Discuss Scratch » Discussion Forums » Things I'm Making and Creating » GTMail: Free Email, Encrypted Automatically
GeonoTRON2000 (Scratcher, 100+ posts)
GTMail: Free Email, Encrypted Automatically
One thing that's been bothering me lately, and should bother you too if you follow tech and care about privacy, is Google reading my emails. I've used Google's email (which I'm not allowed to name drop apparently) since I was either nine or thirteen years old, depending on whether I'm lying to my parents, and basically a decade and a half of my life has been stored unencrypted on Google servers for them to harvest targeted advertising data points from – every website I've ever signed up for; every school event I've been invited to; personal communications with all my friends, family, and loved ones; my college applications and their resulting acceptances or rejections; every club I ever joined or internship I had in college; and the entire process of applying for the job I now currently have. My entire life is laid bare for a corporation to harvest data from and train chatbots on, and that feels Quite Bad. It is also a nearly universal experience. They are doing this to basically everyone, and so is Microsoft, Yahoo, AOL, and even Yandex if that's your poison.
The landscape of the internet did not used to be so dystopian. There was a time when phrases like “breach of trust” and “don't be evil” actually motivated people at all levels of corporations to act with the best interests of their users in mind. These giant free email providers came to us not as conquerors, but as liberators. No longer were you beholden to your school's IT department deciding to block your Poptropica activation emails on a notion that they were “too distracting”. All you had to do was make a (google email), and you could do whatever you wanted on the internet. So everyone did. And when everyone ran to Google with open arms, the monkey's paw curled. We could not imagine why we shouldn't trust this liberator, this great and generous provider, and in time they showed us why.
See, the tools for maintaining private and secure email communication have existed since before I was even born. Some people of my parents' generation will remember them, but because they never appeared anywhere in the (google email) web app, I could not name you a single person of my generation I've run into in the wild that has any notion that such tools exist, nor even that there's a need for them to. For those not familiar with the inner workings of emails, emails are just files sitting on a server. And the owner of that server (Google, Microsoft, Yahoo, etc.) can just decide to read them, as easily as they might open a PDF document sitting on their desktop. The concept of an account/login only affects people trying to connect from the outside world. As a result of being asked to adopt such a… trusting… communication system, engineers came out with two systems for end-to-end encrypted email: PGP and S/MIME.
PGP, in particular, benefits from the great irony that it is widely used to this day. I work as a software engineer, and every single one of my coworkers signs their code with a PGP key multiple times per day. They then turn around to check their completely unsecured plain-text email sitting on Microsoft's Outlook servers, free for anyone (or anything, looking at you OpenAI) at Microsoft to read. This is the tragedy of the modern internet – we have been persuaded that it is not worth the effort to guard our personal communication, by the very same companies that would seek to harvest it for profit. I find this disgusting.
What can be done?
Realistically, probably nothing for the vast majority of people. Any social awareness raised about this is likely too little, too late. But for one's self, in defense of one's own data, it turns out there's a great deal that can be done. I have for a long time been of the opinion that building simple, user-friendly tools to accomplish at least the following goals would have been easy, and it's disgraceful that big tech has prevented it from happening:
1. Users understanding and creating PGP keys. People know what keys do. All they need to know about a PGP key is that it's a file you use to unlock your emails. Much like you wouldn't hand your apartment keys out on the street, you should not hand out your private key on the internet; this is just common sense.
2. When there is a private key securing a user's inbox, the corresponding public key should be easy to look up for email clients looking to send encrypted email to that inbox. Ideally this would happen entirely behind the scenes between email providers, and thanks to a protocol called WKD, it can.
3. When there is a private key securing a user's inbox, all incoming unencrypted email should be encrypted to that key before it is stored on the server.
To prove that these are trivial asks, and because I have a server lying around that I'm dramatically under-utilizing, I have built a free email service called GTMail, and turned my old website (which is already whitelisted on Scratch) into a frontend for it. I'm not anticipating this service getting big, but, if you're tired of big tech snooping in your emails like I am, or you want to learn the basics of internet privacy, you're welcome to make use of it. It accomplishes (1) with a series of easy-to-use PHP forms, which will speed you through key management; (2) by implementing the WKD protocol automatically; and (3) using an open-source milter (mail filter) script I've built to encrypt all incoming emails, which you can check out here: https://github.com/GeonoTRON2000/gt-pgp-milter/tree/master.
How to get started with GTMail
The first thing you'll need to do is register for a GT account here: https://accounts.thegt.org/register.php
The sign-up form should be fairly straightforward and look something like this. An existing email is not required to register, it's just a precaution in case you want to reset your password later. You can leave it blank, and even change your recovery email to your new GTMail address later if you like.
https://i.imgur.com/IVJZp9y.png
Once you're registered, find “emails” in the navbar, highlighted in red here:
https://i.imgur.com/tHrRwFU.png
You should be presented with a form that looks like this:
https://i.imgur.com/In319Tf.png
In the “New Account” form you can enter your desired email address and password in order to create a new GTMail account. This password is only for checking your email, and is unrelated to your GT account password. Once you click “Create Account”, you should see the new address in the “Existing Accounts” form, and verify that “Encrypt” and “Active” are checked. If either is missing, check the box and click “Save Changes”.
Congratulations, you now have a GTMail account! You can find information on how to check your email at the top of the page. But, in order to start encrypting your incoming emails automatically, we still have to secure your account with a key. (Translation: at this stage I can still read your emails. I don't want to be able to read your emails, so keep reading.)
The next thing you'll need to do is find “keys” in the navbar, highlighted in purple above.
You should see an interface that looks like this:
https://i.imgur.com/pFU4sE1.png
You can either import an existing PGP public key if you have one by pasting it into the “Add Key” form, or generate a new one by typing a passphrase to encrypt the new key with and clicking “Generate” in the “Generate New Key” form. All the key generation is done locally in your browser via JavaScript (proof: the javascript) and you will be prompted to download the encrypted private key file. Once you've downloaded the private key file, the “Add Key” form will auto-fill with the corresponding public key, and you can click “Add Key” to start securing your emails with this key (or you can do something else with it if you just want to use the key generation utility).
And that's it! Your emails are now automatically encrypted. You can make up to five emails per GT account, and each starts with 1GB of free storage. This seemed like a lot to me, but if you run into trouble with the amount of space feel free to ask for more and I'll be happy to grant it to you.
How to read encrypted email
Now that we've solved the problem of blocking other people from reading your email, let's cover how you can use your private key file to read it. Some webmail clients use a plugin called Enigma to decrypt your emails automatically using a password, which is very convenient, but basically defeats the purpose of this whole exercise (it makes you upload your private key to the server), so I've elected to avoid adding that to the GTMail web client. Instead, we want to look at solutions that keep your private key on your device. I recommend one of the following:
1. Use a browser extension. This is the easiest solution that still keeps your key safe. Mailvelope is a great option that works out of the box with GTMail, but almost anything in that category that looks solid ratings-wise should do the trick.
2. Use a desktop email client with PGP support. This is more effort, but comes with the possibility of even more security (keep reading to see why). I recommend Mozilla Thunderbird for this.
Bonus Points: Use a Hardware Security Key
If you're already getting comfortable with your encrypted inbox and using PGP keys, you may be ready for the next step. And that is, taking your private key off your hard drive entirely. What happens if one day you're downloading sketchy EXE files looking for retro game emulators (or whatever it is you do) and a hacker gets access to your files? Well, your private key is just a file, so now they can read your email as well (or use your key to try and impersonate you, which is a whole can of worms we won't get into here), and that's no fun. One level of protection is the passphrase we added in the “keys” tab, but an even better option is to use a device like a Yubikey to store it. A Yubikey is a hardware device that takes in your private key and refuses to ever spit it back out again, instead performing decryption operations on the physical device. Because of its one-way nature, it's impossible for a remote hacker to capture your private key if it lives on a Yubikey, since they would need access to the physical device. As a nice secondary benefit, these keys can be used as a two-factor authentication device on a lot of websites, so you can avoid getting all those irritating 6-digit codes on your phone. I won't get into setting up Yubikeys here as it's very tangential, but the Yubikey Website has a lot of very good guides to that end if you're interested.
Edit: I apologize, img tags don't seem to be working at the moment, so I've provided links to the screenshots instead.

Last edited by GeonoTRON2000 (Jan. 11, 2025 10:23:12)
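The post's point (2) is the WKD lookup that happens "behind the scenes" between providers. The following is an added illustration, not code from the post or from the GTMail/gt-pgp-milter project: it computes, purely from the address, the URLs a sending client fetches under the OpenPGP Web Key Directory draft (SHA-1 of the ASCII-lowercased local-part, z-base32 encoded, 32 characters) and the path a provider such as GTMail has to publish the binary key at. `Joe.Doe@Example.ORG` is the draft's own worked example; the function names are my own.

```python
import hashlib
from urllib.parse import quote

# z-base32 alphabet; WKD uses it to encode the hashed local-part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base32: 5 bits per character, zero-padding the tail."""
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) % 5:
        bits += "0" * (5 - len(bits) % 5)
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the local-part with only ASCII letters lowercased, z-base32 encoded."""
    mapped = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """URLs a client tries for an address: advanced method first, then direct."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()          # domain is case-insensitive
    h = wkd_hash(local)
    lp = quote(local, safe="")       # ?l= carries the original, un-mapped local-part
    adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{adv}/hu/{h}?l={lp}",
        "advanced_policy": f"{adv}/policy",   # must exist for the method to be used
        "direct": f"{direct}/hu/{h}?l={lp}",
        "direct_policy": f"{direct}/policy",
    }


def wkd_publish_path(address: str, advanced: bool = False) -> str:
    """Web-root-relative path at which a provider serves the user's binary public key."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    prefix = (f".well-known/openpgpkey/{domain}/hu" if advanced
              else ".well-known/openpgpkey/hu")
    return f"{prefix}/{wkd_hash(local)}"


if __name__ == "__main__":
    # Constructed sample address, taken from the WKD draft's example
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
    print("publish at:", wkd_publish_path("Joe.Doe@Example.ORG"))
```

A sender that gets a key from these URLs is trusting the recipient's provider (and TLS) to serve the right one, which is why a provider that encrypts on arrival can still see mail that was sent to a key it mis-published; the policy file and the owner's own key check remain the user's safeguards.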
cosmosaura (Scratch Team, 1000+ posts)
GTMail: Free Email, Encrypted Automatically
I'm afraid this isn't a good fit for the forum. Before making a topic, please check the “sticky” topics (indicated by a pin icon) for information about what goes in each forum. Thanks!