Slashdot Mirror

← Back to Stories (view on slashdot.org)

Do Slashdotters Encrypt Their Email?

Posted by Unknown on from the translate-it-to-navajo dept.

An anonymous reader writes "Many years ago when I first heard of PGP, I found an add-on that made it fairly simple to use PGP to encrypt my email. Despite the fact that these days most people know that email is a highly insecure means of communication, very few people that I know ever use any form of email encryption despite the fact that it is pretty easy to use. This isn't quite what I would have expected when I first set it up. So, my question to fellow Slashdotters is 'Do you encrypt your email? If not, 'Why not?' and 'Why has email encryption using PGP or something similar not become more commonplace?' The use of cryptography used to be a hot topic once upon a time."

30 of 601 comments (clear)

  1. No by Anonymous Coward · · Score: 5, Insightful

    Nor does anyone else. Unfortunate, but true.

    1. Re:No by hedwards · · Score: 4, Insightful

      Precisely, when news reports surface of emails being leaked or stolen, rarely if ever do those reports refer to emails being stolen en route. Almost always they're leaked by somebody with access to either the mail server for that domain or the person's own computer.

      Sure one could catch an email en route, but in practice that's hit or miss without having control of the networks to which either the sending or receiving server connects and full knowledge that the email is coming. Without that it's not likely to be profitable to do so as you'd never know which emails to collect.

    2. Re:No by EdIII · · Score: 5, Insightful

      Most people are lazy and don't feel they have the need to encrypt their communications. If they are willing to post the shit they do on Facebook, they are already a lost cause from a privacy/anonymity viewpoint.

      Setting up email to send encrypted payloads is not easy for most people, and the people that know how, quickly lose interest after spending an hour to set up one person.

      Now, all of my emails *are* encrypted, and not just in transit. I use a special IMAP connector for Outlook that encrypts all traffic with SSL to the mail server. The web portal for my email server is encrypted with SSL as well. Where *possible* my mail server will negotiate a secure connection to a remote server, but that is pretty damn rare. On my personal computer the message store is located on a TrueCrypt drive, so if my computer is lost or stolen, I am not worried about the message store, which is temporary anyways since the email is stored on the server.

      All of it is pointless if the other party is not doing the same exact thing, which is most of the time. So I never send anything in the clear that I don't want analyzed, categorized, and used by private corporations and government.

      For correspondence that needs to remain secure I usually set up an email account on the same server. That way everything is encrypted down to the message store and emails sent between domains hosted on the same mail server are just internally routed.

      This is the same reason why truly secure phone calls are next to impossible in systems that must be able to perform call setups to any other phone. Too many intermediary points that cannot handle it. ZRTP, while interesting, is a long way from implementation, and will never address insecure endpoints like landlines and cell phones.

      It's the other end that is problem, just as you say, but it is also the points in between. As long as there are free services that won't waste the CPU cycles to negotiate encryption between mail servers, it does not make that much sense.

      Bottom line, I am secure where I need to be, not through encryption specifically, but choosing what I say, when I say it, and what communications medium I choose.

    3. Re:No by mellon · · Score: 5, Insightful

      Turns out that a lot of email leaks to typo domains. So in fact encrypting the email would have been a really good idea in these cases.

      The reason encryption hasn't taken off is that it's not done by default, and can't be enabled by clicking a checkbox.

    4. Re:No by v1 · · Score: 3, Insightful

      The reason encryption hasn't taken off is that it's not done by default, and can't be enabled by clicking a checkbox.

      Mac OS X's Mail client automatically supports PGP email certificates on both send and receive. You have to go sign up for one at some place like comodo, and download the cert. Double click and keychain assistant opens up and asks if you want to import it. Setup is complete.

      Now go to your mail app and you will see an open padlock. Any email you send will be automatically signed, and recipients with intelligent email clients will automatically and transparently import your public key into their user's keychain for later use, for both verification of additional received emails and encryption of mail back to you.

      If that person clicks reply, they will also have a padlock available, since their system now has your public key, so they can then send an encrypted reply back to you. If they also have a key pair in their keychain, their reply also includes their public key, allowing you to send them encrypted email in the same way. Of course for maximum security you'd need to have a more personal, direct key exchange rather than email, because a tinfoil hat would argue a skilled black hat could be in between you two when you are trying to exchange keys, and be feeding you two false keys. That's where key-signing parties come in. ;)

      Incredibly easy to use and built-in. Only takes a little effort to go download a free cert from comodo or someone else. What got me into it at first is a previous employer required me to email in my mileage reports for reimbursement, and required me to sign them.

      So at least for the mac users, it's ready by default, and is just a check box away. :)

      --
      I work for the Department of Redundancy Department.
    5. Re:No by Hadlock · · Score: 4, Insightful

      Whoever has access to your google information, probably has physical access to whatever server your email would sit on otherwise*. I guess it's not an 100% effective means, but in terms of point-to-point email encryption, it's probably the easiest and/or most widely used email encryption scheme avalible to the general public.
       
