Unencrypted Emails from Malwarebytes?

[Atli]

Hey.

GMail seems to think emails from Malwarebytes are unencrypted. (See attached.)

An internet security firm sending emails to their customers - about security - without security?

Just saying... 

[David H. Lipman]

There is MORE insecurity in just using Google GMail for an email provider than a broadcast email not being encrypted or using Secure Sockets Layer.

Do you know what it means to have an encrypted email or to sign an email for purposes of non-repudiation ?

Do you know about Public Key Infrastructure ?

Do you know what the difference is between Webmail and an Email Client ?

" An internet security firm sending emails to their customers - about security - without security? "

What does that question actually mean ?

Do you understand what "security" means and for what context ?

If I write "I bought a security." does that mean I am now secure ?

 

I will try phrase this in actual "context" using comparative analogy.

There are two kinds of media communication.  Unicast and Broadcast.

Unicast is a One to One system.

If I call you on the telephone that's a type of Unicast communication.  If you and I use Walkie-Talkie Radios that too is a type of Unicast communication

Broadcast is a One to Many system.

If I am a DJ at WCBS FM that's a type of Broadcast communication.  I use a CB Radio on Channel 9 that is a type of Broadcast communication.  If I use a telephone in a teleconference that may be a broadcast as well even though it is a Many to Many communication stream.

If I call you on a telephone or if we use Walkie-Talkies there is the possibility that our conversation can be intercepted and listened too.  Therefore Telephone or Radio communication can be encrypted such that only you and I can be a party to the conversation and nobody can listen-in.

If I am a DJ at WCBS FM it absolutely makes no sense to encrypt the broadcast.  It defeats its purpose.

However if I am Police Officer or if I am Military Officer directing a squadron of personnel then that broadcast may be encrypted to protect that data stream from being intercepted.

The same is true when a company broadcasts an email.  Broadcasting an email is when one party uses a distribution list and sends email to that distribution list.

If I am a company who broadcasts an Email Newsletter it makes absolutely no sense to encrypt the email.

However if I am sending an email that contains protected data such as Personally Identifiable Information ( PII ) which may contain a subordinate's Social Security Number then encrypting the email makes perfect sense.  If I encrypt that email and send it to one person, that a Unicast message.  If I encrypt that email and send it to several people that's a Broadcast message.

 

To discuss this subject matter we must frame it in context and scope.  The word "security" can mean many things and its context plays a big roll.

I can go on and on getting into depth of why I may use Webmail over HTTPS vs. Webmail using HTTP, or using an email client using Secure SMTP ( SMTP/S ) vs. using an email client using plain  SMTP but I'd probably lose you as I have written enough already.  It is the term "security" in context that can steer this thread and I can't cover all the facets involved.

 

 

 

 

[Atli]

Hey David.

Thank you for that incredibly patronizing, and detailed, reply.
Allow me to reply in kind...

For the record, I am in fact an experienced software developer, that have worked extensively with, and understands well, the inner workings of the internet itself, internet security and email, at a low level.

Fist: about "broadcast email"
This concept is just plain incorrect; the analogy is flawed at the core.

Even when "broadcast" to a mailing list - like in this case - the emails are still sent directly to specific recipients. They are not simply "put out there" and left for anybody who cares to listen. The email protocols, and the very concepts involved, simply do not support that.

Even for people unfamiliar with the technical aspects of email, this is clear from the image I posted earlier.

How often do you turn on the radio, and the radio host greets you (and everybody else listening...) by name? Never, because that is not possible for "broadcast media". Tailored messages like that are only possible in a one-to-one or bi-directional schemas, and even when the messages are identical, on a low level all emails are tailored for specific recipients.

Second: about the security
Pointing out why data encryption is necessary on the internet is pointless; everybody an their grandparents understand that. So I'm just going to assume you realize how sending unencrypted emails exposes their contents to the world.

