Old 09-12-2005, 11:12 AM   #1
Bob Russell
Recovering Gadget Addict
Posts: 5,381
Karma: 676161
Join Date: May 2004
Location: Pittsburgh, PA
Device: iPad
Email Encryption.. Do you use it?

I suspect very few people are using email encryption. Yet, for all I know, it may not be expensive or difficult to put into place.

Why does it matter? The bottom line is that if there is any sensitive information traveling in unencrypted emails, you can't guarantee that it will remain private. And in the case of China, it can even be a significant issue.

Wondering where to learn more? I am. Plus I have the obvious questions like what software is best, what do you need, does the receiver have to have the same software to read your encrypted emails, and so on.

Here are a few sites that popped out for me. Hopefully, they have some answers that are useful...
http://www.eff.org/Privacy/Crypto/emailencryption/
http://www.newsfactor.com/perl/story/18860.html
http://www.businessbureau-uk.co.uk/e...yptography.htm
http://www.internet-guide.co.uk/email-encryption.html
http://www.networkworld.com/techinsi...ider-mail.html

Let us know if you have any good tips or sources of information.
I wonder -- is anyone using encryption on email?
Bob Russell is offline   Reply With Quote
Old 09-12-2005, 11:19 AM   #2
MrSaint
Little Computer Guy
Posts: 73
Karma: 2466
Join Date: Aug 2005
Device: Treo 650 + iPaq
IMO, the two best ways to encrypt your e-mails right now:

- PGP (GnuPG)
- Hushmail

Do I use e-mail encryption? No. I guess I am too lazy.
MrSaint is offline   Reply With Quote
Old 09-12-2005, 06:19 PM   #3
cbarnett
MR prodigal son
Posts: 1,085
Karma: 1083739
Join Date: Mar 2003
Location: Australia
Device: Kobo Aura H2O
I've looked at email encryption in the past, but the emails I send just aren't important enough to warrant the effort, so I guess you could say I'm too lazy as well.

Craig.
cbarnett is offline   Reply With Quote
Old 09-12-2005, 08:52 PM   #4
Chaos
Evangelist
Posts: 418
Karma: 281
Join Date: Jul 2004
Location: Canada
Device: Assorted older devices
I've got GPG set up and ready in case I ever need encryption.

The catch? No one else I know has GPG. So I'm currently not using it, but I have it if I ever need it.

Personally I think GPG is one of the best (if not the best) option, considering the price.

MacGPG is something for OSX users to look at. Some nice plugins linked to as well, like one for Apple's Mail.app.
Chaos is offline   Reply With Quote
Old 09-13-2005, 02:16 AM   #5
Curt Sampson
Nameless Being
 
cjs@cynic.net

Yes, I'm using PGP-encrypted e-mail on a regular basis, though only for "sensitive" information.

But using encryption on e-mail is trickier than you might think.

For example, I use it on a very limited selection of e-mail not because I'm lazy, but because I have a long passphrase (as one should!) and it's inconvenient (not to mention less secure) to be typing it all the time. I could use an agent that asks for my passphrase just once and then keeps an unencrypted copy of the key in memory for use by my mail program, but that also reduces security by exposing your unencrypted key for a longer time. (A virus, trojan or intruder would have a larger window for stealing your key.) I really ought to be using a secondary, low-security key for most e-mail, one signed by my high-security key, but that introduces its own issues.

I've also trained non-technical users in the use of encryption on e-mail, and it's hard for them. Not the mechanical actions of encryption or whatever itself, but remembering the threat model and making intelligent choices about what to do when they're not sure about something. The generally terrible user interfaces don't help, either; even I, a security professional, have difficulty making sure that the Windows version of PGP software is telling me a signature is valid, rather than invalid.

If I were looking at increasing security on e-mail, I'd do an analysis of all the threat models and try to see if there are other, easier areas where I can get some security benefits before I moved on to encryption of individual e-mail messages.
  Reply With Quote
Old 09-13-2005, 06:10 AM   #6
StuBear
Member
Posts: 23
Karma: 25
Join Date: Jun 2005
Location: Osaka, JAPAN
Device: Zaurus SL-C1000
Quote:
Originally Posted by Chaos
I've got GPG set up and ready in case I ever need encryption.

The catch? No one else I know has GPG. So I'm currently not using it, but I have it if I ever need it.

Personally I think GPG is one of the best (if not the best) option, considering the price.

MacGPG is something for OSX users to look at. Some nice plugins linked to as well, like one for Apple's Mail.app.

One way to get people you know using GPG is to start signing all your emails (not encrypting them, just signing them). That gets people interested in "what that stuff" is on the end of your email, and after you explain, some of the more tech-savvy people may start to use it too.

I sign all outgoing email, but rarely encrypt emails - only when transmitting sensitive data like bank details etc. Most of my friends don't use GPG but they all have an idea what it is now.

Stu
StuBear is offline   Reply With Quote
Old 04-17-2006, 09:37 AM   #7
scottw
Junior Member
Posts: 1
Karma: 10
Join Date: Apr 2006
I use encryption in my small biz. But I only really need to encrypt maybe 1 in 20 that I send. My biggest obstacle is trying to get others to install "reader" applications. PGP is beyond me.

I finally settled on Messagelock for my Outlook. It encrypts email and file attachments using the common zip format, which means most people that have Winzip can receive an encrypted message I send them, as long as they know the password. Messagelock fit the bill for my small firm, where we don't have an IT dept. If we both have Messagelock the process of sending/receiving is automatic, but I haven't been able to get anyone to install it on their end yet.
scottw is offline   Reply With Quote
Old 06-16-2006, 05:57 PM   #8
Bob Russell
Recovering Gadget Addict
Posts: 5,381
Karma: 676161
Join Date: May 2004
Location: Pittsburgh, PA
Device: iPad
The topic just came up on LifeHacker... here's their take on how to do it...
http://www.lifehacker.com/software/t...ail-180878.php
Bob Russell is offline   Reply With Quote
Old 06-17-2006, 04:33 AM   #9
ath
Addict
Posts: 222
Karma: 110
Join Date: Jun 2006
Location: Malmo, Sweden
Device: iLiad, Sony PRS-505, Kindle Paperwhite & Oasis
Quote:
Originally Posted by Bob Russell
Let us know if you have any good tips or sources of information.
I wonder -- is anyone using encryption on email?

I do -- for those mails that just must not be read by anyone else. (I use PGP)

But encryption is hairy -- it's not just installing an application and generating a private key (assuming public-key encryption).

You need to back up your keys -- and as private keys must not be accessible to anyone else, particularly not system administrators or backup operators, it usually means you have to do it yourself. (I keep my key rings on a special USB stick, and I keep that stick in a safe. I back up the stick to CDs, which I keep in another safe. I probably should worry about CD aging causing the discs to be unreadable in a year or two... and, when the CDs get too many, how I quickly see if a CD is missing from the safe.)

You need to keep old and outdated keys around -- or else you have to decide how you are going to read mails encrypted with those old keys.
(Saving those mails in decrypted form on the computer is a risk ... on computer, they should remain encrypted. Otherwise, store them off computer.)

If you store key rings on your computer, you need to be very careful about recording passphrases -- or you can't revoke keys that have been compromised, and so risk getting mails encrypted by broken keys. That also includes some kind of method for deciding when there is risk for a compromise ... and that may indirectly require ensuring that the computer and network are secured to a higher extent than they are now. (Keeping key rings off the computer minimizes this problem -- it's only when the USB device gets exposed that revocation is needed -- so I use a USB device with fingerprint reader -- even though I'm beginning to wonder what degree of protection this device really gives. Same thing with decrypted mail.)

Trust models also need to be considered: do I really trust a public key signed by a friend-of-a-friend-of-a-friend? When do I call the owner, and verify the key? (Me, always. I only trust keys signed by myself, and I don't sign a key unless I really need to. In a company, there should be a policy for this.)

In a company, the company typically needs to read business mail I've sent or received. And that means more thought going into key handling... and possibly even depositing private keys (i.e. private to me as an employee of the company, not me as a private person). And ensuring there is a solution for how the company is going to get into my fingerprint-protected USB stick in case I get run over by a steam-roller.

And then, there will be bugs in the software. How do you get told about them? Do you have to look for them yourself?

And even so, if some long-haired number-theoretician manages to find a faster way to factorize big numbers (I guess someone in India will do this in about ten years), your encryption security may be gone, and you need to reestablish a new encryption scheme that does not involve factorization/multiplication. Be prepared when it happens -- and keep those backed-up keyrings ...

It should be pretty clear now that mail encryption by this hands-on method is expensive. Don't do it unless you must. If you do, don't make any mistakes. If you do use it, also consider who the enemy is. Sometimes it's enough to know that encrypted mails sometimes are sent between two parts, while clear-text is used in general. If that's the situation, encrypt everything -- or the enemy will know what mails are the most sensitive ones. But that is even more expensive ...

Encryption hairiness can be managed, as long as it is known what it involves, and where the break-even points are. But too rarely the risks are well-documented enough.

For encryption in general, try Ferguson & Schneier: Practical Cryptography. It doesn't go into too many technicalities. But typically you will need a good manual for the encryption system you have decided to use. (I don't know of anything good for PGP myself -- I've mainly used it and wondered about various problem scenarios, and adapted to problems I've found.)
ath is offline   Reply With Quote
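
Added example, not part of the thread: the post above says old and revoked keys still have to be kept to read old mail, even though nobody should encrypt to them any more. This sketch sorts a GnuPG `--with-colons` key listing into those two groups; the listing is constructed sample data, and `sample_listing` and `audit_keys` are hypothetical helper names.

```shell
#!/bin/sh
# Added example; the listing is constructed sample data, not a real keyring.
# Format: GnuPG --with-colons (field 2 = validity, 5 = key ID, 12 = capabilities).
sample_listing() {
cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAA1:1100000000:::u:::scESC:
uid:u::::1100000000::HASH1::Current Key <me@example.org>:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1100000000::::::e:
pub:e:1024:17:BBBBBBBBBBBBBBB1:1000000000:1090000000::-:::sc:
uid:e::::1000000000::HASH2::Old Key <me@example.org>:
sub:e:1024:16:BBBBBBBBBBBBBBB2:1000000000:1090000000:::::e:
pub:r:2048:1:CCCCCCCCCCCCCCC1:1050000000:::-:::sc:
uid:r::::1050000000::HASH3::Lost Laptop Key <me@example.org>:
sub:r:2048:1:CCCCCCCCCCCCCCC2:1050000000::::::e:
EOF
}

# Hypothetical helper: print "KEYID state use" for every primary key on stdin.
audit_keys() {
    awk -F: '
        $1 == "pub" {
            id = $5; order[++n] = id; enc[id] = 0
            if ($2 == "r") state[id] = "revoked"
            else if ($2 == "e") state[id] = "expired"
            else state[id] = "usable"
        }
        # An encryption-capable subkey that is itself neither revoked nor expired.
        $1 == "sub" && $12 ~ /e/ && $2 != "r" && $2 != "e" { enc[id] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                use = (state[id] == "usable" && enc[id]) ? "encrypt-ok" : "decrypt-only"
                print id, state[id], use
            }
        }
    '
}

sample_listing | audit_keys
```

On a real keyring the same function reads `gpg --list-keys --with-colons | audit_keys`; keys reported as `decrypt-only` are the ones whose secret halves still belong in the backup set.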
All times are GMT -4.