      *The old rule that if they have physical access to your machine, your software security is already nullified

      --
      moox. for a new generation.
    6. Re:No by Anonymous Coward · · Score: 4, Insightful

      Though we should point out, in both cases the message contents still aren't protected from anyone with administrative access. The transports alone are protected.

    7. Re:No by wanzeo · · Score: 5, Insightful

      I am tired of seeing this comic used as a dismissal of encryption, it is a joke. If you actually think someone is going to drug you or hit you with a wrench, then you have reached a level of paranoia far more ridiculous than the idea of using 4096 bit encryption.

      I use the very user friendly disk encryption that the Fedora installer provides, and I feel much more at ease taking my laptop out in public.

      As for email, no I don't encrypt them, but I might be willing to learn if the summary had more info than a wikipedia article for PGP.

    8. Re:No by neyla · · Score: 5, Insightful

      Indeed. This argument does nothing to diminish the usefulness of crypto.

      Yes people can force you to do various things, but the likeliness of that is lower than the chance that they'll do the same thing secretly if they can get away with it.

      Just because someone can hit you with a wrench and take your card-key, it doesn't follow that locking your house is useless. Just because someone can hit you with a wrench until you give up your PIN-code, it doesn't follow that having the card be pin-protected is useless.

      That something doesn't protect against -all- threaths, doesn't make it useless. It's still useful if it protects against *some* threaths.

    9. Re:No by DarwinSurvivor · · Score: 5, Insightful

      *The old rule that if they have physical access to your machine, your software security is already nullified

      That depends on what you are trying to protect. No, software will not prevent them from controlling the machine, copying the HDD, etc, but it CAN prevent them from being able to USE any of that data. Encryption is the ONLY weapon software has against physical access, but it's a VERY effective one if used properly.

    10. Re:No by growse · · Score: 5, Insightful

      Interestingly, the comic isn't making a commentary on the usefulness (or not) of cryptography. It's making fun of people who don't properly evaluate all their threats when they design security systems.

      --
      There is nothing interesting going on at my blog
    11. Re:No by allo · · Score: 4, Insightful

      you think, when google links two computing centers, they use an unencrypted connection via internet? Either they have their own physical link, or they encrypt their data.

    12. Re:No by Defenestrar · · Score: 4, Insightful

      Getting the other user to use encryption has always been the problem. If you only encrypt some items it's not a habit, and until you get every eight year old nephew and your mother in law using a client on the other end, it's not going to happen. And that's not going to happen until encryption comes default, and runs almost invisibly on every web based system and OS default mail client.

      Encryption is fundamentally opposite to the primary function of email (share information). Privacy of email is a secondary function, and already guaranteed by wiretapping laws in most countries. There's nothing inherently secure about postal mail; just because you send postal mail in an envelope doesn't mean someone can't steam it open, parse it, and seal it back up before it reaches the intended recipient. In some ways electronic mail is inherently more secure than an envelope which sits in a metal box in front of someone's house while they're at work all day. Although, being electronic, it's possible for someone to read a lot more mail in shorter time spans (or check out what's going through the "post office" while wearing an invisibility cloak).

      So until either confidentiality becomes of equal importance to the content one is communicating, or encryption happens invisibly and effortlessly; encryption is not going to be main stream.

      My prediction is that digital signatures (and time stamps) have a far better chance of hitting popularity than whole email encryption. There's a lot of people who want to do things electronically while their legal departments still force the paper and fax modality. Once identity and time are of equal (or better) verification status (i.e. subpoena of phone records), then there's a chance that electronic documents will make further progress. But that means every entrenched legal department will have to embrace a new way of doing things - and while I love the tech-savvyness of those awesome dudes over at the EFF, it has not been my experience that they represent the norm among lawyers.

  2. No Need.... by superflit · · Score: 4, Insightful

    Mostly emails I received are senseless..

    1. Re:No Need.... by Spritzer · · Score: 2, Insightful

      Exactly! And most that I send. Why would I want to encrypt my email? Then I'd just have to explain to everyone on my contact list how to decrypt a grocery list, joke, forwarded Viagra-gram etc.

  3. No (First Post?) by Mitreya · · Score: 4, Insightful

    No.
    We email to people who wouldn't know PGP from ABC

    1. Re:No (First Post?) by erikjwaxx · · Score: 3, Insightful

      This, unfortunately. I encrypt all mail with PGP that it is feasible to encrypt, taking into account the recipient. So that's, literally, one email message, ever.

    2. Re:No (First Post?) by LoadWB · · Score: 3, Insightful

      This. Encrypting email to those who don't know how to decrypt it is useless. And for those who do, email certificates in Outlook work just fine.

