Achievement Unlocked: E2EE Messaging

Some might call it pride or hubris, but today is a Very Important Day in Mensago’s journey. Today, for the first time, I sent an actual, real message outside of a software test, and it worked.


A screenshot of two Mensago windows, side by side. The left one shows an administrator's inbox with the message selected. The right window shows the test user's inbox with the message "Contact Approved for Administrator" selected.

The rest of the application is not without issues — and it doesn’t take much effort to find some in the above screenshot — but this is a huge milestone. Why? Because if someone tried to intercept the message as it was going between servers or a malicious administrator tried to read it, this is what they would see:


The contents of Mensago's first real message in a text editor. It looks like JSON code with a bunch of garbage in and around it.

Although a web developer might recognize the structure of part of this file, most of it looks like garbage, and that’s the point. Unless you’re the sender or the recipient, the contents of this file are completely worthless. Although this particular message just contains a quote that I have hanging on my wall in my office at work, it could easily have banking information, social security numbers, passwords, or any other manner of sensitive information, and there would be no risk of it falling into the wrong hands in transit. None.

And the best part is that at no time did either party have to know about encryption, PGP, or signatures. So what did happen?

  • Test User sent a Contact Request.
  • Administrator accepted it.
  • Test User made and sent a message.
  • Administrator received it.

That’s it.

By comparison, here is a picture of the contents of the sample email I sent myself.


I know it’s tiny, but if you view the picture in its own tab, it’s easier to read. As seen in the window on the right, the email contains two separate copies of the message, one with just the text and one written for display in a web browser. The window on the left shows all sorts of delivery-related information, and there’s some overlap between the two windows so you can see how the entire message is put together.

This is what goes over the Internet. This is how Google’s computers read your Gmail messages to show you ads. As I’ve said to many, sending an email is like mailing a postcard: literally anyone who can physically get their hands on your postcard can read it, anyone can send you a postcard and pretend to be someone else if they want, and the postal service will deliver every postcard someone sends to you, even if you don’t want them to.

What Now?

This is a working proof of concept.

I’m looking for help in the form of someone wanting to help code or someone with money to sponsor me so I can do this full time and actually turn it into a releasable Free Software product.

Show this to people. Talk to people. If you’re sick and tired of spam and at least one company making the news because they got hacked, we can solve this together.