|09-12-2005, 11:12 AM||#1|
Recovering Gadget Addict
Join Date: May 2004
Location: Pittsburgh, PA
Email Encryption.. Do you use it?
I suspect very few people are using email encryption. Yet, for all I know, it may not be expensive or difficult to put into place.
Why does it matter? The bottom line is that if there is any sensitive information traveling in unencrypted emails, you can't guarantee that it will remain private. And in the case of China, it can even be a significant issue.
Wondering where to learn more? I am. Plus I have the obvious questions like what software is best, what do you need, does the receiver have to have the same software to read your encrypted emails, and so on.
Here are a few sites that popped out for me. Hopefully, they have some answers that are useful...
Let us know if you have any good tips or sources of information.
I wonder -- is anyone using encryption on email?
|09-12-2005, 06:19 PM||#3|
MR prodigal son
Join Date: Mar 2003
Device: Galaxy Note 3, iPad Air, Kobo Touch
|09-12-2005, 08:52 PM||#4|
Join Date: Jul 2004
Device: Assorted older devices
I've got GPG set up and ready in case I ever need encryption.
The catch? No one else I know has GPG. So I'm currently not using it, but I have it if I ever need it.
Personally I think GPG is one of the best (if not the best) option, considering the price.
MacGPG is something for OSX users to look at. Some nice plugins linked to as well, like one for Apple's Mail.app.
|09-13-2005, 02:16 AM||#5|
Yes, I'm using PGP-encrypted e-mail on a regular basis, though only for "sensitive" information.
But using encryption on e-mail is trickier than you might think.
For example, I use it on a very limited selection of e-mail not because I'm lazy, but because I have a long passphrase (as one should!) and it's inconvenient (not to mention less secure) to be typing it all the time. I could use an agent that asks for my passphrase just once and then keeps an unencrypted copy of the key in memory for use by my mail program, but that also reduces security by exposing your unencrypted key for a longer time. (A virus, trojan or intruder would have a larger window for stealing your key.) I really ought to be using a secondary, low-security key for most e-mail, one signed by my high-security key, but that introduces its own issues.
I've also trained non-technical users in the use of encryption on e-mail, and it's hard for them. Not the mechanical actions of encryption or whatever itself, but remembering the threat model and making intelligent choices about what to do when they're not sure about something. The generally terrible user interfaces don't help, either; even I, a security professional, have difficulty making sure that the Windows version of PGP software is telling me a signature is valid, rather than invalid.
If I were looking at increasing security on e-mail, I'd do an analysis of all the threat models and try to see if there are other, easier areas where I can get some security benefits before I moved on to encryption of individual e-mail messages.
|09-13-2005, 06:10 AM||#6|
Join Date: Jun 2005
Location: Osaka, JAPAN
Device: Zaurus SL-C1000
I sign all outgoing email, but rarely encrypt emails - only when transmitting sensitive data like bank details etc. Most of my friends don't use GPG, but they all have an idea what it is now.
|04-17-2006, 09:37 AM||#7|
Join Date: Apr 2006
I use encryption in my small biz. But I only really need to encrypt maybe 1 in 20 that I send. My biggest obstacle is trying to get others to install "reader" applications. PGP is beyond me.
I finally settled on Messagelock for my Outlook. It encrypts email and file attachments using the common zip format, which means most people that have WinZip can receive an encrypted message I send them, as long as they know the password. Messagelock fit the bill for my small firm, where we don't have an IT dept. If we both have Messagelock the process of sending/receiving is automatic, but I haven't been able to get anyone to install it on their end yet.
|06-16-2006, 05:57 PM||#8|
Recovering Gadget Addict
Join Date: May 2004
Location: Pittsburgh, PA
The topic just came up on LifeHacker... here's their take on how to do it...
|06-17-2006, 04:33 AM||#9|
Join Date: Jun 2006
Location: Malmo, Sweden
Device: iLiad, Sony PRS-505, Kindle
But encryption is hairy -- it's not just installing an application and generating a private key (assuming public-key encryption).
You need to back up your keys -- and as private keys must not be accessible to anyone else, particularly not system administrators or backup operators, it usually means you have to do it yourself. (I keep my key rings on a special USB stick, and I keep that stick in a safe. I back up the stick to CDs, which I keep in another safe. I probably should worry about CD aging causing the discs to be unreadable in a year or two... and, when the CDs get too many, how I quickly see if a CD is missing from the safe.)
You need to keep old and outdated keys around -- or else you have to decide how you are going to read mails encrypted with those old keys.
(Saving those mails in decrypted form on the computer is a risk ... on computer, they should remain encrypted. Otherwise, store them off computer.)
If you store key rings on your computer, you need to be very careful about recording passphrases -- or you can't revoke keys that have been compromised, and so risk getting mails encrypted by broken keys. That also includes some kind of method for deciding when there is a risk of compromise ... and that may indirectly require ensuring that the computer and network are secured to a higher extent than they are now. (Keeping key rings off the computer minimizes this problem -- it's only when the USB device gets exposed that revocation is needed -- so I use a USB device with a fingerprint reader -- even though I'm beginning to wonder what degree of protection this device really gives. Same thing with decrypted mail.)
Trust models also need to be considered: do I really trust a public key signed by a friend-of-a-friend-of-a-friend? When do I call the owner, and verify the key? (Me, always. I only trust keys signed by myself, and I don't sign a key unless I really need to. In a company, there should be a policy for this.)
In a company, the company typically needs to read business mail I've sent or received. And that means more thought going into key handling... and possibly even depositing private keys (i.e. private to me as an employee of the company, not me as a private person). And ensuring there is a solution for how the company is going to get into my fingerprint-protected USB stick in case I get run over by a steam-roller.
And then, there will be bugs in the software. How do you get told about them? Do you have to look for them yourself?
And even so, if some long-haired number-theoretician manages to find a faster way to factorize big numbers (I guess someone in India will do this in about ten years), your encryption security may be gone, and you need to reestablish a new encryption scheme that does not involve factorization/multiplication. Be prepared when it happens -- and keep those backed-up keyrings ...
It should be pretty clear now that mail encryption by this hands-on method is expensive. Don't do it unless you must. If you do, don't make any mistakes. If you do use it, also consider who the enemy is. Sometimes it's enough to know that encrypted mails sometimes are sent between two parties, while clear-text is used in general. If that's the situation, encrypt everything -- or the enemy will know which mails are the most sensitive ones. But that is even more expensive ...
Encryption hairiness can be managed, as long as it is known what it involves, and where the break-even points are. But too rarely are the risks well-documented enough.
For encryption in general, try Ferguson & Schneier: Practical Cryptography. It doesn't go into too many technicalities. But typically you will need a good manual for the encryption system you have decided to use. (I don't know of anything good for PGP myself -- I've mainly used it and wondered about various problem scenarios, and adapted to problems I've found.)