DMail And The False Sense Of Security

Email has been around for several decades. Nevertheless, it is still one of the most used forms of communication, especially in business. Therefore the security of an email message is really important.

Over the years, different methods have been implemented. Lately, the guys behind Delicious have also implemented their own solution, starting a new service called DMail. The claim is:

Self-Destructing Email

Finally, sent email has a delete button

At present, the service is in Beta version, and it's free, so I've tried it to understand how it works.

I have to admit it: I was pretty skeptical... and I was right. But first things first.

How It Works

Let's start by saying that it works only on top of GMail (not even Inbox) and only with Google Chrome/Chromium. In fact, by clicking on the button "Try it now!", you are redirected to the extension page in the Chrome Web Store.

Once installed, you can see the DMail logo on the top-right part of the GMail screen. The same logo appears in the compose window, near the enable slider and the combo box to choose the expiration time.

New DMail message on top of GMail

You can write your email and send it like you normally do, but what happens is that the message is not sent to the recipient: it is stored on a DMail server in an encrypted form (or so they say).

The addressee receives an email with a link to the message, which is decrypted on the fly just for them. When the time expires, or if the sender decides to destroy the message, the link will show the following message:

Message Unavailable

This message is no longer available for viewing..

It seems cool, right? Uhm, not so sure...

Security?

Let's see where the pitfalls are. First, the mail with the link to the encrypted message is (obviously) unencrypted and it contains the codes (KEY and CLIENT) that I suppose are used to decode the message. This means that, if the email is transmitted over an insecure connection, the message should be considered compromised.

Moreover, the email can be forwarded, and the message can also be accessed from the forwarded email.

You can argue that once the message has expired, no one is able to see it. This is also what Snapchat promised, right? The countermeasures are quite simple. You can save the page with the message from your web browser, or take a screenshot or a photo, and make the destroyed message live forever.

Besides, you must remember that your messages lie on someone else's computer, which can be compromised and your data stolen.
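The three points above (key in the link, forwarding, saving before expiry) can be reproduced with a small model. This is an added example, not DMail's code: the store, the function names, the service.example URL and the meaning given to the client and key parameters are assumptions, and the SHA-256 keystream is a standard-library stand-in for a real cipher.

```python
import hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

STORE = {}  # hypothetical server-side store: message id -> (nonce, ciphertext, tag)

def _keystream(key, nonce, n):
    # Stand-in stream cipher built from SHA-256; illustration only, not production crypto.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, nonce + ct, hashlib.sha256).digest()

def send(plaintext):
    """Sender: store only ciphertext, return the link placed in the plain email."""
    key, nonce, msg_id = secrets.token_bytes(32), secrets.token_bytes(16), secrets.token_hex(8)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    STORE[msg_id] = (nonce, ct, _tag(key, nonce, ct))
    # Assumed link layout: message id and decryption key both travel in the URL.
    return "https://service.example/view?" + urlencode({"client": msg_id, "key": key.hex()})

def view(link):
    """Viewer: the server checks what the caller holds, never who the caller is."""
    q = parse_qs(urlparse(link).query)
    record = STORE.get(q["client"][0])
    if record is None:
        return "Message Unavailable"
    nonce, ct, tag = record
    key = bytes.fromhex(q["key"][0])
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        return "Message Unavailable"
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def destroy(link):
    # Sender's "delete button": removes the server copy and nothing else.
    STORE.pop(parse_qs(urlparse(link).query)["client"][0], None)

def demo():
    link = send("Q3 figures attached")   # constructed sample message
    forwarded = link                      # a forward or an intercepted copy is the same string
    by_recipient, by_third_party = view(link), view(forwarded)
    saved_copy = by_third_party           # page saved or screenshotted before expiry
    destroy(link)
    return by_recipient, by_third_party, view(link), saved_copy
```

In this model, destroying the message only changes what the server returns afterwards; any copy made while the link was valid is out of the sender's reach.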

Conclusions

To me, this service is pretty useless. The idea is good but, at present, I don't think the right technology exists to provide what they promise in a really secure way.


Cover image taken from Pixabay licensed under the Creative Commons Public Domain Dedication license.

Luca Sommacal


Italian developer (mainly in C for embedded platforms), Linux learner, addicted to rock music, history, science and few other things.
