
The best open-source email service

Please note that this article is being drafted or rewritten and may contain imperfections. It has not yet been reviewed for final publication.

OpenPGP is the most widely used email encryption standard. Many new technologies are created through collaboration between programmers, developers, engineers, and other experts. This ensures that knowledge is shared and the entire community can benefit from it.

Liverado uses OpenPGP encryption


We see more and more examples of open source use in the information technology sector. Of course, that includes open-source email encryption.

What is open source software?

Before diving into why open source email encryption is important, we must understand what open source software is.

Open source refers to something that has a publicly accessible design and can be modified and shared by people. Open-source software is software whose source code can be inspected, modified, and improved by anyone, not just the person, team or company that created it. For example, LibreOffice, GIMP and Liverado are open source.

Open-source software has the following characteristics:

  • Secure. Anyone can see and fix potential security holes.

  • Available to everyone. No entity owns it.

  • Reliable. Open-source applications are built on languages like Java or Ruby and are proven reliable.

  • Flexible and customizable. You can modify open-source software according to your needs.

The opposite of open-source software is proprietary software. The source code of proprietary software can only be accessed and modified by the person, team or organization that created or owns the software. For example, Gmail is proprietary software.

What is open source email encryption?

With open source covered, let's talk about how it relates to email encryption.

People can never be 100% sure who might be monitoring their email conversations. To ensure that your email data is not stolen or damaged, email providers employ different types of encryption.

For example, Gmail uses TLS (Transport Layer Security), which encrypts communications in transit (between sender and recipient), provided both users have TLS.

Additionally, encrypted email providers, including Liverado, ProtonMail, Tutanota, and others, use Pretty Good Privacy (PGP) encryption.

Phil Zimmermann developed PGP in 1991 to encrypt and decrypt emails and text messages.

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communications. PGP is used to sign, encrypt, and decrypt text, email, files, directories, and entire disk partitions and to improve the security of email communications. The basic premise of PGP is to encrypt a message or file to be sent to someone with a random key. That key is in turn protected with the recipient's public key, so it can only be recovered using the recipient's private key.

PGP itself is not open source, so Zimmermann released the PGP source code, allowing anyone to create their own version of email encryption software based on PGP. Subsequently, the Internet Engineering Task Force (IETF) formed the OpenPGP Working Group, so the software is now available to all email providers.

PGP and OpenPGP are no different, except that one is proprietary and the other is open source.

How does OpenPGP work?

Symmetric and asymmetric key encryption

PGP is a hybrid cryptosystem which uses a combination of symmetric and public-key cryptography.

It uses symmetric-key encryption with a one-time session key to encrypt each message. The problem is that you can't securely share the session key via email: someone who intercepts an email carrying the session key would be able to access its content.

So PGP also uses asymmetric, or public-key, encryption, which relies on a pair of keys: one public and one private. The sender encrypts with the recipient's public key, which cannot be used to decrypt the result. Instead, the recipient must have the matching private key to decrypt it.
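The hybrid scheme described above, as an added example that is not Liverado's or OpenPGP.js code: it uses Node's built-in crypto module with AES-256-GCM for the session key and RSA-OAEP for the public-key step. The function names, the algorithm choices and the in-memory message layout are assumptions for illustration and do not follow the OpenPGP packet format.

```javascript
const nodeCrypto = require('node:crypto');

// Recipient's key pair, constructed for this example.
const recipient = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

function hybridEncrypt(plaintext, recipientPublicKey) {
  // One-time symmetric session key: fast, and unique per message.
  const sessionKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Only the 32-byte session key goes through the slow public-key operation.
  const wrappedKey = nodeCrypto.publicEncrypt(
    { key: recipientPublicKey, oaepHash: 'sha256' }, sessionKey);
  return { wrappedKey, iv, tag, body };
}

function hybridDecrypt(msg, privateKey) {
  // Unwrap the session key with the private key, then decrypt the body.
  const sessionKey = nodeCrypto.privateDecrypt(
    { key: privateKey, oaepHash: 'sha256' }, msg.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Returns the plaintext, or null when the key cannot unwrap the session key
// or the ciphertext fails its integrity check.
function tryDecrypt(msg, privateKey) {
  try {
    return hybridDecrypt(msg, privateKey);
  } catch {
    return null;
  }
}
```

Whoever intercepts the message sees `wrappedKey`, `iv`, `tag` and `body`, none of which yields the session key without the recipient's private key.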

Digital signature

Digital signatures are a way to verify that the sender is the real sender and not an impostor. They use public-key cryptography to verify legitimacy. As a result, there is almost no chance of anyone forging a digital signature unless the private key itself has been compromised.

Once you receive an email with a digital signature, PGP will automatically verify the integrity and authenticity of the signature using the sender's public key.

Verification steps:

  1. The received message is first hashed. The hash function essentially digests the email message in its current form.
  2. Next, the signed digest is recovered from the digital signature by decrypting it using the sender's public key.
  3. PGP then compares the digest computed from the received message with the digest obtained from the digital signature.
  4. If the two digests differ in any way, the message may be fake, or the sender may not be real.
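The four verification steps above, carried out by hand with Node's built-in crypto module (an added example, not Liverado's or OpenPGP.js code). It assumes an RSA key with PKCS#1 v1.5 padding and SHA-256, and it signs only the message bytes; real OpenPGP signatures also hash signature metadata and use their own packet format, and the function names here are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// ASN.1 DigestInfo header that PKCS#1 v1.5 places in front of a SHA-256 digest.
const SHA256_PREFIX = Buffer.from('3031300d060960864801650304020105000420', 'hex');

// Sender's key pair, constructed for this example.
const sender = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

function signMessage(message, privateKey) {
  return nodeCrypto.sign('sha256', Buffer.from(message, 'utf8'), privateKey);
}

function verifyBySteps(message, signature, publicKey) {
  // Step 1: hash the message exactly as it was received.
  const computed = nodeCrypto.createHash('sha256').update(message, 'utf8').digest();
  // Step 2: recover the signed digest by applying the sender's public key.
  let recovered;
  try {
    recovered = nodeCrypto.publicDecrypt(
      { key: publicKey, padding: nodeCrypto.constants.RSA_PKCS1_PADDING }, signature);
  } catch {
    return false; // padding check failed: not produced by the matching private key
  }
  // Steps 3 and 4: any difference between the two digests means rejection.
  const expected = Buffer.concat([SHA256_PREFIX, computed]);
  return recovered.length === expected.length &&
    nodeCrypto.timingSafeEqual(recovered, expected);
}
```

In practice a library call such as `nodeCrypto.verify` performs all of these steps at once; the manual version only makes the digest comparison visible.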

Conclusion

Open-source software is crucial not only to programmers and engineers; users benefit from it too.

Despite the many benefits of OpenPGP email, not many email providers use it. For less technical users, PGP can be pretty complex, so many providers avoid it. But that should not be an excuse for not providing users with the most secure and anonymous encrypted email.

That's why Liverado uses the audited and trusted OpenPGP.js library maintained by Proton Technologies. Our users can review Liverado's source code on GitHub. We are one of the few email providers to load website code directly from the open-source client repository at mirror.liverado.com.
