With the recent and ongoing disclosures of what appear to be widespread Internet surveillance programs, the public is becoming increasingly aware of the privacy risks in sending plaintext email. Even connecting to one’s email service provider using a cryptographically secure protocol like HTTPS provides a false sense of security, because one cannot ensure the trust or privacy of any intermediary servers/connections used to route the message to its recipient. As such, there are many excellent tutorials—and even entire web campaigns—that empower average users to protect their online communications via free tools like OpenPGP.
Since day one, Digital Operatives has employed strong cryptography to protect all of its internal email communications. This works extremely well and, for all intents and purposes, is currently very secure. There are some downsides, however. The number one complaint about using public key cryptography to secure all email communications is that there really isn’t a good way to search through the bodies of the emails in your inbox (since the message bodies are encrypted, a simple search for a term like “cat” or “meeting” won’t match any of the emails it otherwise should have). In fact, the second bug ever reported for the popular Enigmail GPG plugin for the Thunderbird mail client was a feature request asking for the ability to search through encrypted email bodies. That bug was opened in 2003 … and it is still open today.
The trouble is that the decryption step is too computationally expensive to decrypt all of the message bodies on the fly during the search. The alternative would be to temporarily decrypt the message bodies of new emails as they arrive and add them to a search index. The problem with that approach is that it introduces a security vulnerability of its own, since sensitive message data would then sit in the search index.
Given that over 90% of the email in our inboxes at Digital Operatives is encrypted, we decided to scratch our own itch and develop a solution to this problem. We took the second approach mentioned above: we incrementally build a search index to search across the encrypted message bodies. To mitigate the aforementioned security risk with this approach, we encrypt the entire search index using the same private key used to decrypt one’s emails. Therefore, the only risk would be if an adversary got access to one’s private key, but that of course would have even worse security implications since he or she could then read all of the original emails anyway.
Our proof-of-concept solution is a tool called Magiic. Magiic Allows for GPG Indexing of IMAP on the Command-line. It is a Python script that uses GnuPG for encryption/decryption and Whoosh for full-text indexing. It acts as a standalone mail application, connecting directly to an IMAP server and building a local index from the contents of the mailbox. It has a simple ncurses interface, so all interaction can take place on the command line. We are releasing the code under a version of the Creative Commons BY-NC-SA 3.0 license that has been modified slightly to be more applicable to software licensing. It is free for non-commercial use.
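To make the design above concrete, here is an added, stdlib-only Python sketch of the core idea (this is illustrative code, not Magiic's own, which uses GnuPG and Whoosh): the index is held in memory and only ever touches disk as a sealed blob, and each pass indexes only UIDs it has not seen before. The HMAC-based encrypt-then-MAC `seal`/`unseal` pair is a portable stand-in for the GPG encryption Magiic applies with the user's key, and the decrypted message bodies and the key are constructed sample data.

```python
import hashlib, hmac, json, os, re

def _stream(ek, nonce, n):  # HMAC-SHA256 in counter mode as a PRF keystream
    return b"".join(hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):  # encrypt-then-MAC; stdlib stand-in for GPG (assumption)
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("index tampered with or wrong key")  # never load a bad blob
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

class EncryptedIndex:  # term -> IMAP UIDs; held in memory, on disk only as a sealed blob
    def __init__(self, seen=(), postings=None):
        self.seen = set(seen)  # UIDs already indexed, so later runs are incremental
        self.postings = {t: set(u) for t, u in (postings or {}).items()}
    def add(self, uid, decrypted_body):
        if uid in self.seen:  # already indexed on an earlier pass
            return
        self.seen.add(uid)
        for term in set(re.findall(r"[a-z0-9]+", decrypted_body.lower())):
            self.postings.setdefault(term, set()).add(uid)
    def search(self, term):
        return sorted(self.postings.get(term.lower(), ()))
    def save(self, path, key):
        doc = {"seen": sorted(self.seen),
               "postings": {t: sorted(u) for t, u in self.postings.items()}}
        with open(path, "wb") as f:
            f.write(seal(key, json.dumps(doc).encode()))
    @classmethod
    def load(cls, path, key):
        with open(path, "rb") as f:
            return cls(**json.loads(unseal(key, f.read())))

# Constructed sample: bodies as they sit in memory right after GPG decryption.
DECRYPTED = {101: "Team meeting moved to 3pm", 102: "Cat photos attached", 103: "Friday meeting agenda"}

def sync(path, key, messages=DECRYPTED):  # one pass: reopen, add unseen UIDs, reseal
    idx = EncryptedIndex.load(path, key) if os.path.exists(path) else EncryptedIndex()
    for uid, body in messages.items():
        idx.add(uid, body)
    idx.save(path, key)
    return idx
```

A wrong key or a modified file fails the MAC check and the index is refused rather than partially loaded, which is the property that makes keeping the index at all acceptable.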
The code is available here.