Abstract

Despite being one of the most basic and popular Internet applications, email still largely lacks user-to-user cryptographic protections. From a research perspective, designing privacy preserving techniques for email services is complicated by the requirement of balancing security and ease-of-use needs of everyday users. For example, users cannot be expected to manage long-term keys (e.g., PGP keypair), or understand crypto primitives.

To enable intuitive email protections for a large number of users, we design FriendlyMail by leveraging existing pre-authenticated relationships between a sender and receiver on an Online Social Networking (OSN) site, so that users can send secure emails without requiring direct key exchange with the receiver in advance. FriendlyMail can provide integrity, authentication and confidentiality guarantees for user-selected messages among OSN friends. FriendlyMail is mainly based on splitting the trust without introducing new trusted third parties. A confidentiality-protected email is encrypted by a randomly-generated key and sent through email service providers, while the key and hash of the encrypted content are privately shared with the receiver via the OSN site as a second secure channel. Our implementation consists of a Firefox addon and a Facebook application, and can secure the web-based Gmail service using Facebook as the OSN site. However, the design can be implemented for preferred email/OSN services as long as the email and OSN providers are non-colluding parties. FriendlyMail is a client-end solution and does not require changes to email or OSN servers.