More on Email Encryption

I’ve been doing a lot more experimenting after my last post, and looking back I realize now that I came into this with a very strong PGP bias.

Don’t get me wrong – I still think PGP is neat. It’s the most flexible in pure terms, and because there are open source versions of it there is a solution for almost every need. The problem is that in day to day use, they almost all get pretty tiresome pretty quickly.

I also realized that while Thawte’s process for getting a key is a bit lumpy, it’s really not as bad as I thought. First, you can have multiple ID’s in one key. Second, you can export the keys from one application to another. True, you do have to enter the password three times but the reason is that two of those times are because it’s offering to let you choose a new password.

Thunderbird with Enigmail is the most graceful solution for free. It is really slick, with the PGP part working as smoothly as the Digital ID – s/mime part. If I had to use both, it would be my first choice.

The thing about s/mime (what I was improperly calling Digital ID) is that it’s really quite transparent in daily use, but not so invisible that you don’t know if it’s working or not. A small lock or ribbon icon on an email confirms that it’s secure, while in Outlook it even prevents you from viewing the email in the preview pane.

Transferring keys is different as well – the software can be set to send your key (they call it a certificate) when you send a signed email. This allows the recipient to pull your key in and use it to send you encrypted email in the future.

Key management isn’t as bad as I thought. While they may expire (I’m not sure they all do) the system keeps track of them more or less automatically – at least in my brief experience it seems to. They are reasonably easy to back up as well, and don’t seem to be computer-dependant as I had originally thought.

So, while I had thought PGP was the easier method, I now believe s/mime is easier – at least it has been in actual use.

4 thoughts on “More on Email Encryption

  1. Great collection of writings on Secure Email. I’ve recently been taken to task by many people claiming that I falsely represented the complexity of using secure email. The fact of the matter is that it IS cumbersome and complicated for the “average business user” to use Secure Email protocols.

    I’m not an email or encryption expert, but I can speak from experience that I am an advanced technology user (power user by any comparison) and I’ve never run into anyone else using digital signatures in email, etc (even in the Enterprise companies I’ve worked at in the past).

    Let me be clear….so that I don’t get flamed on this blog as well……I’m not stating that Secure Email is ‘stupid’ or that it doesn’t exist…I’m simply stating a very real fact that very few people use it (outside of government agencies, enterprise companies and Closed Notes/Domino Environments).

    The very fact that it took you several posts to describe the ins and outs of your secure email experience is testimony enough that its NOT for the “average business person” yet.

    Its sad and unfortunate, but true.

    Like

  2. Isaac,

    You are right. It is cumbersome. PGP using free tools is pretty involved using anything but Thunderbird and Enigmail in my experience, and even s/mime using Outlook changes the user experience.

    The real problem is that someone else reading your mail is an invisible threat. It’s harmless in terms of direct consequences for most people – unless perhaps you’re sending child porn or something – so they don’t think it’s “necessary”.

    I believe that it can be made to be simple, but it’s going to take buy in.

    In any case, the evidence of non-use is clear – the two companies I’ve contacted about setting up PKI, Thawte.com and Verisign.com don’t seem very responsive.

    SSL certs seem to get much more attention.

    However, one company I work with has requested that all comms with them be encrypted. I’ve requested it of others. We’ll see how it goes.

    Like

  3. I’ve been using MessageLock, which uses zip file encryption to protect email. Its the easiest thing I’ve found to send those “one off” secure emails, or to regularly secure a few addresses. Cheap and easy, something PGP is not.

    Like

  4. Good pair of articles. I use encryption for many mails, but only to a few other people keen enough to go through the hassle you describe. For me the biggest issue is Outlook. I was using Thunderbird for ages, and its Enigmail plugin as, as you say, very easy to use (although generating the key pair in the first place isn’t something I’d ask my grandmother to try). But Outlook’s PGP support is, surprisingly, sparse. Previously I’d used gpg4win, but at time of writing it has been impossible to get a clean download of the any of the available versions. I ended up using a commercial tool (PGP Desktop) for the first time (although I did manage to get it to accept my existing keys which I’d generated using Puttygen.)

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s