3 Reasons Why You Should Never Use Enlocked

Enlocked advertises easy, secure email. Sounds good to me! My current solution (Thunderbird+Enigmail) works, barely, but it is a big pain in the tukhus. I’d go for something better. Heck, I’d pay for it. And Enlocked is free!

I gave their Chrome plugin a try. Installation was a breeze and it worked exactly as advertised. It integrates almost seamlessly into Gmail (when replying, quoted text is still encrypted, but they’ll probably fix that soon). It really was friendly enough for anyone! But I’m not dusting off the old blog just to tell you that. No ma’am.


1. They encrypt and decrypt using their own key.

If you’ve ever spent the not-insignificant time to learn and use PGP yourself, you’ll know that one point of going through all the trouble is complete, end-to-end encryption. You don’t have to trust your email handlers. Any of them. And there can be many! So, uh, you just never give your private key to anyone, ok? Everyone gets their own keys (there are plenty for everyone, and they’re free!). That’s the way PGP works.

I should say that I’m not positive Enlocked uses their own key. It could just be a key they generate using some secret they securely get through you via OpenID or something fancy like that (even so, they’re free to brute force your secret day and night since they have the key). But without knowing for sure, you might as well assume it’s their key and they can decrypt your messages anytime they darn well please. Or if someone forces them to decrypt messages (like a government, or someone with lots of power or money), same result.

2. They encrypt and decrypt on their servers.

From their How it Works page:

“The systems at Enlocked only have access to your messages for the short time we are encrypting or decrypting them, and then our software instantly removes any copies.”

This is really more of the first reason (no end-to-end encryption), but it’s just another place where their inevitable security breach could occur.
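The key-custody argument behind reasons 1 and 2, as an added example that is not part of the original post and is not Enlocked's code. Node's built-in crypto (RSA-OAEP wrapping an AES-256-GCM session key) stands in for OpenPGP here, and the party names and function names are assumptions made for the illustration.

```javascript
// Added illustration; not Enlocked's code and not real OpenPGP.
// RSA-OAEP + AES-256-GCM stand in for PGP's public-key + session-key scheme.
const crypto = require('crypto');

// Each user generates a key pair locally; only the public half is shared.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender: encrypt a fresh session key to the recipient's PUBLIC key.
function seal(recipientPublicKey, plaintext) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt(
    { key: recipientPublicKey, oaepHash: 'sha256' }, sessionKey);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Reader: unwrapping the session key requires the matching PRIVATE key.
function open(privateKey, env) {
  const sessionKey = crypto.privateDecrypt(
    { key: privateKey, oaepHash: 'sha256' }, env.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.body), decipher.final()]).toString('utf8');
}

// What a party recovers from the envelope with the key it holds (null = nothing).
function readAs(privateKey, env) {
  try { return open(privateKey, env); } catch { return null; }
}

function demo() {
  const alice = newKeyPair();   // generated on Alice's own machine
  const relay = newKeyPair();   // a mail handler holding only its own key
  // Custodial model: a service keeps a copy of Alice's private key.
  const custodianCopy = crypto.createPrivateKey(
    alice.privateKey.export({ type: 'pkcs8', format: 'pem' }));
  const env = seal(alice.publicKey, 'constructed sample message');
  return {
    recipient: readAs(alice.privateKey, env),
    relay: readAs(relay.privateKey, env),
    custodian: readAs(custodianCopy, env),
  };
}

console.log(demo());
```

The relay recovers nothing, while the custodian's copy of the key reads the message exactly as the recipient does, which is the exposure reasons 1 and 2 describe.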

3. Their software is closed-source.

If you know me you know I’m a Free² Software zealot, so you expect this kind of propaganda from me. But transparency is really important where the actual encryption and decryption take place. They must at least make their client-side code available for review.

Sorry Enlocked, nobody serious about security will adopt your software until you address these issues.

Disclaimer: I’m no security expert. But Bruce Schneier is. If you really want to get schooled on security, read anything he’s written. For instance: Secrets and Lies: Digital Security in a Networked World.

2 thoughts on “3 Reasons Why You Should Never Use Enlocked”

  1. Adam,

    I’d like to help clarify some of the points in your post – full disclosure, I am part of the Enlocked team.

    First, we’re glad you agree that we’ve hit the mark on the issue of ease of use. We believe this is currently a major obstacle for many people in deploying encryption, along with the ability to read their messages across multiple devices.

    Concerning your questions of keys and key management, first, we do not use our own key. When a user first receives an email sent via Enlocked, or when they register with us to send, we generate a PGP key pair for them, and them only. They are able to download these keys and use them with other applications (like Enigmail) or if they already have existing keys they wish to use they can upload those and will be able to receive properly encrypted messages directly or via Enlocked.

    The bottom line on key access is that this is exactly the trade-off we believe users need to make. Right now, most users send their email entirely in the clear, for anyone to read along the way. The reason for this is that encryption is just too complex… installing software on multiple devices, publishing keys, getting the recipient’s key before sending a message, etc. So, VERY FEW people use it. With Enlocked, you are trusting your key with a dedicated security company, and we take the security of those keys very seriously. We all come from security backgrounds, and we have state-of-the-art security tools protecting this data. At the same time, we aren’t saying Enlocked is the only solution — by all means, if you are prepared to take on the headaches of managing your own encryption software and keys, go for it. But, we believe there is an even larger market for the users who want a greater level of security than they have now, without all the hassles.

    Lastly, on the issue of open source, we are actually supporters of this idea, and it is very likely that we’ll move in this direction in the near future with the client and plugin components of our solution. In the meantime, users can actually see the code for the plugins from within their browser, and should feel comfortable knowing that the code for our iPhone/iPad and Android apps has been reviewed as part of the process of getting them approved for distribution via iTunes and Google Play.

  2. Thanks for your reply, Andy. Email security is definitely ripe for improvement, and I’m glad you’re doing it. I hear you about trade-offs that have to be made with respect to security and convenience. I hope you guys do well. And I hope the open source part works out!

    How about Enlocked doing more client-side? Key generation, key storage, encryption, and decryption could all be done without hitting your servers. Basically you’d be implementing a more-useful Thunderbird+Enigmail+GnuPG at that point. I’d love to ditch all three of these for something just as secure that integrated more cleanly with Gmail.

    Everyone in my company encrypts emails with PGP (even some contractors!) but nobody likes having to fire up Thunderbird and remembering a separate password just for email encryption. I’d love to offload that to you guys!

    If you do more client-side, I’ll probably use your stuff and pay for it if I have to. I value security. I pay for LastPass, for instance. Everyone in my company uses it. LastPass is easy; I didn’t have to do any training. And nothing unencrypted touches the LastPass servers.
