Abstract

Despite being one of the most basic and popular Internet applications, email still largely lacks user-to-user cryptographic protections. From a research perspective, designing privacy-preserving techniques for email services is complicated by the requirement of balancing security and ease-of-use needs of everyday users. For example, users cannot be expected to manage long-term keys (e.g., PGP key-pair), or understand crypto primitives. To enable intuitive email protections for a large number of users, we design FriendlyMail by leveraging existing relationships between a sender and receiver on an online social networking (OSN) site. FriendlyMail can pro- vide integrity, authentication and confidentiality guarantees for user-selected messages among OSN friends. A confidentiality-protected email is encrypted by a randomly-generated key, and the key and hash of the encrypted content are privately shared with the receiver via the OSN site. Our implementation consists of a Firefox addon and a Facebook app, and can secure the web-based Gmail service using Facebook as the OSN site; the addon is available at: https://madiba.encs.concordia.ca/software/friendlymail/. However, the design can be implemented for preferred email/OSN services as long as the email and OSN providers are non-colluding parties. FriendlyMail is a client-end solution and does not require changes to email or OSN servers. In contrast to most other solutions, we limit our target user base to existing OSN users, to facilitate ease of adoption. In this paper, the focus of our discussion includes: the design, implementation and security analysis of the proposed solution. We acknowledge that a user study will be required to validate usability-related features of FriendlyMail. We are currently considering a comprehensive user study as separate future work; cf. past such studies of PGP (Whitten and Tygar, USENIX Security 1999), S/MIME (Garfinkel and Miller, SOUPS 2005).