Still sending naked email? Get your protection here

In this age of brazen, warrantless wiretaps and never-ending data breaches, you'd think email encryption would be considered de rigueur. Alas, even among the digerati it's rarely given the time of day because encryption is seen as an exotic undertaking that brings more hassle than benefit. To be sure, incorporating a robust …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Stop

    Good article but ....

    While I am a big fan of email encryption to retain one's privacy, in the current climate here in the UK it is surely the quickest way to draw attention to yourself and potentially get slapped with the RIP Act 2000 (landing you in prison unless you hand over the keys).

  2. Tony Hoyle

    It'll never work

    Nice advert. However just as all the other times it's been tried it'll never work.

    Simply because it requires everyone to upgrade at once.. and that's never going to happen.

    If you send a mail to someone that doesn't understand encryption with this system they can't read it. x509 signed email is *much* easier for people to set up as it's built into Outlook - and in the experiments I tried people just assumed the email was broken when they saw the decrypt icon... 'something new to press' means 'broken' to non-technical people.

    PGP encryption requires them to download something extra.. and again that isn't going to happen.. if it doesn't ship with the OS it doesn't exist for well over 90% of users.

    What is taking off somewhat is having individual email servers communicating over SSL. I can see a day when that starts to become mandatory, thus solving the privacy issues.. but even that's years away.

  3. Toby Richards
    Alert

    SSL

    It's too bad you did this article using GPG. The SSL solution is superior. GPG doesn't use a trusted third party (such as Thawte or VeriSign) to verify your identity. SSL is ultimately easier and more professional; you don't have to attach any funky-looking public keys to every message. With SSL, you get a certificate that most (if not all) contemporary e-mail clients know how to handle.

  4. Andrew

    Advertorial?

    One of the reasons for slow up-take of email encryption is the mess of competing standards. PGP/GPG has proliferated plenty, but most major vendors support S/MIME. That gets no mention here ...

  5. Anonymous Coward
    Thumb Down

    Tooooo complicated

    If it takes pages to explain how to use, no one is gunna use it. All the PGP stuff is just too complicated for most; even if you do pay loads of money for it.

    Anyhow, how come PGP gets the free plug for their software? I'm sure that there are other folks out there with different competitive products.... Dan, you didn't get a little something on the side for this one did you?.... ;-)

  6. Chris

    Biggest problem..

    Is that it is a two way street. Not only do you need the people you send emails to to encrypt them, you need them to be able to decrypt yours. As much as I'd love all my casual emails to be encrypted - the people I'm sending them to don't know anything about encrypting.

  7. Anonymous Coward
    Anonymous Coward

    if you use linux

    chances are you don't need a guide to use gpg. from what i remember, it's practically built in to most distros, because it's the kind of thing f4nb01s like. meh.

  8. J
    Thumb Up

    Bad analogy?

    Nice article, simple article. Although I guess mentioning "checking MD5 sums" so cursorily in an article meant for newbies was a little problem.

    "Jon Callas, CTO of encryption software provider PGP, likens encrypting email to wearing a seatbelt, which a few decades ago was so unpopular that many people only did when they were required by law to do so."

    Yeah, except encryption is "harder". Wearing the seatbelt? One can just do it regardless of what other people do. Encryption, you got to make other people play along, you don't "just do it". It would be, stretching the seatbelt analogy, like having two cars going on a trip, and neither car being able to move until the drivers of both cars have their seatbelt on.

  9. Anonymous Coward
    Anonymous Coward

    Hoorah

    Finally an article on it :)

    I have been giving out my public key for years now, and not one person has taken me up on it :)

    It is in all my emails, it is on my website, I am kind looking forward to seeing what happens when someone does bother to encrypt to me or sends a public key so I can encrypt to them.

    I think I have a couple of them, would be nice to get it signed one day as well, but hey I can wait.

    Encryption does need to become the norm, it is a little hassle to setup but not too hard if you follow directions, and more importantly it is fun,

  10. Richard
    Alert

    Why install anything?

    You can get a Freemail certificate from Thawte which works out of the box with almost any e-mail client. Even people stuck using IT managed computers can usually send encrypted e-mail with no more effort than receiving a signed e-mail from you.

    http://www.thawte.com/secure-email/personal-email-certificates/

  11. This post has been deleted by its author

  12. jon
    Thumb Up

    TLS

    The first key step is SSL or preferably TLS (SSL3.1+) for your data connections ([e]ssmtp, spop3, imap4 over TLS).

    Implementation often only requires 'ticking the box' in account settings and it will protect you from casual traffic snooping.

  13. Dennis
    Coat

    no trusted third party and GPG malware presentation

    GPG == no trusted third party for keys == security theater.

    Fail.

    Leave GPG for hobbyists, and students of information assurance.

    @Frank Gerlach:

    http://www.internetnews.com/dev-news/article.php/64191

    Good article. Want to use GPG? Good! There has been malware waiting for your keys for at least 9 years!

    My coat is the one with the Alfred E. Newman GPG key pair in the pocket.

  14. Sabahattin Gucukoglu

    Enable STARTTLS In Public-Facing MTAs

    You should find that a number of hosts, especially M$ Exchange, are by default attempting STARTTLS against hosts they find it advertised on. So, if you run an MTA and happen to have a certificate in use likely to be trusted by M$'s highly-paying customers (i.e. the certificate issuers they've let into their OS) then go ahead and enable STARTTLS and present it. (Enabling STARTTLS without such a certificate isn't advised because you risk losing mail from such mailers - they'll try STARTTLS, fail, then bounce; other hosts may or may not yield to failed verifications, and many may include the lesser known certificate issuers like cacert.org where M$ do not.) That should facilitate transparent cross-border encryption and verification without end-user help.

    Cheers,

    Sabahattin
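    The two transport-level points raised in this thread (comment 12's "tick the box" TLS for mail connections, and comment 14's warning that advertising STARTTLS with a certificate the sender cannot verify can turn into bounced mail) can be shown in code. The following is an added example, not code from the article or from any commenter; it parses a constructed SMTP EHLO reply for the STARTTLS capability, builds the two kinds of client TLS context (verifying versus opportunistic) with Python's standard `ssl` module, and applies the delivery policy comment 14 describes. The EHLO text, host names and policy names are all constructed for the example.

```python
"""Added example: EHLO capability parsing and STARTTLS delivery policy.

Not part of the article or the comment thread. The EHLO replies below are
constructed samples, not captures from any real server.
"""
import ssl

# Constructed EHLO replies (RFC 5321 format: "250-" continues, "250 " ends).
EHLO_WITH_STARTTLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line EHLO reply.

    The first line is the server greeting, not a capability, so it is
    skipped. Any line that is not a 250 reply is rejected outright.
    """
    caps = {}
    lines = [line for line in reply.split("\r\n") if line]
    for index, line in enumerate(lines):
        if not line.startswith("250") or (len(line) > 3 and line[3] not in "- "):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        body = line[4:]
        if index == 0 or not body:
            continue  # greeting line (or an empty continuation)
        keyword, *params = body.split()
        caps[keyword.upper()] = params
    return caps


def advertises_starttls(reply):
    """True when the peer offers STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def client_tls_context(verify_peer):
    """Build the client-side TLS context for a STARTTLS session.

    verify_peer=True  -> certificate must chain to a trusted CA and match
                         the host name (the strict behaviour comment 14
                         attributes to some Exchange deployments).
    verify_peer=False -> opportunistic TLS: encrypts the hop, but does not
                         authenticate the peer.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if not verify_peer:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def delivery_decision(reply, cert_trusted, policy):
    """Decide how a sending MTA handles one delivery attempt.

    policy is one of:
      "plain"         - never negotiate TLS
      "opportunistic" - use TLS if offered, fall back to plaintext
      "verify"        - use TLS if offered, but bounce if the certificate
                        does not verify (the failure mode comment 14 warns
                        about)
    cert_trusted is the outcome of chain + hostname verification, supplied
    by the caller here because no network is involved in this example.
    """
    if policy == "plain":
        return "plaintext"
    if not advertises_starttls(reply):
        # Strict senders still deliver in the clear when STARTTLS is absent;
        # advertising it with a bad certificate is what causes the bounce.
        return "plaintext"
    if cert_trusted:
        return "tls-verified"
    if policy == "verify":
        return "bounce"
    if policy == "opportunistic":
        return "tls-unverified"
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    for reply_name, reply in (("with", EHLO_WITH_STARTTLS),
                              ("without", EHLO_WITHOUT_STARTTLS)):
        for trusted in (True, False):
            for policy in ("plain", "opportunistic", "verify"):
                print(reply_name, trusted, policy,
                      delivery_decision(reply, trusted, policy))
```

    The matrix the script prints makes the commenter's caveat concrete: a receiving MTA that does not advertise STARTTLS still gets mail from a strict sender (in the clear), while one that advertises it behind an untrusted certificate loses that mail entirely. The `verify_peer` flag maps onto the "tick the box" setting from comment 12 for client connections (POP3/IMAP/submission over TLS), where a verifying context is the one to want.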

  15. Lawrence Dudley
    Thumb Down

    Erm...

    7 bloody pages?! Do you really think I can be bothered?!

    Email getting "lost" is one of those things talked up by security companies to sell products, not something that happens all the time.

  16. zig158
    Coat

    Data Nazi

    Email clients that self sign messages by default would at least be a start.

    Companies are going to have to start doing this internally before the masses start doing it.

    Mine is the one with the 10251 bit key

  17. Robin Szemeti
    Paris Hilton

    Oh dear lord ...

    So ... after studying the basic principles of security, and considering RIPA and the rest you decided:

    "The best idea is to save the key to a USB thumb drive and then stash it in a secure lockbox (along with your passphrase written out)."

    Umm .. color me stupid ... but of all the possible things in the world you might want to store with a copy of your private key is your passphrase?

    I was wondering if it was the worst possible thing to do, but, after a few moments thought, I decided storing the passphrase in a plaintext file somewhere on disk would be dumber .. but 9/10 for finding the 2nd worst idea right off the bat :)

    Paris, because only she would be dumb enough to write down her passphrase.

  18. Anonymous Coward
    Anonymous Coward

    Trusted who now?

    I had a good laugh at Toby Richards' post about GPG not having trusted third-parties like Verisign! If you trust Verisign then you may as well give up now.

    Any system which depends on the integrity of a third-party - especially one motivated by profit - is of no interest to me.

    If you want secure and mass-level communication then you need something better than is currently available. As things stand you need to decide who you're communicating with and make special arrangements with them individually - preferably involving face-to-face contact at some point.

    If you want "securish" then there's lots of systems which will do it, including SSL and GPG.

  19. Anonymous Coward
    Paris Hilton

    7 pages of advertising

    I can't be bothered to read 7 pages of anything, let alone something that starts out sounding like advertising.

    All of my email servers support starttls and tlsmta (for OE users on port 465).

    I tried s/mime years ago and sent an encrypted message to a technical colleague who responded with something along the lines of "I didn't know what that icon was for... I assumed you'd sent me a dodgy attachment"... I figured that if that's a techy persons response, the great unwashed masses don't stand a chance!

    Treat email like postcards and you'll be fine. If you want to send something confidential or secure, use something designed for it (VPNs through to _encrypted_ CDs by courier)

    End of

  20. Anonymous Coward
    Go

    mailserver domain based pgp please

    Shame I can't find server based pgp with a cert for the domain and messages encrypted/decrypted at the final server. One key for a whole domain/subdomain will do for business users - at least to start with.

    The problem with pgp adoption for business users is the overhead, management for each user and internal archiving/search issues. Internal openness is ok and in most cases a necessity to getting work done.

  21. I. Aproveofitspendingonspecificprojects

    Passwords

    One of many nay sayers:

    "Is that it is a two way street. Not only do you need the people you send emails to to encrypt them, you need them to be able to decrypt yours. As much as I'd love all my casual emails to be encrypted - the people I'm sending them to don't know anything about encrypting."

    The point is that if you have anything you want kept secret, you wouldn't tell some people if they had access to the best coding machinery going. If you need to keep your business private you will only be sharing passwords and keys with people who are like minded.

    A man would be a fool to do other than meet face to face to exchange such details as are required to decrypt any such messages. And as for trusting third party sites, would you trust the government?

    Not many would but plenty would trust a third party?

  22. Tommy Pock

    Alternatively...

    email in Welsh.

  23. Cliff

    @TLS - absolutely

    It was one of my projects at a major software company, getting TLS set up from our domain to all the outsourced services domains (payroll, P11Ds, benefits, for all employees as well as commercial relationships). In the end it was quicker, cheaper and easier for ALL email from our domain to be encrypted en route to the partners (and back), than individual smartcard certificates working reliably between individuals. This way we had to trust the internal networks as non-hostile, and just the internet leg of the journey as hostile, which is the most likely scenario, after all.

    It wasn't nearly as straightforward (sadly) as just ticking a couple of boxes, partly down to the way the company was structured, and having to get techies from both companies talking and agreeing, and working across multiple technical platforms - but absolutely worth it. I was stunned at how 'cutting edge' this was considering this really really ought to have been done once and for all 10 years ago...

  24. John

    The real solution

    Setting up encryption for email is just too difficult today. This means most people will not do it which means you will not be able to send encrypted messages to them. How can this problem be solved?

    Use TrulyMail instead of email. To encrypt your messages you just add encryption to your account and then every recipient can receive and read your encrypted messages.

    It must be this easy for the public at large to start using encryption.

  25. Anonymous Coward
    Anonymous Coward

    Passwords and encryption

    I recently had to send some data out from work. Due to the nature of the data, the ZIP was encrypted with 256 bit AES, and was password protected. This e-mail was then promptly stopped by the IT department for contravening IT e-mail policy by containing a file that was either encrypted, or password protected.

    I don't know why I bother.

  26. Tom
    Happy

    @Tommy Pock

    What's the problem with emailing in Welsh?

    I'm going to the pub now, not for one beer but five.

  27. Doug Glass
    Go

    Too Simple

    Never put anything in an email you wouldn't want your mama to read and never put anything in an email you wouldn't want published in every rag (hard copy or cyberprint) for the world to see.

    Same goes for wireless communication come to think of it.

    It's a tough life requiring others to compensate for irresponsible behaviors.

  28. Michael Fremlins
    Unhappy

    And this is why so few people use encryption

    A simple 7 page tutorial on how to set up and send encrypted email? No, a "simple" tutorial is 1 page.

    The problem is another application needs to be installed, a plugin needs to be installed, and these need to be understood to use them.

    When Thunderbird is supplied out-of-the-box with email encryption, and it's a click box item to use it, it will get some mileage. Until then, it's definitely a niche thing. I speak from experience having used this setup before. It's a pain to use. Not difficult, just a pain.

  29. Gareth Jones Silver badge

    No Title

    So you start from the premise that it isn't really a hassle and then take seven pages to explain it, which invalidates that original argument.

    The best advice is not to send anything even approaching the confidential by email. There are other much more secure ways of transferring confidential information these days.

  30. Anonymous Coward
    Anonymous Coward

    Have to agree - it's too complex

    I've just tried installing GPG on a new Linux box, I followed the instructions and what happens? The make file doesn't - well - make. The error is unintelligible to me, I have absolutely no idea how to fix the problem and so my machine goes without protection.

    The suggestion above that Thunderbird needs to ship with this sort of security out of the box is an excellent one. Install it (preferably with a click interface) then follow the one-off wizard to set up protection.

    Until then...

  31. Anonymous Coward
    Anonymous Coward

    What a bunch of moaning minnies

    the good man from sanfran takes time out to write an interesting article, and it is just complaint, after complaint.

    I don't know, obviously not into secure comms now are we.

    And Dennis with his omen of doom, well as they say round here; put up or shut up, let's see this mythical GPG 'malware' then.

  32. This post has been deleted by its author

  33. This post has been deleted by its author

  34. Dennis
    Flame

    @AC: "What a bunch..."

    In response to: "And Dennis with his omen of doom, well as they say round here; put up or shut up, let's see this mythical GPG 'malware' then."

    Next time, please do some cursory research before flaming.

    First, actually click on the link in the comment before writing your own comment.

    Second, I would recommend using Google to search for relevant keywords.

    If your searches are thorough, you should come up with some interesting stories surrounding the recent Chinese cyber activity against the Falun Gong and Tibetans.

    Otherwise, nice use of a semicolon.

  35. Winkypop Silver badge
    Thumb Up

    easy answer

    Send paper mail...

  36. Anonymous Coward
    Black Helicopters

    Great info, but only for the geeks

    It's hard enough getting the casual internet user to setup a POP3 account, let alone encrypt their email.

    Far better to encourage people to be discreet and treat email as if it was a public discussion.

    If you could hammer home to casual net users that their email is more akin to talking in a crowded room than a private conversation, perhaps they would get the message.

    If you want to send sensitive information to someone, take a leaf from the governments book and send it on disc via the Post Office.

  37. Daniel B.
    Flame

    PGP's good.

    I don't understand all these dudes dissing on PGP/GPG. The damn standard has been around for so long it is pretty much used in most sensible secure apps. If you wanted, you could also get your PGP public key signed by a CA and get your own X.509 cert. Hell, I think the OpenPGP standard even predates all those other implementations!

    Hushmail uses the OpenPGP standard. If I want to do secure e-mail with Hushmail users, I need to use that.

    And PGP Desktop isn't that hard to use for the Windows sheeple. Just buy, download, install; the Outlook plugin is included. It is really more about how much users care about privacy; those who don't care, well, they deserve getting their e-mail read.

  38. Jason Togneri

    Did any of you actually READ the article?

    Whine whine, moan moan, I have to read more than a few paragraphs, it's too hard, oh boo hoo sob sob. My edjukayshun was poor and my brane hurtz0rz.

    Seriously. I hadn't really gotten into PGP or encryption in emails, and this made me start thinking. So I read it (all seven pages! Gasp!). You know, they're quite short pages, with only a little text, and I'm sure mostly broken up because of the HUGE FUCKING OBVIOUS GRAPHICS. Knowing that, I'm sure that a few of you could go back and maybe struggle through those seven entire pages. It'll be hard on your little minds, but I'm sure you'll manage somehow.

    Seriously folks, coming from a background of not having used this, I read (quite quickly) through ALL SEVEN PAGES DEAR GOD and got it working. Ten minutes later and I've got the option to send and receive PGP encrypted email. I know it's not everyone's cup of tea, and there are other options available, but seriously, all this fuss, particularly over the structure of the article? Pathetic.

  39. JohnG
    Thumb Down

    It ain't gonna happen

    Like others have said, non-technical users aren't going to manage all this stuff. I avoid sending sensitive stuff by email, much as I avoid sending cash in the post. If I really have to send something sensitive by email, I Zip it and then phone the recipient to give them the Zip password.

  40. Neoc

    Missing the point.

    I use GPG on Thunderbird (via EnigMail) for one simple reason: I need to be able to *sign* some emails.

    Couldn't be bothered encrypting them, though; what I have to say isn't that "hush-hush", but it has to be able to be authenticated.

  41. Zygote

    No title require - just a few thoughts ;-)

    I am in two minds regarding email encryption. I sometimes think of email in the same way that I do of the telephone. When I make a call, I know that my call is not encrypted and that anyone with the proper authority or equipment can listen in. But I still use the phone every day. Why? Because I know that just about any conversation that I have on the phone will be of little interest to anyone.

    Same with my emails - routine, day to day emails that I send contain precious little that would be of interest to anyone, other than the recipients.

    But, as we all know, times they are a changing. From what has been happening in the UK and elsewhere it is evident that your daily mundane, inconsequential emails are almost as likely to be read and stored as those emails being sent from the middle east to the UK, complete with references to explosives, weapons etc ;-)

    So, what to do? AC's initial point about drawing attention to oneself is valid and doesn't require expanding upon. I like the idea of the dead letter drop. :) It has a certain romanticism about it, that we don't get in sending encrypted emails. Or perhaps an iPAQ rock, like the one busted in Moscow ;)

    Still...

    I used to work on the crypto side of things years ago for the army. I find the subject fascinating. I read the very short 7 page description here and within 10 mins was up and running. Now, all I have to do is 1. find a reason for using encryption in my emails and 2. find a friend who uses encryption.

    Email encryption - it's a double-edged sword for the ordinary user.

  42. Anonymous Coward
    Anonymous Coward

    probs with GPG + Enigmail

    Installed it a couple of years ago. Found its behaviour confusing and it would pop up baffling questions now and again which I couldn't understand. Will try it again, but it wasn't fun.

  43. Matthew Brown

    hmm

    I set GPG up some time ago but I've yet to find anyone outside my technical acquaintances who either a) noticed or understood the public key, or b) cared.

    This is going to take time. Quite a lot of time.

  44. E

    @Toby Richards

    Why should I trust Thawte or VeriSign? I can promulgate my public key myself.

    That said, my Mom and Dad and two of my siblings would have a hard time dealing with GPG or the KDE and Gnome and Windows front-ends' 'accept key' dialogs.

    Fundamentally the problem is education.

  45. Anonymous Coward
    Anonymous Coward

    Dream on

    Any article that promotes encrypted mail gets my vote in this snoop on thy neighbour, privacy challenged age. That said, I've had PGP installed for what seems like forever and very, very rarely does it get an outing, due to the incomprehension from my less tech savvy contacts. Sadly, it's just not going to happen until it's actually built in to email clients and enabled by default. And I really can't see government leaning on MS etc to encourage that.

  46. Chris Matchett
    Paris Hilton

    Still sending naked emails?

    I'm not sure but I do know that I'm not receiving enough!

  47. TeeCee Gold badge
    Thumb Down

    Re: Bad Analogy?

    Too true, but I don't think you've gone far enough.

    To me this reads like that, but you then find that the seatbelts are provided in a box in the boot and you're expected to provide your own spanners, in Whitworth sizes, to fit them first.

    Oh and the Outlook plugin only works with 2003? That one's where the Ford seatbelts only fit MKIII Cortinas. Epic FAIL.

    Oh and German only manuals? How risible. You want takeup? Try getting to a release quality product first.

  48. Matthew Glubb
    Thumb Down

    Bad Analogy

    To the best of my knowledge, I have never used a seat belt that only works if every passenger on the road is also wearing one.

  49. chris
    Thumb Up

    Thanks for the article

    I've been meaning to write something similar for friends, practical, step-by-step and idiot-proof. Instead I think I'll just link to this one.

    Do people even know how insecure email is? I think with the recent talk of a government database for everyone's email, people are more open to taking these precautions.

    Even if you don't think you'll use it, it's polite, innit? If someone wants a discreet word with you, you don't loudly refuse to move from your open plan cubicle to a private room, do you?

    And how on earth can you "advertise" programs that *cost* *nothing*?! GPG, Thunderbird, Enigmail are all free and make a pretty winning and easy-to-use combination, in my experience.

    PS watch for a key-signing party in Glasgow early next year :)

  50. Poopie McStinklestein
    Alert

    I'm amazed that

    I'm amazed that no-one's mentioned the excellent http://getfiregpg.org/

    It runs in Firefox, and when it sees a valid chunk of PGP key or encrypted message, it uses Javascript to give you an import/decrypt link.

    Not as secure as other systems, no doubt - but a lot easier for newbs.

    Password: elreg

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.6 (GNU/Linux)
    Comment: http://getfiregpg.org

    jA0EAwMC65Ajupa0gVlgyUf0oI3dYED8WkDih62rbEWwMgwZw1UYY6c9ORQUYqQM
    jt+ixkU94Mr2Oj7/pGPs+gRoitSBhVfa8XK/2Afl05EyNd4IC7ej7g==
    =Md+Q
    -----END PGP MESSAGE-----

  51. Anonymous Coward
    Thumb Down

    It's just not going to catch on...

    I really don't see email encryption, in this way, catching on outside of the technical-minded community.

    It's a well written article, but not exactly ground breaking, or applicable to anyone who uses email for anything not critical.

    I agree that education of users in what should be sent in an email, and what shouldn't is more likely to succeed.

    Anyone who needs highly secure email, should use a closed email network, protected in other ways.

  52. Dennis
    Black Helicopters

    Re: I'm amazed that

    -----BEGIN PGP MESSAGE-----
    Version: PGP Desktop 9.6.3 (Build 3017) - not licensed for commercial use: www.pgp.com

    qANQR1DDDQQJAwJUdHqh6gHOJJjSegFNHYhXQCX8LncUNw7homYgb9VJtSAKssaK
    rmHJg3WcveVqY4axaim9D1r56PEa2Z8uEusvBVlunsFZxdsQXdtapXOqAMBM2EPh
    YqKERzCm8jOSW+qJ59cD09wDfkdfGnDi1W/fBvbN1yjmtRHuI1eJxlCB2wnYDici
    =fu+n
    -----END PGP MESSAGE-----

  53. breakfast Silver badge
    Boffin

    If it's too complicated for you, don't use it.

    Nobody is rubbing this in anyone's face and saying they must use it, but it is pretty useful to actually have a simple tutorial that means if you do need to have secure communications with someone you can point them at this article and they can set themselves up rather than having to effectively put all this content into an email before you can have the conversation you want to have.

    As ever, commentards are very quick with a glib dismissal. It's okay if you're not smart enough to use the software or you don't think everyone in the world will be using it tomorrow, but that doesn't mean that the article itself is pointless.

    In the future email encryption will get more important, especially when people start finding ways to compromise mail servers and use intercepted data to create vastly more credible phishing or spam messages. The more people in general can at least understand the concepts and possibilities involved with encryption the better.

  54. Anonymous Coward
    Anonymous Coward

    Why Johnny can't encrypt

    The reader may be interested in:

    http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf

  55. Steve Ringham
    Thumb Up

    Well I'm pleased the article was written!

    I installed the Enigmail add-on last month but had not done anything else; I was at the point of uninstalling it to stop the "send unencrypted mail?" messages. Laziness on my part, nothing else. I'm an IT "professional" who's aware of the problems of sending bare email and has some inclination to do something about it. So thanks to Dan for writing this article / tutorial.

    And a big "STOP YOUR WHINGEING" to all the nay-saying biatches out there!

    Sure, current means of encryption MIGHT be clunky and long-winded, but until your favourite email client does it easily, out of the box, then we all have to get by as best we can. If you think this method sucks, then get off your fat arses and show us something better.

  56. Anonymous Coward
    Paris Hilton

    I send naked email, naked

    Paris cos she loves it

  57. George Sidman

    Beyond PGP to Truly Private Email

    If your Gramma can implement the PGP illustrated in this article, she must have gotten her computer science degree in the '70s. Not that we have anything against PGP, but their complicated and technical approach is way out of date.

    If you want truly private email that Gramma and any doctor, lawyer or Indian chief can use, out of the box, then look at WebLOQ. All password and key exchange is user transparent, machine generated and much safer. A central database delivers full HIPAA, SOX and GLB reporting. It runs on all popular platforms, and is today delivering highly secure privacy to health care, public safety, lawyers and others - with nothing new to learn.

    Internet privacy is a hot topic. Encrypting the body of an email is only half a solution. Encrypting the headers - which WebLOQ does - halts malware and assures complete privacy. Getting all this on an easy-to-use platform that also runs on your smartphone is the new paradigm.

    George Sidman

    WebLOQ
