28
E-mail is great, but it has many problems. Did you know that it is very easy to send messages that appear to be from other people? Spammers do this all the time in an effort to encourage you to open their mail. The big problem with e-mail is the absolute lack of security.
There are two parts to security - authentication and encryption:
Authentication is checking that the message is really from the person that it claims to be from. Was is really your bank that sent you that message about your account being suspended?
Encryption is scrambling the message contents so that it cannot be read in transit. This is often compared to the postcard vs. sealed envelope for mail.
The problem with securing e-mail is that it relies on both parties having the desire and the software in order to participate. I cannot simply send an encrypted e-mail to my accountant if she does not have compatible software - and I would need her credentials (public key) in advance.
I obtained a free S/MIME certificate from Thawte a couple of years ago and went to the effort of having my identity checked by multiple people. This allowed me to have a certificate that guaranteed that it was indeed me that was sending the message. My hope was that other people would use this certificate to send me encrypted mail. The result? Not a single message. It is simply too much effort for people to get a free Thawte certificate and nobody ever wants to pay Verisign or anyone else for one.
I have now switched to PGP (actually GnuPG to be precise as I use Linux) as the other mainstream provider of secure e-mail. Using a free add-on for Thunderbird (Enigmail), it is much easier for my contacts to send me messages that are encrypted with my public key.
My suspicion however is that I will never receive an encrypted message. My family and friends primarily use GMail as their mail provider and although there is a Firefox extension for PGP (FireGPG), it is simply too much hassle for them to be bothered with installing GPG4Win and FireGPG (or GPG4Win, Thunderbird and Enigmail). Even if the installation and configuration was automatic, most people would get bored with having to enter a password to sign or open messages. And who can blame them most of the time?
The point is that e-mail security has to be used for all messages for it to become widely adopted, but most messages are not worth signing or encrypting. The problem is more social than technical and now that e-mail is widely used by the entire population, the few that are bothered about security are in the lonely minority.
I am happy to be proved wrong. Go on - surprise me with an encrypted e-mail!
Leave a Reply