org/licenses/by-nc/2.5/

But I say if the NSA is going to intercept my communications it shouldn’t be easy.  I want them to spend some effort and money to do so.

For further reading I might suggest https://futureboy.us/pgp.html

 

Intel DC S3500 vs S3700 as a ZIL SSD Device Benchmarks

I ran some benchmarks comparing the Intel DC S3500 vs the Intel DC S3700 when being used as a SLOG/ZIL (ZFS Intent Log).  Both SSDs are what Intel considers datacenter class and they are both very reasonably priced compared to some of the other enterprise class offerings.

Update: 2014-09-14 — I’ve done newer benchmarks on faster hardware here: https://b3n.org/ssd-zfs-zil-slog-benchmarks-intel-dc-s3700-intel-dc-s3500-seagate-600-pro-crucial-mx100-comparison/

IMG_20140817_222031

SLOG Requirements

Since flushing the cache to spindles is slow, ZFS uses the ZIL to safely commit random writes.  The ZIL is never read from except in the case power is lost before “flushed” writes in memory have been written to the pool.  So to make a decent SLOG/ZIL the SSD must be able to sustain a power loss in the middle of a write without losing or corrupting data.  The ZIL translates random writes to sequential writes so it must be able to sustain fairly high throughput.  I don’t think random write IOPS is as important but I’m sure it helps some. Generally a larger SSD is better because they tend to offer more throughput.  I don’t have an unlimited budget so I got the 80GB S3500 and the 100GB S3700 but if you’re planning for some serious performance you may want to use a larger model, maybe around 200GB or even 400GB.

Specifications of SSDs Tested

Intel DC S3500 80GB

  • Seq Read/Write: 340MBps/100MBs
  • 70,000 / 7,000 4K Read/Write IOPS
  • Endurance Rating: 45TB written
  • Price: $113 at Amazon

Intel DC S3700 100GB

  • Seq Read/Write: 500MBs/200MBs
  • 75,000 / 19,000 4K Read/Write IOPS
  • Endurance Rating: 1.83PB written (that is a lot of endurance).
  • Price: $203 at Amazon

Build Specifications

Virtual NAS Configuration

  • FreeNAS 9.2.1.7 VM with 6GB memory and 2 cores.  Using VMXNET3 network driver.
  • RAID-Z is from VMDKs on 3×7200 Seagates.
  • SLOG/ZIL device is a 16GB vmdk on the tested SSD.
  • NFS dataset on pool is shared back to VMware.  For more information on this concept see Napp-in-one.
  • LZ4 Compression enabled on the pool.
  • Encryption On
  • Deduplication Off
  • Atime=off
  • Sync=Standard (VMware requests a cache flush after every write so this is a very safe configuration).

Don’t try this at home: I should note that FreeNAS is not supported running as a VM guest, and as a general rule running ZFS off of VMDKs is discouraged.  OmniOS would be better supported as a VM guest as long as the HBA is passed to the guest using VMDirectIO.  The Avoton processor doesn’t support VT-d which is why I didn’t try to benchmark in that configuration.

Benchmarked Guest VM Configuration

  • Benchmark vmdk is installed on the NFS datastore.  A VM is installed on that vmdk running Ubuntu 14.04 LTS, 2 cores, 1GB memory.  Para-virtual storage.
  • OLTP tests run against MariaDB Server 5.5.37 (fork from MySQL).

I wiped out the zpool after every configuration change, and ran each test three times for each configuration and took the average (in almost all cases subsequent tests ran faster because the ZFS ARC was caching reads into memory so I was very careful to run the tests in the same order on each configuration.  If I made a mistake I rebooted to clear the ARC).  I am mostly concerned with testing random write performance so these benchmarks are more concerned with write IOPS than with throughput.

Benchmark Commands

Random Read/Write:
# sysbench –test=fileio –file-total-size=6G –file-test-mode=rndrw –max-time=300 run

Random Write:
# sysbench –test=fileio –file-total-size=6G –file-test-mode=rndwr –max-time=300 run

OLTP 2 threads:
# sysbench –test=oltp –oltp-table-size=1000000 –mysql-db=sbtest –mysql-user=root –mysql-password=test –num-threads=2 –max-time=60 run

OLTP 4 threads:
# sysbench –test=oltp –oltp-table-size=1000000 –mysql-db=sbtest –mysql-user=root –mysql-password=test –num-threads=4 –max-time=60 run

Test Results

zil_random_read_write zil_random_write zil_oltp_4_theads zil_oltp_2_threads

 

SLOGTestTPS Avg
noneOLTP 2 Threads151
Intel DC 3500 80GBOLTP 2 Threads188
Intel DC 3700 100GBOLTP 2 Threads189
noneOLTP 4 Threads207
Intel DC 3500 80GBOLTP 4 Threads271
Intel DC 3700 100GBOLTP 4 Threads266
noneRNDRW613
Intel DC 3500 80GBRNDRW1120
Intel DC 3700 100GBRNDRW1166
noneRNDWR273
Intel DC 3500 80GBRNDWR588
Intel DC 3700 100GBRNDWR569

 

Surprisingly the Intel DC S3700 didn’t offer much of an advantage over the DC S3500.  Real life workload results may vary but the Intel DC S3500 is probably the best performance per dollar for a SLOG device unless you’re concerned about write endurance in which case you’ll want to use the DC S3700.

