| |
to Snowy
Re: Lavaboom?

Leaving the technical issues aside, including those related to trust and privacy, this still:

1) Requires both the sender and the receiver to take extra explicit steps. Again - forget about the technology. There are dozens of technical solutions that have never gained any popularity since they all miss this all too important point.

2) This isn't transparent and integrated with user's existing email solution.

Note I am not criticizing this solution (or any other), but rather pointing out that it doesn't address the primary issue with getting general acceptance to secure message exchange. Note that I keep stating this is not a technology problem - since it absolutely is not. There are many solutions out there largely because the technical problem is extremely easy to solve, and in fact had been initially solved decades ago.

I see repeated questions asking why in this day and age don't we have secure private email. The answer is that we do, in many different forms and via many different solutions. These have existed in some cases for over 25 years. The issue is not whether such a solution exists but rather whether the public will leverage such a solution. The problem is getting the general public to use such a solution. It has already been shown time and time again that if an end-user needs to take any extra steps at all such a solution likely has very little chance to succeed.

Now, if two specific individuals specifically want or need to exchange a message privately there are many ways to do so. In order for messaging to default to being private and secure it requires the industry to collaborate and make that happen.

For instance, take primary messaging providers such as Apple, Google, and Microsoft. In all three cases, users must have a login (account) with said provider in order to send and receive email. There is no reason why each provider could not provide, by default, a secure email certificate for each user. This would take no further action on the part of the end-user as the email cert only validates and secures the specific email address. No other identity or other confirmation is required. The only piece then missing would be a centralized directory used to share the public half of user email certs. Such a directory would need to be queried and used by email clients transparently. Such a scheme would facilitate default secure and private messaging and not require one single additional step on the part of the end-user.

Note I offered just one solution implemented through technology, but this is not a technology problem and is not really a technology solution. There are many other possible solutions but all require collaboration on the part of the industry as a whole.
|
Snowy "LET'S GO DARWIN" Premium Member join:2003-04-05 Kailua, HI
2015-Jun-27 9:26 pm

said by Shady Bimmer: 2) This isn't transparent and integrated with user's existing email solution.

I've completely dropped the ball as far as explaining the relative simplicity of the process. The very first email is a 3 step process, with subsequent emails being a two click process to decrypt/read or encrypt/send.

From within Gmail webmail - first click will open a Google content page (click #1)
That page redirects to my client's website where the actual decryption occurs (Click #2)
No third party involved.

The process was simple enough for me to get right on the first try & that's saying something - I have struggled with key management for years - still do - I'm not debating the merits or weak points of the app, I'm just being sure to give it a fair public overview because it deserves it, IMO.
|
Ian1 Premium Member join:2002-06-18 ON
2015-Jun-27 9:54 pm

said by Snowy: That page redirects to my client's website where the actual decryption occurs (Click #2)
No third party involved.

The third party in that example is your client's website. Perhaps an entirely trustworthy third party.
|
Snowy "LET'S GO DARWIN" Premium Member join:2003-04-05 Kailua, HI
2015-Jun-27 10:03 pm

I'm one party, the client is another party, so that adds up to hmm, two. Who is considered the third party?
|
Ian1 Premium Member join:2002-06-18 ON
2015-Jun-27 10:07 pm

The decrypt is done on the website, then transmitted back to the other party. Anyone with the right access on that website can decrypt it. And maybe that's fine.

That's an example of a system that a company might like. In that employee X can email employee Y securely from outside eyes. But if need be, the company itself can decrypt it without prying the keys out of X and Y's hands.
|
Snowy "LET'S GO DARWIN" Premium Member join:2003-04-05 Kailua, HI
2015-Jun-27 10:27 pm

said by Ian1: That's an example of a system that a company might like. In that employee X can email employee Y securely from outside eyes. But if need be, the company itself can decrypt it without prying the keys out of X and Y's hands.

That is a good thing, IMO. The only place where the encrypted mail is at risk is on their servers which they have absolute control over.

The app isn't their go to encryption solution. PGP has always been their preferred encryption app but my contact went on a 3 week vacation that didn't have access to his PGP software. An issue developed that required a flurry of emails - they introduced this app as a temporary fix. That it didn't pose any challenge to my already challenged key management was much appreciated.
|
| |
said by Snowy: That it didn't pose any challenge to my already challenged key management was much appreciated.

This speaks volumes, and is the heart of contemporary resistance to proper privacy and security. Until encryption becomes truly transparent it will never be widely embraced. If it becomes something that "just is" then it will happen. Even for those that understand the risks and are willing to make the extra effort, true privacy and security is a challenge. It should not be, and it does not need to be.
|
Shady Bimmer
to Snowy

said by Snowy: The only place where the encrypted mail is at risk is on their servers which they have absolute control over

In the end that party is still able to decrypt the content stored on their servers. Many have concerns that such a provider could be forced to decrypt and provide such decrypted content to our government (or other entity). This is where zero-knowledge solutions have grown in popularity, as such a provider does not hold and has never been provided with the needed details to decrypt the content it hosts.
|
Snowy "LET'S GO DARWIN" Premium Member join:2003-04-05 Kailua, HI
2015-Jun-27 11:03 pm

said by Shady Bimmer: Many have concerns that such a provider could be forced to decrypt and provide such decrypted content to our government (or other entity).

