In the technology community that we at Mautic are a proud member of, many new technologies are made through collaboration between programmers, developers, engineers, and other experts. This ensures that knowledge gets shared and that the entire community (not just one player) reaps the benefits.
This is why non-profit open-source was introduced as a response to for-profit proprietary licensing.
Today, we are seeing more and more examples of using open-source in many areas of IT, including open-source email encryption. However, before we can get deeper into why open-source email encryption is important, we need to understand what open-source technology is.
What are Open-Source Technology and Open-Source Software?
Open-source refers to something that has a publicly accessible design and that can be modified and shared by people.
When it comes to software, the context in which the term “open-source” was first used, this refers to any software whose source code can be inspected, modified, and improved by anyone, not just the person, team, or company who created it. Some examples of open-source software include LibreOffice and the GNU Image Manipulation Program.
The opposite of open-source software is proprietary software. This is software whose source code can only be accessed and modified by the person, team, or organization who created and/or owns it. For instance, Gmail is proprietary software.
What is Open-Source Email Encryption?
Now that you hopefully have a better understanding of what open-source is, let’s talk about how it relates to email encryption.
You can never be 100% sure who might be spying on your email conversations. Email providers employ different types of encryption to ensure that your email data is safe from theft or corruption.
For instance, Gmail uses TLS (Transport Layer Security), which encrypts communication in transit (between sender and recipient), provided both ends of the connection support TLS.
On the other hand, many encrypted email providers, including Mautic, ProtonMail, Tutanota, and others, use PGP encryption.
PGP, or Pretty Good Privacy, was developed in 1991 by Phil Zimmermann to encrypt and decrypt email and text messages. The basic premise of PGP is to encrypt the message or file you want to send with a random key. That random key is then encrypted with the recipient’s public key, and the result can only be decrypted using the recipient’s private key.
However, due to some patent issues, PGP itself is not open-source; it is proprietary software owned by Symantec. In response, Zimmermann released the PGP source code, allowing anyone to create their own version of email encryption software based on PGP.
This allowed the Internet Engineering Task Force (IETF) to form the OpenPGP Working Group and, consequently, many email providers to adopt it.
How Does PGP/OpenPGP Work?
Technically, PGP and OpenPGP are no different, except that one is proprietary and the other open-source.
Symmetric/Asymmetric Key Cryptography
PGP is a hybrid cryptosystem that combines symmetric and public-key encryption.
More specifically, PGP generates a one-off, random session key and uses symmetric-key encryption with that key to encrypt the message.
The problem with this, however, is that you can’t share the session key safely via email. If you do, someone intercepting the email can access its contents.
In response to this, PGP uses asymmetric, or public-key, encryption, which works with a pair of keys: one public, one private. The sender encrypts the session key with the recipient’s public key, but that same key cannot be used to decrypt it. Only the holder of the matching private key can recover the session key and, with it, the message.
Digital Signature
However, key cryptography isn’t the only element of OpenPGP mail.
Another element worth mentioning is the digital signature. This verifies and authenticates that the sender is who they say they are, not someone else (like an impostor).
Digital signatures use public-key cryptography to verify that the data really comes from the source it claims to and has not been tampered with in transit. As a result, there is almost no chance of forging a digital signature unless the signer’s private key itself has been compromised.
Once you receive an email signed with a digital signature, your PGP software will automatically verify the integrity and authenticity of that signature using the sender’s public key.
It does this in four steps:
- The received message is first hashed. A hash function produces a fixed-size digest of the email message in its current form.
- Next, a second digest is recovered from the digital signature using the sender’s public key.
- The PGP software then compares the digest computed from the received email with the digest recovered from the digital signature.
- If the two don’t match in even one character, the message may have been altered, or the sender may not be authentic.
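The four-step signature check just described, together with the session-key wrapping from the hybrid-cryptosystem section above, as an added example that is not code from the original post or from OpenPGP.js: it uses schoolbook RSA on SHA-256 digests with a constructed key pair so that each step is visible, and the function names `sign`, `verify`, `wrap_session_key` and `unwrap_session_key` are my own.

```python
import hashlib

# Constructed demo key pair (textbook RSA, no padding): p and q are the
# Mersenne primes 2^127-1 and 2^521-1, so n (about 648 bits) is large enough
# to hold a 256-bit digest. Real OpenPGP keys are randomly generated.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest(message: bytes) -> int:
    """Step 1: hash the message in its current form (SHA-256, as an integer)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Sender side: the digest is transformed with the sender's private key."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver side: the four steps described in the post."""
    n, e = public_key
    local_digest = digest(message)              # step 1: hash what arrived
    recovered_digest = pow(signature, e, n)     # step 2: public key undoes the signing
    return local_digest == recovered_digest     # steps 3-4: any difference means reject

def wrap_session_key(session_key: int, recipient_public_key) -> int:
    """Hybrid scheme: the one-off session key is encrypted with the recipient's public key."""
    n, e = recipient_public_key
    return pow(session_key, e, n)

def unwrap_session_key(wrapped: int, recipient_private_key) -> int:
    """Only the matching private key recovers the session key."""
    n, d = recipient_private_key
    return pow(wrapped, d, n)

def demo():
    """Constructed message: verify the genuine copy, then an altered one."""
    original = b"Invoice attached. Please pay by Friday."
    tampered = b"Invoice attached. Please pay by Monday."
    sig = sign(original, PRIVATE_KEY)
    return verify(original, sig, PUBLIC_KEY), verify(tampered, sig, PUBLIC_KEY)
```

Changing a single byte of the message changes the whole digest, so the comparison in `verify` fails even though the signature itself is untouched.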
Conclusion
Open-source isn’t just important for programmers and engineers. Non-tech-savvy users also benefit from open-source secure email encryption.
In general, open-source software is:
- More secure, since it lets anyone look at and fix potential security flaws.
- Available to all, meaning that no single entity owns it.
- Reliable. Open-source apps are built on proven languages such as Java or Ruby.
- Flexible and customizable. You can modify it to fit your software’s needs.
Despite all the benefits of OpenPGP email, however, few providers employ it. PGP can be very complicated for someone who is not tech-savvy, so many providers avoid it.
We at Mautic don’t consider this an excuse not to provide our users with the most secure and anonymous encrypted email possible. That’s why we use the audited and trusted OpenPGP.js library maintained by Proton Technologies.
Our community and users audit our source code, and we are also the first email provider to allow loading websites directly from the open-source repository code at gh.Mautic.com.