Making (Secure) FETCH Happen End-to-End Metadata Security for IMAP

Abstract

Although communication metadata is known to be intrusive, most end-to-end encryption solutions focus only on hiding the contents of messages. Yet who a user is talking to and when is often as sensitive as the contents of the message. While end-to-end metadata security solutions exist for message transport, existing solutions lack the multi-device synchronization that IMAP provides. Without providing full feature parity with legacy email technologies, a metadata-secure protocol cannot hope to achieve ubiquity. To that end, we present IMAPSec, a client-side extension of the IMAP protocol held to rigorous standards of feature parity without sacrificing on security. With IMAPSec, existing IMAP clients can be invisibly upgraded to provide metadata security for email storage and synchronization, enabling the rollout of end-to-end metadata secure messaging.