It'll never work

Nice advert. However just as all the other times it's been tried it'll never work.

Simply because it requires everyone to upgrade at once.. and that's never going to happen.

If you send a mail to someone that doesn't understand encryption with this system they can't read it. x509 signed email is *much* easier for people to setup as it's built into outlook - and in the expermiments I tried people just assumed the email was broken when they saw the decrypt icon... 'something new to press' means 'broken' to non-technical people.

PGP encryption requires them to download something extra.. and again that isn't going to happen.. if it doesn't ship with the OS it doesn't exist for well over 90% of users.

What is taking off somewhat is having individual email servers communicating over SSL. I can see a day when that starts to become mandatory, thus solving the privacy issues.. but even that's years away.

Advertorial?

One of the reasons for slow up-take of email encryption is the mess of competing standards. PGP/GPG has proliferated plenty, but most major vendors support S/MIME. That gets no mention here ...

Biggest problem..

Is that it is a two way street. Not only do you need the people you send emails to to encrypt them, you need them to be able to decrypt yours. As much as I'd love all my casual emails to be encrypted - the people I'm sending them too don't know anything about encrypting.

if you use linux

chances are you don't need a guide to use gpg. from what i remember, it's practically built in to most distros, because it's the kind of thing f4nb01s like. meh.

Hoorah

Finally an article on it :)

I have been giving out my public key for years now, and not one person has taken me up on it :)

It is in all my emails, it is on my website, I am kind looking forward to seeing what happens when someone does bother to encrypt to me or sends a public key so I can encrypt to them.

I think I have a couple of them, would be nice to get it signed one day as well, but hey I can wait.

Encryption does need to become the norm, it is a little hassle to setup but not too hard if you follow directions, and more importantly it is fun,

Enable STARTTLS In Public-Facing MTAs

You should find that a number of hosts, especially M$ Exchange, are by default attempting STARTTLS against hosts they find it advertised on. So, if you run an MTA and happen to have a certificate in use likely to be trusted by M$'s highly-paying customers (I.E. the certificate issuers they've let into their OS) then go ahead and enable STARTTLS and present it. (Enabling STARTTLS without such a certificate isn't advised because you risk losing mail from such mailers - they'll try STARTTLS, fail, then bounce; other hosts may or may not yield to failed verifications, and many may include the lesser known certificate issuers like cacert.org where M$ do not.) That should facilitate transparent cross-border encryption and verification without end-user help.

Cheers,

Sabahattin

Trusted who now?

I had a good laugh at Toby Richards' post about GPG not having trusted third-parties like Verisign! If you trust Verisign then you may as well give up now.

Any system which depends on the integrity of a third-party - especially one motivated by profit - is of no interest to me.

If you want secure and mass-level communication then you need something better than is currently available. As things stand you need to decide who you're communicating with and make special arrangements with them individually - preferrably involving face-to-face contact at some point.

If you want "securish" then there's lots of systems which will do it, including SSL and GPG.

Passwords

One of many nay sayers:

"Is that it is a two way street. Not only do you need the people you send emails to to encrypt them, you need them to be able to decrypt yours. As much as I'd love all my casual emails to be encrypted - the people I'm sending them too don't know anything about encrypting."

The point is that if you have anything you want kept secret, you wouldn't tell some people if they had access to the best coding machinery going. If you need to keep your business private you will only be sharing passwords and keys with people who are like minded.

A man would be a fool to do other than meet face to face to exchange such details as are required to decrypt any such messages. And as for trusting third party sites, would you trust the government?

Not many would but plenty would trust a third party?

Alternatively...

email in Welsh.

@TLS - absolutely

It was one of my projects at a major software company, getting TLS set up from our domain to all the outsourced services domains (payroll, P11d's, benefits, for all employees as well as commercial relationships). In the end it was quicker, cheaper and easier for ALL email from our domain to be enctypted en-route to the partners (and back), than individual smartcard certificates working reliably between individuals. This way we had to trust the internal networks as non-hostile, and just the internet leg of the journey as hostile, which is the most likely scenario, after all.

It wasn't nearls as straight-forward (sadly) as just ticking a couple of boxes, partly down to the way the company was structured, and having to get techies from both companies talking and agreeing, and working across multiple technical platforms - but absolutely worth it. I was stunned at how 'cutting edge' this was considering this really really ought to have been done once and for all 10 years ago...

The real solution

Setting up encryption for email is just too difficult today. This means most people will not do it which means you will not be able to send encrypted messages to them. How can this problem be solved?

Use TrulyMail instead of email. To encrypt your messages you just add encryption to your account and then every recipient can receive and read your encrypted messages.

It must be this easy for the public at large to start using encryption.

