This week I received an email from my bank. They advertised that they are cooperating with the "Post" (the Austrian mail provider) and recommended using "E-Brief" for notifications from them. My first thought was: "it's E-Mail", because E-Brief translated from German means "E-Mail". So I took a look at the FAQs from the Post, and they wrote things like (translated from German):
Your E-“Letter Box” from everywhere
E-Brief is not E-Mail. Documents, policies and bills are transmitted digitally and delivered to your "E-Briefkasten" (letterbox). It is not just convenient and fast but also secure. E-mails are transmitted insecurely, but an E-Brief is delivered to a secure and certified portal (E-Briefkasten).
I have my own mail server that supports DANE. So e-mails aren't always transported insecurely. We have standardized protocols and techniques for that, which is why I wonder what the Post does differently. Maybe they do end-to-end encryption. But why didn't they mention that in the FAQs? If they do end-to-end encryption, are the private keys secured with a password that only the recipient of the message knows? I had a lot of questions, so I wrote the Post an e-mail and just asked:
I would like to know more technical details about E-Brief. Which methods are used for transport encryption? Which methods are used for content encryption? How do you store the data? Do you do backups? Is the backup encrypted? How do you ensure that only the recipient can access the mailbox? Is your web application secure, and what do you do to ensure that it is?
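To make the DANE claim above concrete: a DANE-aware sending mail server looks up a DNSSEC-signed TLSA record for the receiving MX host and only delivers if the certificate presented in the STARTTLS handshake matches it, which is what turns opportunistic TLS into authenticated transport encryption. The following is an added example, not code from the original post or from any mail server; it implements the TLSA matching rules of RFC 6698 (usage, selector, matching type) and the SMTP restriction from RFC 7672 that only DANE-EE (usage 3) is handled here. The DNS lookup and DNSSEC validation are assumed to have already happened, and the certificate and SubjectPublicKeyInfo bytes are constructed placeholders standing in for real DER.

```python
import hashlib

# Constructed stand-ins for the DER-encoded MX certificate and its
# SubjectPublicKeyInfo (SPKI). In practice these come from the TLS handshake
# with the MX host; any byte strings will exercise the matching logic.
MX_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-for-mx.example.net"
MX_SPKI_DER = b"\x30\x59constructed-subject-public-key-info"
ROTATED_SPKI_DER = b"\x30\x59constructed-key-after-unannounced-rotation"


def make_tlsa_rdata(subject: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Build the TLSA rdata an operator publishes at _25._tcp.<mx-host>.

    `subject` is the full certificate DER for selector 0 or the SPKI DER for
    selector 1. Defaults give the common "3 1 1" form: DANE-EE usage, SPKI
    selector, SHA-256 matching type (RFC 6698 section 2.1).
    """
    if mtype == 0:
        hexdata = subject.hex()            # whole subject stored in DNS
    elif mtype == 1:
        hexdata = hashlib.sha256(subject).hexdigest()
    elif mtype == 2:
        hexdata = hashlib.sha512(subject).hexdigest()
    else:
        raise ValueError(f"unsupported matching type {mtype}")
    return f"{usage} {selector} {mtype} {hexdata}"


def parse_tlsa_rdata(rdata: str):
    """Split presentation-format rdata 'usage selector mtype hexdata'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Return True if the presented end-entity certificate satisfies one TLSA record.

    Usages 0 and 1 (PKIX-TA/PKIX-EE) are rejected because RFC 7672 section
    3.1.3 says SMTP clients must not use them. Usage 2 (DANE-TA) would require
    matching a CA certificate in the chain and is omitted here, so it is
    treated like an unusable record. Unknown selectors or matching types are
    likewise unusable, i.e. no match.
    """
    usage, selector, mtype, assoc = parse_tlsa_rdata(rdata)
    if usage != 3:
        return False
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = spki_der
    else:
        return False
    if mtype == 0:
        digest = subject
    elif mtype == 1:
        digest = hashlib.sha256(subject).digest()
    elif mtype == 2:
        digest = hashlib.sha512(subject).digest()
    else:
        return False
    # Plain comparison is fine: both the record and the certificate are public.
    return digest == assoc


def dane_verify(tlsa_rrset: list, cert_der: bytes, spki_der: bytes) -> bool:
    """Delivery is allowed if any usable record in the validated RRset matches."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrset)


if __name__ == "__main__":
    published = [make_tlsa_rdata(MX_SPKI_DER)]          # what the MX operator puts in DNS
    print(published[0])
    print(dane_verify(published, MX_CERT_DER, MX_SPKI_DER))       # key in DNS: deliver
    print(dane_verify(published, MX_CERT_DER, ROTATED_SPKI_DER))  # key rotated, DNS stale: refuse
```

The second run shows the operational caveat of DANE: if the MX key is rotated without publishing the new TLSA record first, compliant senders will refuse delivery rather than fall back to unauthenticated TLS.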
I waited, very naively, for an honest reply, and after a few days I at least got a reply (translated from German):
Of course we do end-to-end encryption. For security reasons we are not allowed to give you more details about E-Brief.
It is very interesting that they didn't mention end-to-end encryption in the FAQs. When it comes to encryption, I prefer open standards and open source. I want to know what's behind it in order to decide whether to trust it or not. In the digital world "things" happen so easily, "things" like manipulating data or reading it without authorization. Today data can be accessed from everywhere, and if we are dealing with very important data, we have to be aware of the dangers.