Slashdot Mirror

← Back to Stories (view on slashdot.org)

Elegant Email Encryption for Everyone?

Posted by Cliff on from the encrypt-everything! dept.

rtos asks: "Here is simple question for the Slashdot crew: What is the easiest way to begin encrypting all of my email communications? It's not that I send anything even remotely interesting or secretive... I'm simply tired of government snoops reading my stuff. So it doesn't have to be the worlds best encryption (although ROT-13 might be a little light)... just something to stall prying eyes and foil automatic keyword checking. But for that to work, I would need an system that everyone will use. And even I stopped using PGP because most other people aren't using it. Chicken. Egg. Repeat." If we want encryption to become a part of our everyday lives, encryption systems should be as easy to use as breathing. Once everyone is using it, we can hope to get those silly US encryption restrictions overturned.

"The problem is that in order to use public key encyrption, both parties (sender and receiver) must be using something like PGP. Most of the people I correspond with consider encryption either too complicated or too bothersom to use... with its key generation, signing, encrypting, decrypting, exchanging keys and such. There are always non-public-key systems, but that usually requires both parties to use the exact same software at each end. And then there is the issue of everyone using different operating systems (Windows, Solaris, Linux, etc.). And then there is cost involved for any commerical packages. Of course, there is always HushMail and its ilk, but I don't want to be tied to a web-based system.

For people like me and you, encryption is easy. But that's not the case for everyone else in the world. Why is it still difficult? And what is the best solution to date?"

8 of 365 comments (clear)

  1. Jive Encrypshun by Anonymous Coward · · Score: 5
    I recommend Jive encrypshun and ah' use it fo' all mah' emails. Also, ah' encourage homeys and relatives t'encrypy any communicashuns wid JIBE encrypshun. De fust half uh yo' o'iginal message, fo' instance, as JIBE encrypted, dig dis:

    ere be simple quesshun fo' de Slashdot crew, dig dis: What be de easiest way t'begin encryptin' all uh my email communicashuns? It's not dat ah' t'row anydin' even remotely interestin' o' secretive. What it is, Mama!.. I'm simply tired uh guv'ment snoops eyeballin' mah' stuff. What it is, Mama! So it duzn't gots'ta be da damn wo'lds best encrypshun (aldough ROT-13 might be some little light)... plum sump'n t'stall pryin' eyes and foil automatic keywo'd checkin'. But fo' dat t'wo'k, ah' would need an system dat everyone gots'ta use. What it is, Mama! And even ah' stopped usin' PGP cuz' most oda' sucka's ain't usin' it. Chicken. 'S coo', bro. Egg. Repeat." If we wants' encrypshun t'become some part uh our everyday lives, encrypshun systems should be as easy t'use as breadin'. Once everyone be usin' it, we kin hope t'get dose silly US encrypshun restricshuns overturned.
  2. Simple solution by CaseyB · · Score: 5
    just something to stall prying eyes and foil automatic keyword checking. But for that to work, I would need an system that everyone will use.

    Compress it. Simple ZIP compression will defeat packet-sniffers looking for keywords or credit card numbers. And the braindead password protection in PK(and Win?)Zip will stop people going the extra step of simply opening attachments. Unzip software is pretty ubiquitous nowadays.

  3. Re:The problem isn't PGP, it's the e-mail software by Jethro · · Score: 5

    PGPDesktop and PGPFreeware for Windows do indeed hook into, at least, Outlook and Eudora. They make encryption and decription transparent - you have to click the little "Encrypt" thinggie on the toolbar and you're done. Unless it can't find the right keys, and then it'll ask you to choose them.


    --

    --


    In the land of the blind, the one-eyed man is kinky.
  4. Mozilla by AT · · Score: 5

    Currently, a PGP plugin interface is being added to Mozilla. It should show up in the next release or the one after that. It will allow PGP to be used almost transparently.

    Hopefully, this will bring PGP a little closer to the mainstream.

  5. SMTP supports encryption by dmoen · · Score: 5
    The SMTP standard supports encryption, and sendmail (at least) has supported TLS encryption since last year; I believe that TLS support was made available for open source sendmail minutes after the RSA patent expired.

    The advantage of putting encryption into your MTA is that the envelope is encrypted, not just the body. Plus, client software doesn't have to be modified.

    If you are really paranoid, then you of course would want a combination of encrypted SMTP with a PGP encrypted message body, 'cause that provides end-to-end encryption combined with an encrypted envelope while the email is in transit.

    --
    I have written a truly remarkable program which this sig is too small to contain.
  6. PGP (GPG) by autechre · · Score: 5

    One problem is that, currently, PGP keys require a password in order to use them for signing or encrypting email. People don't consider having to type in a password "easy to use." However, if you create a MUA that remembers the password, you've reduced the security, because now whoever can get at the machine can get at the key. This is the same old tradeoff between security and ease-of-use.

    Also, if I understand it correctly, you can really only send an encrypted message to one person at a time, because you're encrypting it with their public key (so that their private key decrypts it). So PGP is not really a solution for, say, mailing lists.

    So, even though Mutt has great GNUPG support, and so is relatively easy to use for someone like me, I can't really make use of it too terribly often, except for signing my mail.

    What would help a great deal is if the mail could be encrypted between the mail servers, thus limiting snooping to localhost exploits. I know that there are protocols available, but with so many people out there running old, insecure, years old versions of Sendmail, I am rather pessimistic about the rate at which we could get people to switch over (much like IPv6, which will help network security in general with its support for IPSEC). Does anyone know of an MTA-to-MTA encryption protocol which satisfies any (or all!) of these:

    1. Mail server agnostic
    2. Falls back to cleartext if encryption isn't supported at the other end
    2a. Gives a warning on this fallback.
    3. Uses existing algorithms, rather than trying to invent a new one, and can intelligently support more than one at once (sort of like SSH with IDEA and Blowfish).


    Sotto la panca, la capra crepa

    --
    WMBC freeform/independent online radio.
  7. mutt by mojo-raisin · · Score: 5

    Yeah it sucks. More people should use software like mutt. It makes dealing with pgp-signed/encrypted messages so easy. (I hear gnus is really good too, but mutt was much easier for me to learn)

    I think the best thing to do is just sign (not encrypt) all your email to your non-crypto using friends. That way they can still read your email, but they'll have to use a pgp aware mua to verify your sig. Hopefully, your friend will eventually be encouraged to use decent software to get this function. Then you're 99% of the way there and you can start exchanging encrypted emails.

    Point being: Sign everything!

  8. The problem isn't PGP, it's the e-mail software. by BlueTurnip · · Score: 5
    PGP itself isn't the problem, the real problem is the lack of really good hooks for commonly used e-mail applications to use PGP.

    Ideal what we probably need, is a really good, full-featured, e-mail client with the capabilities of Communicator or Outlook Express, and PGP built-in.

    As long as people have to run PGP as a separate program, and then try to hook it in with their favorite mail-reader, it will never catch on.