Passwords and encryption

I recently had to send some data out from work. Due to the nature of the data, the ZIP was encrypted with 256 bit AES, and was password protected. This e-mail was then promptly stopped by the IT department for contravening IT e-mail policy by containing a file that was either encrypted, or password protected.

I don't know why I bother.

No Title

So you start from the premise that it isn't really a hassle and then take seven pages to explain it, which invalidates that original argument.

The best advice is not to send anything even approaching the confidential by email. There are other much more secure ways of transferring confidential information these days.

Have to agree - it's too complex

I've just tried installing GPG on a new Linux box, I followed the instructions and what happens? The make file doesn't - well - make. The error is unintelligible to me, I have absolutely no idea how to fix the problem and so my machine goes without protection.

The suggestion above that Thunderbird needs to ship with this sort of security out of the box is an excellent one. Install it (preferably with a click interface) then follow the one-off wizard to set up protection.

Until then...

What a bunch of moaning minnies

the good man from sanfran takes time out to write an interesting article, and it is just complaint, after complaint.

I don't know, obviously not into secure comms now are we.

And Dennis with his omen of doom, well as they say round here; put up or shut up, let's see this mythical GPG 'malware' then.

Did any of you actually READ the article?

Whine whine, moan moan, I have to read more than a few paragraphs, it's too hard, oh boo hoo sob sob. My edjukayshun was poor and my brane hurtz0rz.

Seriously. I hadn't really gotten into PGP or encryption in emails, and this made me start thinking. So I read it (all seven pages! Gasp!). You know, they're quite short pages, with only a little text, and I'm sure mostly broken up because of the HUGE FUCKING OBVIOUS GRAPHICS. Knowing that, I'm sure that a few of you could go back and maybe struggle through those seven entire pages. It'll be hard on your little minds, but I'm sure you'll manage somehow.

Seriously folks, coming from a background of not having used this, I read (quite quickly) through ALL SEVEN PAGES DEAR GOD and got it working. Ten minutes later and I've got the option to send and receive PGP encrypted email. I know it's not everyone's cup of tea, and there are other options available, but seriously, all this fuss, particularly over the structure of the article? Pathetic.

Missing the point.

I use GPG on Thunderbird (via EnigMail) for one simple reason: I need to be able to *sign* some emails.

Couldn't be bothered encrypting them, though; what I have to say isn't that "hush-hush", but it has to be able to be authenticated.

No title require - just a few thoughts ;-)

I am in two minds regarding email encryption. I sometimes think of email in the same way that I do of the telephone. When I make a call, I know that my call is not encrypted and that anyone with the proper authority or equipment can listen in. But I still use the phone every day. Why? Because I know that just about any conversation that I have on the phone will be of little interest to anyone.

Same with my emails - routine, day to day emails that I send contain precious little that would be of interest to anyone, other than the recipients.

But, as we all know, times they are a changing. From what has been happening in the UK and elsewhere it is evident that your daily mundane, inconsequential emails are almost as likely to be read and stored as those emails being sent from the middle east to the UK, complete with references to explosives, weapons etc ;-)

So, what to do? AC's initial point about drawing attention to oneself is valid and doesnt require expanding upon. I like the idea of the dead letter drop. :) It has a certain romanticism about it, that we dont get in sending encrypted emails. Or perhaps and Ipaq-rock, like the one busted in Moscow ;)

Still...

I used to work on the crypto side of things years ago for the army. I find the subject fascinating. I read the very short 7 page description hhere and within 10 mins was up and running. Now, all I have to do is 1. find a reason for using encryption in my emails and 2. find a friend who uses encryption.

Email encryption - its a double edge sword for the ordinary user.

probs with GPG + Enigmail

Installed it a couple of years ago. Found its behaviour confusing and it would pop up baffling questions now and again which I couldn't understand. Will try it again, but it wasn't fun.

hmm

I set GPG up some time ago but I've yet to find anyone outside my technical acquaintances who either a) noticed or understood the public key, or b) cared.

This is going to take time. Quite a lot of time.

@Toby Richards

Why should I trust thawte or verisign? I can promulgate my public key my self.

That said, my Mom and Dad and two of my siblings would have a hard time dealing with GPG or the KDE and Gnome and Windows front-ends' 'accept key' dialogs.

Fundamentally the problem is education.

Dream on

Any article that promotes encrypted mail gets my vote in this snoop on thy neighbour, privacy challenged age. That said, I've had PGP installed for what seems like forever and very, very rarely does it get an outing, due to the incomprehension from my less tech savvy contacts. Sadly, it's just not going to happen until it's actually built in to email clients and enabled by default. And I really can't see government leaning on MS etc to encourage that.