Q1: How secure is it?
The padlock and key is created using a RSA 2048-bit private/public key style system, the current standard. This can be decrypted by someone using a powerful computer but it will take some time to do. The Epadlocks and keys are randomized, so it is very unlikely to get two padlocks and keys the same. The main threat to any encryption is the so called 'Man in the Middle' attack where someone monitors the transmission and changes the files so that one party uses a key created by the attacker, thus nullifying its effectiveness.
The usual way to solve this is the SSL 'secure' link between 2 PCs. You can't do that with email as the files have to pass through multiple machines - so Epadlock uses a variant private/public key system. The Epadlock is created by you as part of a SSL secured session with our server. So the only time the padlock is in the open is when you email to the other person, so it could be intercepted and changed by 'A man in the middle'.
The main security is in anonymity - your information has been turned into the type of code you might see in the header of the email, rather than plain text. So the person attempting to read your information has first to find out what is the actual code in the email containing your information and how to do it (there should be no reference to Epadlock in the return email), then they have to decrypt it.
Epadlock provides a simple level of security for your personal information, but if you feel that your email transmissions are being targeted then you need to consider very powerful secure encryption for the entire email transaction.
You can read more about encryption techniques on Wikipedia HERE
Q2: How can I trust you?
A good question for any encryption product. If it is a program and you can't read the code, how do you know it is not doing something else behind the scenes? For Epadlock you don't need to trust me.
Q3: Why don't I just use something like PGP?
You should if you are concerned about the security of your email information. There are free versions available for good email clients. Unfortunately, you can't make someone emailing you use it. The Epadlock makes it easy for you to get information sent to you kept away from prying eyes. You could use a pair of padlocks/keys to protect an email 'conversation' by getting the other party to download their own Epadlock. Download resources for OpenPGP HERE.
Q4: Will it work on a MAC or Linux?
Q5: Which browsers does it work on?
Q6: Help it doesn't work for me?
Sorry to hear that. Contact us
Q7: Can I re-use the padlock and key?
Yes. The padlock/key is just as secure each time it is used. Of course, like any security system, any repetition in theory makes decryption easier (that's one of the ways the WWII Enigma was broken) but in practical terms, unless you believe that you are being specifically monitored, re-using the key is not a major issue. If you want to use different padlocks for different people you can rename the padlock and key files. The important thing is to keep the 'keyfile' secure, because with this the code can be decrypted to plaintext - but this means keeping your PC secure.
Q8: Why is it free?
I created the e-padlock for my own personal use. I can't guarantee the security (because no-one can guarantee security), but I am offering it on the internet as a way to help other people keep their information safe. If you find it useful and want to donate towards the cost of development and server maintenance you can do so HERE
Q9: Why is it written in HTML - all the source is readable?
My objective was usable security.
In addition, you wouldn't be able to see what the code does - quite reasonably that might make you think twice about using it, just in case it did something else with your information (after all some unscrupulous people have written anti-virus programs that have installed viruses).
To quote Bruce Schneier, Crypto-Gram: "Client side encryption is a must have for developing host proof applications:
There must be no knowledge of the clear text data at the server side, all data is encrypted prior to being submitted to the server. Client side encryption is mandatory for protecting the privacy of the users. "Don't trust us, check our source code!"
"As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the
cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary
security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model;
it's smart engineering practice." 15th September 1999).
Q10: How much data can I send encrypted?
Currently the maximum is 180 characters. The system will only allow this amount at the moment to keep it quick. The main restriction is processing power. The longer the plaintext, so the longer the cyphertext and the longer required for encryption and decryption. It was designed for codes, passwords and short text.
Q11: What do the numbers in the filename mean?
In order for the server to manage the process of creating the unique padlock and key files it creates a unique name for each zip file. The number is composed of the IP address of the computer requesting the file and the time and date of creation. This avoids possible duplicates. You can change the name of the padlock and key files to anything you want, just keep the HTML extension so it will be opened in a browser.
Q12: How can I make Epadlock more secure?
The best way is to get the padlock to the sender via an alternative to email, that way the Epadlock combination details will never be exposed to the internet. But, normally that is impractical as if you could do this you could send the data that way too!
The Epadlock uses a RSA standard of 2048-bit keys that they claim are sufficient until 2030. More here.
However the main strength of the system is not the key size, but anonymity. In order to break the code you need to know that it was created with Epadlock and the cyphertext supplied has not been changed in any way. You can improve security by adding pre-agreed, additional characters to the cyphertext when it is sent, which you can remove before de-cyphering. Alternatively, you can encrypt the cyphertext twice using 2 Epadlocks. In any event you will of course need to make sure your recipient understands the process.
If you want to find out more about how it works...