The Best Open-Source Email Service

Why is CTemplar Using OpenPGP Encryption?

In the technology community, of which we at CTemplar are a proud member, many new technologies are created through collaboration between programmers, developers, engineers and other experts. This ensures that knowledge gets shared and that the entire community, not just one player, gets to reap the benefits.

This is why non-profit open-source was introduced as a response to for-profit proprietary licensing.

Today, we are seeing more and more examples of open-source being used across IT, including, of course, open-source email encryption. However, before we can get deeper into why open-source email encryption is important, we need to understand what open-source technology is in general.

What is Open-Source Technology and Open-Source Software?

Open-source refers to something that has a publicly accessible design and that can be modified and shared by people.

When it comes to software, the context in which the term “open-source” first saw use, it refers to any software whose source code can be inspected, modified and improved by anyone, not just the person, team or company who created it. Examples of open-source software include LibreOffice and the GNU Image Manipulation Program (GIMP).

The opposite of “open-source software” is “proprietary software”. This is software whose source code can only be accessed and modified by the person, team or organization who created and/or owns it. Gmail, for instance, is proprietary software.

What is Open-Source Email Encryption?

Now that you hopefully have a better understanding of what open-source in general is, let’s talk about how it relates to email encryption.

You can never be 100% sure who might be spying on your email conversations. To ensure that your email data is safe from theft or corruption, email providers employ different types of encryption.

For instance, Gmail uses TLS (Transport Layer Security), which encrypts communication in transit (between sender and recipient), provided that both sides support TLS.

On the other hand, many encrypted email providers, including CTemplar, ProtonMail, Tutanota and others, use PGP encryption.

PGP, or Pretty Good Privacy, was developed in 1991 by Phil Zimmermann to encrypt and decrypt email and text messages. The basic premise of PGP is to encrypt the message or file you want to send with a random key, and then to encrypt that random key with the recipient’s public key. The encrypted key can only be decrypted using the recipient’s private key.

However, due to patent issues, PGP itself is not open-source; it is instead proprietary software used by Symantec. In response to this, Zimmermann released the PGP source code, which allowed anyone to create their own email encryption software based on PGP.

This allowed the Internet Engineering Task Force (IETF) to form the OpenPGP Working Group and consequently, many email providers to use it.

How Does PGP/OpenPGP Work?

Technically, PGP and OpenPGP are no different, other than the fact that one is proprietary and the other open-source.

Symmetric/Asymmetric Key Cryptography

That said, PGP is a hybrid cryptosystem, meaning that it uses a combination of symmetric and public key encryption.

More specifically, PGP generates a random one-off session key and uses symmetric key encryption with that key to encrypt the message.

The problem with this, however, is that you can’t share the session key safely via email. If you do that, someone intercepting the email will be able to access its contents.

In response to this, PGP uses asymmetric, or public key, encryption, which works with a pair of keys: one public and one private. The sender encrypts the session key (and so, in effect, the message) using the recipient’s public key, but that same public key cannot be used to decrypt it. Instead, the recipient must use their private key to decrypt it.

Digital Signature

However, key cryptography isn’t the only element of OpenPGP mail.

Another element worth mentioning is the digital signature. This is what verifies and authenticates that the sender is who they say they are and not someone else (such as an impostor).

To detect tampering, digital signatures use public key cryptography to verify that the data really comes from the source it claims to come from. As a result, there is almost no chance of forging a digital signature unless the private key itself has been compromised.

Once you receive an email carrying a digital signature, your PGP software automatically verifies the integrity and authenticity of that signature using the sender’s public key.

It does this in four steps:

  1. The received message is first hashed. A hash function essentially digests the email message in its current form;
  2. Next, the digest embedded in the digital signature is recovered by using the sender’s public key for decryption;
  3. The PGP software then compares the message digest computed from the email it received with the message digest it recovered from the digital signature;
  4. If the two don’t match in even one character, the message could be fake or the sender may not be authentic.

Conclusion

Open-source isn’t just important for programmers and engineers. Users who are not tech-savvy also benefit from open-source secure email encryption.

In general, open-source software is:

Despite all the benefits of OpenPGP email, however, not that many providers employ it. PGP itself can be very complicated for someone who is not tech-savvy, so many providers avoid it.

We at CTemplar don’t consider this an excuse for not providing our users with the most secure and anonymous encrypted email possible. That’s why we use the audited and trusted OpenPGP.js library maintained by Proton Technologies.

Our source code is audited by our community and users, and we are also the first email provider to allow loading the website directly from the open-source repository code at gh.ctemplar.com.