A fake inbox/passphrase (for plausible deniability purposes)
In Truecrypt, you have an option that enables you to set up a "fake passphrase", in order to access another Truecrypt volume than the really secure/secret one. If someone ever forces you to reveal your passphrase, you just have to reveal the "fake passphrase" and your private data remains secure. There is no way to detect if the fake volume is, in fact, a fake volume; you can always argue that it is the real one: this is plausible deniability.
A similar option in Tutanota would be great: it would work by offering to the user the possibility to set up an alternate inbox for the one he is using. If forced to reveal his passphrase, the user would just have to reveal the one to the alternate inbox.
This option, in my opinion, would perfectly address the only weakness that exists in the way Tutanota works. Yes, everything is encrypted from end to end, but if one gains access to the real passphrase corresponding to an inbox, he gains access to everything. A fake passphrase and a fake inbox would greatly limit this flaw.
Interesting feature, but two passwords would mean two keys. I like SwissTengu's and Mustafa's ideas for an optional hidden vault inside the account like Truecrypt's suggestion of a volume inside a volume, another method for plausible deniability. Make sure the vault is not counted for the "Used space" percentage until its password is entered.
> Wouldn't the attacker immediately be able to tell that the inbox is fake simply by sending an email to it? Am I missing something?
Exactly. I haven't heard this system played out for email yet.
> I've always wondered about systems that advertise plausible deniability. What's to stop your adversary from continuing to beat you with a $5 wrench while screaming, "Now enter the REAL password!"
Plausible deniability is for the legal world. There is no solution for someone torturing you.
Rather than conceptualizing it as a 'normal' and 'emergency' password, why not look at it as a 'vault access' and 'normal' password? That way you can go about your normal emailing but have a separate login for all the other things...without the question of deniability/duress.
I've always wondered about systems that advertise plausible deniability. What's to stop your adversary from continuing to beat you with a $5 wrench while screaming, "Now enter the REAL password!"
Anonymous Anonymous commented
Conceptually, I find this to be a good idea, but right now I would like to just have an alias user name for the alias email address. As far as I know you only have one User Name for both email addresses.
@Mustafa yep, that's even better, and would be addressed by another feature request: filters.
That would probably be the smartest solution, and, I think, the most user-friendly.
Mustafa Mohsen commented
Good solution @SwissTengu
Though I believe that, balancing both cases, exposing the real inbox will put the user under the risk that "sensitive" emails are sent while his/her inbox is exposed. I guess it's less likely that @t's scenario happens.
A mix-and-match might be to selectively add some addresses/keywords to create some (hidden) filter that by default moves the email to the vault folder, and make the filters inaccessible too except using the "safe" password.
Good point @t indeed. Better solution might be:
- create some "vault" folder
- if standard password is entered, display it
- if "emergency" password, hide it and its content
Would mean "user responsibility to move sensitive mails to the vault". But this would prevent the point raised by @t in an elegant way.
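To make the "vault folder" proposal concrete, here is an added example (not code from the thread or from Tutanota) of the two-passphrase, two-key logic discussed above: each passphrase is stretched with its own salt into an unrelated key, the standard key reveals the vault and counts it towards used space, the emergency key hides it, and a hidden sender filter (the mix-and-match idea) moves incoming mail straight into the vault at delivery time. The scrypt parameters, the verifier label, the folder names and all messages are constructed for the demo; a real implementation would additionally encrypt the vault contents under a key only the standard passphrase can unwrap, which is not shown here.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Demo cost parameters (constructed): production tunes scrypt to the hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 32-byte key; a different salt gives an unrelated key."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def verifier(key: bytes) -> bytes:
    """Tag stored server-side so a login can be checked without keeping the key."""
    return hmac.new(key, b"demo-vault-verifier", hashlib.sha256).digest()


class Mailbox:
    """Two passphrases, two keys: standard reveals the vault, emergency hides it."""

    def __init__(self, standard_password: str, emergency_password: str,
                 vault_senders: set[str]):
        self._salt_std = secrets.token_bytes(16)
        self._salt_emg = secrets.token_bytes(16)
        self._ver_std = verifier(derive_key(standard_password, self._salt_std))
        self._ver_emg = verifier(derive_key(emergency_password, self._salt_emg))
        # Hidden filter: mail from these senders never lands in the visible Inbox.
        self.vault_senders = vault_senders
        self.folders: dict[str, list[dict]] = {"Inbox": [], "Vault": []}

    def deliver(self, sender: str, subject: str, size: int) -> str:
        """Route a new message; returns the folder it was filed in."""
        folder = "Vault" if sender in self.vault_senders else "Inbox"
        self.folders[folder].append({"from": sender, "subject": subject, "size": size})
        return folder

    def login(self, password: str) -> str | None:
        """Return 'standard', 'emergency' or None, using constant-time comparisons."""
        if hmac.compare_digest(verifier(derive_key(password, self._salt_std)), self._ver_std):
            return "standard"
        if hmac.compare_digest(verifier(derive_key(password, self._salt_emg)), self._ver_emg):
            return "emergency"
        return None

    def view(self, password: str) -> dict:
        """Folder listing and used-space figure as seen under the given passphrase."""
        mode = self.login(password)
        if mode is None:
            raise PermissionError("bad passphrase")
        visible = {name: list(msgs) for name, msgs in self.folders.items()
                   if mode == "standard" or name != "Vault"}
        # Vault bytes are only counted once its passphrase has been entered.
        used = sum(m["size"] for msgs in visible.values() for m in msgs)
        return {"mode": mode, "folders": visible, "used_bytes": used}


def demo() -> dict:
    """Constructed scenario: one ordinary mail, one from a sender on the vault filter."""
    box = Mailbox("correct horse battery staple", "emergency-1234", {"alice@example.org"})
    box.deliver("boss@example.org", "Q3 report", 2000)
    box.deliver("alice@example.org", "the sensitive thing", 5000)
    return {
        "full": box.view("correct horse battery staple"),
        "emergency": box.view("emergency-1234"),
        "wrong": box.login("not-a-passphrase"),
    }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

Under the emergency passphrase the listing has no "Vault" entry at all and the used-space figure excludes it, so nothing in the visible account betrays the folder's existence; the remaining gap, as raised by @t, is mail that arrives from a sender not on the filter while the account is exposed.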
Good point @t
Wouldn't the attacker immediately be able to tell that the inbox is fake simply by sending an email to it? Am I missing something?
I believe that this is one of the most important features to add. I don't know a lot about technicalities, but maybe having two distinct mail boxes, each accessed through the same email with a different password, without a noticeable way to distinguish them.
One important aspect is to "hide" this feature somehow. If a person is "forced" to show his mail box but it is discovered that it could be a fake one, then it won't be "plausible" anymore. Maybe one way to do it is to enable this feature using a keyboard shortcut (not a link/setting). There must be some other ways too.
Nick Chapman commented
I think this is an interesting idea. I'm not sure if the whitelist feature could be implemented without compromising security - I can see some real problems with that. But... Well, I think it's interesting and worth considering.
Zachary Hill commented
It could possibly only show emails from a whitelist/blacklist of senders/recipients for the best plausible deniability. (IE, show emails to/from your family, but not to/from your boss)
Of course, it would be needed to determine how this alternate passphrase would work:
Does it grant access to a fully functional inbox? It seems difficult, since it seems impossible to make it so that two different inboxes correspond to the same address [firstname.lastname@example.org].
However, it can work by enabling the possibility to transfer emails to the fake inbox from the real one.
Just some thoughts! ;-)