Send in your ideas. Deadline December 1, 2024
logo
hex
Resources
Source code :
https://invent.kde.org/pim/kmail
Website
More info available :
https://kontact.kde.org/components/kmail/
Grant
Theme fund: NGI0 PET
Period: 2019-12 — 2022-10

Improve Email Encryption in KMail

Adopt improvements in Email Encryption in KMail

The goal of this project is to make it more simple for inexperienced users to just use encrypted mails, at the click of a button. Autocrypt is a new method for email encryption, that needs nearly no user interaction. It performs the needed key exchange transparently in the background, and does key management automatically. Encrypted Headers is a protocol to send mail headers in the encrypted mail part. Traditional encryption methods leaked meta-data, which could be used for mass surveillance purposes. The result will be part of the KDEPIM codebase, so you don't have to install anything else than KMail to use these improvements.

Why does this actually matter to end users?

Email was designed without privacy or security in mind, which is amazing for such a popular service. When you send an email, anyone that can gain access to your mail server or the mail server of the recipient can read your mail, from top to bottom. And copy it, for later usage. It is often compared to sending a post card, and of course in many cases there may be little harm in others reading what the weather is like in Paris. But what if you want to use email to send something confidential, something you do not want to share with others? Like a love letter, a political rant or an important contract? And what if you can't actually trust the mail man, for instance because the other party is using a free email service known to search through everything? Or what if you don' t like the fact that your writings are stored in a country you have never been, with different laws that may not be compatible with your thoughts about the world? Or what if you live in a country that has an unhealthy interest in bringing down certain political voices, or are part of a cultural minority that is at risk?

Computer specialists have been protecting their email with encryption for decades. This is the equivalent of putting your message very carefully in the blender, pressing the button before anyone else has read your mesage, shredding it up and sending a packet of shreds over to the other end. The amazing thing about cryptography is that you can magically (or rather mathematically) make it possible for your secret love - and not anyone else - to recreate the message from the shreds, and know it was you - and not anyone else - that sent it. For the rest of the world, the message would be meaningless garble pretty much forever.

However, the solution they came up with is not easy for normal people to work with. You need a lot of patience and technical skill to make use of it. Many people have tried, and could not get it to work or gave up because it hindered them. It was in fact too hard to turn it on by default. This means that most people are probably not even aware that it is possible to protect the contents of their email with cryptography. And so, unfortunately, normal citizens and business have been left behind - exposed to people reading their email messages, and (in the absence of other security measures) potentially also receiving fake or manipulated messages.

Autocrypt is a major contribution to make it far more convenient for people to use cryptography with email. It provides a specification for software to do most of the hard work (hence the portmanteau Autocrypt, which comes from Automatically Encrypt), and thus help also normal users protect the privacy and security of their mail. This project will implement Autocrypt into the open-source and widely used email client Kmail, along with the MemoryHole-software which will further encrypt your email by hiding your email headers. This way every user of Kmail automatically uses secure and trustworthy email, without leaking any personal or sensitive information.

Logo NLnet: abstract logo of four people seen from above Logo NGI Zero: letterlogo shaped like a tag

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.