This article is a follow up to Germany's E-Pestbeef. I suggest reading that in case you haven't already.
I found a flyer for Deutsche Post AG's E-Postbrief in my mailbox the other day. I've found some of those there before but always tossed them immediately (with the rest of the advertisement crap I don't need). This time I actually went through it however. The idea was to have a laugh. Instead I ended up raging.
It is just ridiculous what claims they make in there. What upsets me the most is how they try to deceive normal people who have no clue about the matter into registering and using their "secure" system. I will comment on some quotes taken from the flyer. The original quotes are in German and I will include them in brackets after the translated quote. Let's take a look:
"Conventional emails are too insecure - you never know who else might be reading. Michael's solution: the E-Postbrief." ("Einfache E-Mails sind zu unsicher - da weiß man nie, wer alles mitliest. Michaels Lösung: der E-Postbrief.") - Aktuelles zum E-Postbrief 12/2011 page 8
So conventional emails are not as secure as the E-Postbrief. I beg to differ. First of all it depends on how you define "conventional email".
Let's say "conventional email" means unencrypted emails then I'd say conventional emails and E-Postbrief are pretty much on the same level. Yes, E-Postbrief uses encryption. But what encryption? We don't know.
Who encrypted it? Not you.
Update: Actually this wasn't quite correct to prove my point. It's more like: Who decrypts it? Not you, they decrypt it for you on their system.
Meaning: a third party being not you nor the recipient knows how to decrypt the message. Insecure crap.
Let's say "conventional email" means an encrypted email with GPG/PGP. You created your key, the recipient created their key, there is no third party involved. The message has been encrypted with well known and proven security standards.
Which would you choose now? Of course they're not telling you that, though. This is exactly what makes me rage: they're telling people their system is secure and some who don't really know a lot about the matter will believe and trust them. However in reality their system is NOT secure at all. It's a freaking lie.
"Your documents are stored permanently and securely like in a giant safe at www.epost.de." ("Ihre Unterlagen sind bei www.epost.de wie in einem riesigen Safe dauerhaft und sicher abgelegt.") - Aktuelles zum E-Postbrief 12/2011 page 5
Yes, permanently alright. Since once you delete something it actually is not deleted. Securely, huh? Let's see...
"The high quality and security standard of the E-Postbrief platform is even approved and certified by TÜV." ("Der hohe Qualitäts- und Sicherheitsstandard der E-Postbrief-Plattform ist sogar vom TÜV bestätigt und zertifiziert.") - Aktuelles zum E-Postbrief 12/2011 page 5
This one actually makes me laugh and die a bit inside. Security certified by TÜV. Want to know software that has also been certified by TÜV?
Internet Explorer 8 and Internet Explorer 9 (OMFG, are those spaces in the URL?)
What a guarantee for security and quality! Trollolololol.
DON'T USE THIS SERVICE. I can't say it often enough. It is NOT secure, it is NOT private, it's all a big freaking lie.
Also have a look at this nice list of companies who apparently seem to be as incompetent as Deutsche Post AG (since they are all already using and supporting E-Postbrief).
At least they're maintaining a handy blacklist. Vote with your wallet.
Note: Due to copyright I'm not publishing the whole flyer on here. I have a copy however, in case you want to have a look at it, simply contact me.
First of all, what's "E-Postbrief" supposed to mean? The "E" stands for electronic, just like when talking about conventional emails. I was wondering how to translate "Postbrief" so I consulted a dictionary to help me out:
E = electronic
Post = mail
Brief = letter
So, that would make it "electronic mail letter". Awesome.
Now, what's the difference between a conventional email and this new E-Postbrief? You can send usual letters with it, either completely electronic (should your second party also use E-Postbrief) or have them printed and sent as a normal, written letter. Both options cost a minimum of 0,55€ though. Also the electronic delivery is limited to a size of max. 20MB. The idea is to have an email with legal ground, which is legally binding, so you can get doctor's bills, etc. via E-Postbrief and save them digitally instead of having to deal with printed letters.
My first thought: Hell no, I'm not going to pay 0,55€ for each mail. But really, that's still the least of my concerns with this service.
Because what I didn't mention so far: the service is supposed to be secure and encrypted!
And how does that work? Well, not with your own public and private keys like PGP or GPG, that's for sure. Instead, it's made simple for the average citizen. That is: Deutsche Post AG is doing all the work for you. They encrypt and decrypt everything for you. Anybody else noticing this weird smell?
In case you're at least wondering what encryption algorithms they're using, well, you won't know. Because they're not telling.
Security through obscurity. Except that this pretty much equals having no security at all.
Also they claim that it's "not possible" for Deutsche Post employees to read any E-Postbrief saved in your account. The second sentence corrects that down in a way though by saying it's secured against access by "unauthorized" people. Who is authorized?
In case you're still not convinced that this is some utter insecure crap, by accepting the terms of services you agree that Deutsche Post may forward your mails (unencrypted!) to law enforcement agencies in case public security is being endangered. (aka terrori- ohshit, I'm scared.) (9. 9(3))
Did I mention your emails are mirrored and not deleted once you delete them? Yes, that's right, they'll only be deleted after an unspecified period of time. You may not see them anymore in your inbox but they're still there. That's of course just because you might delete something by accident. (2. 2(5))
Because of all the criticism, Deutsche Post added a service so you can generate your own private key and a signature. Funny though: they claim this key is only accessible to you, but who guarantees that? The key is generated on their servers, you simply download it from them. The only way to have a real secure private key is by generating it on your own machine, not anywhere else.
I only raise one question: When they reserve the right to forward mails to law enforcement agencies in an unencrypted format, how is it not possible for any employee to read mails? They have the ability to decrypt them, they have the ability to forward them, but they don't have the ability to read them? Blind employees, the security concept of the future. Germany's always one step ahead.
So, to recap these awesome features of E-Postbrief: Costs money, insecure, totally unnecessary, insecure, did I mention insecure already?
Leave it, don't use it, is my suggestion. Stick to GPG/PGP and once again: Stay private.