Their a Russian based IT security company so it would have to 'other entity' LOL
|
| |
said by Snowy: Their a Russian based IT security company so it would have to 'other entity' LOL

Voltage Security is owned by HP, an American company.
|
Snowy "LET'S GO DARWIN" Premium Member join:2003-04-05 Kailua, HI
2015-Jun-27 11:14 pm

Voltage is the software vendor that sold them the system.
|
| |
HP acquired Voltage Security (the company), not just the technology. Voltage Security is part of HP. In fact » www.voltage.com identifies itself as part of HP. The HP company is what provides the security email service you referenced, and the HP pages reference this service as part of their offerings.

Irregardless, this shows that simply counting on a particular company being completely outside of the reach of US government (or other global national entity) is false "security". Even if such a corporation were completely out of reach today does not mean that this would be the case tomorrow.

I'm not saying this is a specific particular problem, but rather ensuring that it is clear as part of full disclosure for those that do have such concerns.
|
Snowy "LET'S GO DARWIN" Premium Member join:2003-04-05 Kailua, HI
2015-Jun-27 11:53 pm

said by Shady Bimmer: HP acquired Voltage Security (the company), not just the technology.
Voltage Security is part of HP. In fact » www.voltage.com identifies itself as part of HP.

I'm glad you got that cleared up with yourself. The client I referenced is a customer of Voltage Security (HP), more specifically a SecureMail customer.

said by Shady Bimmer: The HP company is what provides the security email service you referenced, and the HP pages reference this service as part of their offerings.

HP provided the software, my client does not use the HP cloud though. They host the HP software on their own server, serving up the decrypted messages from » smail.companywebsite
|
| |
I'm not sure what you mean by your "client". You referenced Voltage SecureMail Cloud as another option/alternative to pre-sharing a secret. This is a solution hosted by HP, a US company. Is this your "client"?
Or is your "client" another company also offering such a service to the public using the same technology? If so, could you share their site and details?
It should be noted that even HP is aware of this concern and provides a Warrant Canary for notification to its users, as other related providers have started to do.
This is starting to get into the weeds with repeated discussions of yet another technological solution. That only strengthens the position that the technology part of secure message exchange is very easy. It is the non-technical part that has been the barrier, in that if it takes end-users an extra effort to explicitly have to use they will not do so as a general practice.
|
Snowy "LET'S GO DARWIN" Premium Member join:2003-04-05 Kailua, HI 1 edit
2015-Jun-28 12:05 pm

said by Shady Bimmer: I'm not sure what you mean by your "client".

Yes, 'client', particularly when also using the word 'email' might lead to some confusion. Client as in customer is what I meant. This link is the 'customer'. » www.group-ib.com/

EDIT:

said by Shady Bimmer: Or is your "client" another company also offering such a service to the public using the same technology? If so, could you share their site and details?

Really?

said by Snowy: Their a Russian based IT security company

said by Snowy: Voltage is the software vendor that sold them the system

said by Snowy: The client I referenced is a customer of Voltage Security (HP), more specifically a SecureMail customer
|
| |
I think there is some confusion since in the context of general email encryption for public use, you referenced a public cloud-based email solution for such use. You referenced 'a client' generically which could be interpreted as a client of that solution. I, as well as others, replied in that context of the public cloud-based email solution.

You did not mention it was a specific client of yours, that such client is not actually using the public cloud solution you referenced (until later), that "their" [sic] referenced this private company and not HP, or that this is about a private company's private solution that is really not relevant to this thread. That may have been how you intended but was not how it was presented.

It is not clear how a private solution implemented internal to a private company for use internal to that company is relevant to the general topic here. That is where the confusion came in.

Within many companies today messaging is often exchanged securely. There are also many solutions that also allow those companies to securely exchange messages with their external clients. There are many such private solutions in use already. What is done within a company to protect their intellectual property is not particularly relevant to the general public each individually protecting their own privacy.

Lavaboom is promoted as a zero-knowledge solution. This is important for individuals looking to maintain their privacy, but is contrary to the needs of many corporations. A solution such as Voltage SecureMail Cloud is not zero-knowledge (as was noted earlier). This remains the case even if privately implemented within a private company.

With that since this thread has gone way off the original topic I'm done with this part of the discussion.
|
Snowy "LET'S GO DARWIN" Premium Member join:2003-04-05 Kailua, HI
2015-Jun-28 2:47 pm

Here is an example of that confusion. I've mentioned more than once that the encrypted emails are sent to my Gmail webmail account. Despite that, you continue to use words such as "private solution, internal to a private company, for internal use..."

said by Shady Bimmer: It is not clear how a private solution implemented internal to a private company for use internal to that company is relevant to the general topic here.

That's out in left field. You completely fabricated that out of thin air because nothing posted in this thread even suggests the app is limited to the local network. Of course I could be wrong (as unlikely as that may sound). I welcome you to point out what gave you the impression I was talking about a local app because I believe it does not exist.

said by Shady Bimmer: With that since this thread has gone way off the original topic I'm done with this part of the discussion.

That's probably a good idea.
|