Other Observations

There are a few SSDs with power loss protection that would also work.  The Seagate 600 Pro SSD, and also for light workloads a consumer SSDs like the Crucial M500 and the Crucial MX100 would be decent candidates and still provide an advantage over running without a SLOG.

I ran a few tests comparing the VMXNET3 vs E1000 network adapter and there is a performance penalty for the E1000.  This test was against the DC 3500.

freenas_vmxnet_vs_e1000

NetworkTestTPS Avg
E1000gOLTP 2 Threads187
VMXNET3OLTP 2 Threads188
E1000gOLTP 4 Threads262
VMXNET3OLTP 4 Threads271
E1000gRNDRW1101
VMXNET3RNDRW1120
E1000gRNDWR564
VMXNET3RNDWR588

I ran a few tests with Encryption on and off and found a small performance penalty for encryption.  This test was against the DC S3700.

freenas_encryption_on_vs_off

EncryptionTestTPS Avg
OffOLTP 2 Threads195
OnOLTP 2 Threads189
OffOLTP 4 Threads270
OnOLTP 4 Threads266
OffRNDRW1209
OnRNDRW1166
OffRNDWR609
OnRNDWR569

Free SSL Certificates from StartCom

Here’s a quick tutorial on how to obtain and setup a certificate from StartCom.

https

StartCom offers free personal certificates, these aren’t the fake certs where you have to setup your own CA and it only works when people have your CA cert installed.  These are real certs that work out of the box in just about every OS / browser I’ve tried (OSX, XP SP3 to Windows 8, IE, Firefox, Safari, Chrome, iOS, Android, Windows 8 Phone, etc.).

Validate Your Ownership of the Domain

1. Select Domain Name Validation

startcom_1_validation

2. Enter the domain name you want to validate.

startcom_2_domain

3. Select an address you can receive email at, the final address comes from your whois record which should be the domain owner’s email address.  StartCom will send you a validation code, once entered you have verified domain ownership and can create certificates for 30 days.

startcom_3_verification_email

startcom_4_validation

4. Generate Certificate Request.  SSH into your server and create a new key and CSR, it is of extreme importance that “Common Name” should be your fully qualified domain name.  StartCom won’t let you enter a naked domain (e.g. b3n.org) here, you must enter a sub-domain (such as www.b3n.org)  or in the example below I used reader.  The cert will also be good for your naked domain.

startcom_5_generate_key

Skip the generate cert option (since you’ve already generated it) and paste the contents of the CSR file you create into the certificate request form.

startcom_6_skip_generate_private_key  

startcom_7_paste_csr

startcom_8_cert_request_received

5. Here you select the domain the certificate will fall under, then the subdomain for your certificate (must be the same as your certificate request).

startcom_9_select_domain

startcom_10_subdomain

startcom_11_cert_ready

6. StartCom will give you your certificate, paste it into a .crt file.  Also BE SURE to download the intermediate and root certs.

startcom_12_save_cert

7.  Now you have a SSL Certificate (.csr) and Key (.key)

startcom_13_save_cert 

8. Configure Apache2.  …this goes below the directory directive in your site config: (e.g. /etc/apache2/sites_available/reader.gondolin.us)  be sure to reference your certificate and key as well as StartCom’s root certificate, and chain (this will help out older browers).  Note that the certificate can be used for just about any purpose including (IMAP, SMTPS, Mumble server, etc.)

 

403 Forbidden on Ubuntu LAMP

403 forbidden errorOver the last few days some of you noticed a 403 forbidden error from time to time.  So I’d login, check the Apache error logs and see this entry “(13)Permission denied: /home/benjamin/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable.”  Well the permissions were set, I had the executable +x bit for www-data set on all the parent folders.  I would login and restart apache2 or chmod 755 my /home/benjamin directory again and it seemed to work for awhile…

This morning I saw the 403 error again.  I log in, refresh the page and it works.  So it appears to be an intermittent issue… wait a minute!  It starts working when I login!  I logout, and the 403 error is back.  Login again, and it’s back to normal.  Turns out I enabled home directory encryption on my account!  I moved my wordpress folder to a location outside my home directory and now all should be good.