Even in the absence of "Personally Identifiable Information", like socials or finance details, there is plenty to be learned from a mailing list message. For one, there is always the email address of the recipient. (I get enough spam as it is, thank you.) Also, in this case, the contents of the mail also contain the user's name. On top of that, anybody intercepting this message will easily deduce that I am a customer of Malwarebytes.

You may be thinking that's not exactly dangerous info. You'd be wrong.
I'm not going to go into details about how this could be used for wrongdoing, but I think the Malwarebytes engineers would agree that simply handing this info over to the world is hardly something to be taken lightly.

[David H. Lipman]

" For the record, I am in fact an experienced software developer, that have worked extensively with, and understands well, the inner workings of the internet itself, internet security and email, at a low level. "

LOL - Then you wouldn't be using a free service like GMail.  It may be free of monetary costs but it certainly is not "free".  You have given up some of your rights to be able to use Google's email system without a monetary subscription.

I'm sorry you felt my reply was patronizing but even in your reply it shows you do not get it.  Right down to calling Malwarebytes a "security firm".  It isn't.  Malwarebytes is an anti malware company and isn't in the security business.  But there we are at the area of security and context again.  Compare Brinks, Pinkerton and Academi ( aka; Blackwater ) with Malwarebytes.

The part that I left out of my reply was associated with "context" was "content".  When I used my PII example that was content related.  When I mentioned a Police Officer or Military Officer directing a squadron of personnel that too is content driven.  A newsletter email from Malwarebytes is not content worthy of encryption.  Furthermore there is no reason that Malwarebytes even needs to send encrypted email.  I have at least 10 years of experience in encrypted email.  Sending, receiving, dealing with personal certificates and how to to obtain them from LDAP and other services.  I have dealt with the situations where a certificate is revoked and a new certificate is issued and I have dealt with the situation where an email is encrypted with a certificate that has subsequently expired or has been revoked.

If you are truly worried about email and snooping.  Drop GMail and pay for an email service provider who is serious about privacy.  The fact is Google does what they tell the public the government shouldn't do.  Obtain a cert from a CA and have it published by a Web Server or LDAP server and use an email client that handles encrypted email properly.

When I used my comparative analogy it wasn't meant to be a 100% match.  However the analogy is still valid.

 

 

[Atli]

2 minutes ago, David H. Lipman said:

LOL - Then you wouldn't be using a free service like GMail.

You assume a lot. Just because I use Google for crap mail, like marketing mail from non-consequential software subscriptions, doesn't mean I'm trusting them with any sensitive data, or anything related to my work. There is nothing forcing people to use only a single email setup at a time. - I use GMail for this kind of stuff because it's convenient, and I don't care in the slightest that Google knows what software I use, or what forums I subscribe to.

14 minutes ago, David H. Lipman said:

Right down to calling Malwarebytes a "security firm".  It isn't.  Malwarebytes is an anti malware company and isn't in the security business. 

Semantics. You know full well what I meant. They produce personal security (anti-malware) software. In my book that qualifies them as a "security business". At the very least a security related business. Even if that doesn't fit some dictionary definition of the phrase.

17 minutes ago, David H. Lipman said:

A newsletter email from Malwarebytes is not content worthy of encryption.

Note that none of this was ever related to encrypting the actual content of the email (e.g. PGP), but rather just encrypting the data in transit between servers. (Standard TLS/SSL.) That is what Malwarebytes is apparently failing to do, and there are few valid excuses left for that these days. - As somebody concerned with data protection, to the point where any use of GMail seems unacceptable to you, I'd have thought you'd be in favour of those basic protections...

Nobody is suggesting that marketing email (or other bulk mail) be encrypted on the content level. At this point in time that concept barely even makes any sense.

[gonzo]

A comment was made.

An argument ensued.

Little value is coming of it.

Please chill!  This is supposed to be a place for collaboration and for solving problems.

[celee]

Hi @Atli, thanks for bringing this to our attention.

I've forwarded this info to our eCommerce team who handles all newsletters. We recently switched to a new email client for newsletters and are hoping to get it rectified soon.

Thanks,

Cecile