      Although, while at a conference I came upon a really nice package call Encryptix (or Encryptics, can't recall which.) It packages up the email, including attachments, encrypts the package, then sends it as an attachment with a link to the viewer. It's trusted by government, so take that for what it's worth to you. And it's not free (yearly subscription, but reasonable) so take that for what it's worth to you.

      Is PGP that easy these days? Haven't touched it in years due to reasons already mentioned.

    3. Re:No (First Post?) by mcelrath · · Score: 4, Insightful

      More importantly, we email people who's mail server admins don't know PGP from ABC.

      Many years ago I found that my GPG signed mails were getting quarantined by brain-dead spam and virus filters, because my mails contained a "suspicious attachment". That was the death knell for my use of GPG. Not knowing whether your mail will be received is not really acceptable. Of course that's they way it is with all mail these days...but that's the fault of incompetent law enforcement being unable to shut down spam/trojan/botnets.

      PGP was defeated by stupidity.

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
  4. Nope by halo1982 · · Score: 4, Insightful

    Because no one else does either.

  5. No. by Alrescha · · Score: 5, Insightful

    Slashdotters who know enough to have encrypted such things simply don't send that sort of thing in email.

    A.

    --
    ...bringing you cynical quips since 1998
  6. I don't use it for the encryption by digitalderbs · · Score: 5, Insightful

    I've been using PGP for a few years, and on the odd occasion, I'll send an encrypted email to myself. Part of the problem is that no one knows how to use PHP. I've been sending email to thousands of people in an academic setting, and I've only encountered one other person using PGP.

    The reason I keep using PGP, however, is because of digital signing: there's a good guarantee that signed messages were actually sent by me. Headers are fairly trivial to spoof. With PGP, a 'hacker' can only impersonate me if they have access to the private key, which requires physical or ssh access, and he or she must be able to decrypt that key.

    That said, I wish more people would encrypt their messages. This should be a no-brainer in a lot of fields, including human rights and for health and human services, and I think the barrier to commit to email encryption is still too great.

  7. Re:Nope by kid_wonder · · Score: 3, Insightful

    exactly. now please delete all other comments and just leave the parent here. not even sure why this question needed to be asked.

    --

    "Oh, you hate your job? There's a support group for that, it's called everyone, they meet at the bar."
  8. Re:Why would we? by xpwlq · · Score: 5, Insightful

    Does anyone here encipher their paper mail?

    No, but I also don't leave the envelopes unsealed either.

  9. and then.... by lkcl · · Score: 5, Insightful

    @BEGIN PGP SIGNED
    ... facebook happened.

    @END PGP SIGNED

  10. You had me at "highly insecure" by Angst+Badger · · Score: 4, Insightful

    Email is simply not a medium I would even consider using for sending sensitive information precisely because there are countless places between me and my correspondents where a message could be intercepted. In such circumstances, encrypting my email would simply alert anyone watching that something sensitive is being transmitted. And since the only "anyone watching" that I'd worry about is the government, why bother attracting the attention? If they want to know what I'm sending, all they have to do is wait for me to go to work, enter my house, and install a keylogger on my box. It's not like they even need warrants nowadays for that crap.

    If I was going to do something I wanted to hide from the government -- and let's face it, that would almost have to be a major federal felony -- and if I absolutely had to have documentation and accomplices, none of it would be in electronic form to begin with, never mind transmitted over the public internet. Encryption is useful for governments and major corporations that are basically above the law. It's not terribly useful for private citizens unless you're just trying to hide your porn folder from your roommate.

    --
    Proud member of the Weirdo-American community.
  11. Re:well by Grishnakh · · Score: 4, Insightful

    Seriously speaking, at least with Gmail (or pretty much any other email system out there), you actually have the option of having a password longer than 4 numerical digits, even though it's just for your email. Same goes for most websites; you can have a nice, long secure password on Facebook even though it's only protecting your account where you make inane posts and show stupid pictures of yourself that no one cares about.

    But for protecting your financial transactions, your debit/ATM card limits you to those 4 numerical digits. I think there's something wrong with this picture.

  12. I DO, like every DD by GPLHost-Thomas · · Score: 5, Insightful

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Like every of the ~800 Debian developer in this world, I do use
    encryption, and know how to handle PGP keys. My private key is encrypted
    in a dm-crypt partition of 2 of my laptop, and I have a revoke
    certificate handy burnt on a CD. My GPG fingerprint is also written on
    my business card, so that everyone who I met can fetch my private key
    from any of the major key servers, and check its fingerprint. My public
    key is signed by about a dozen different people, mostly other Debian
    developers, which is a strong "web of trust". If everyone was printing
    his GPG key on a business card, I could also send encrypted emails, but
    I've seen only other DDs doing it.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

    iEYEAREDAAYFAk7wBSAACgkQl4M9yZjvmklYVACfXYV3ncJnZuKosZJ8k0ZSzc3t
    SpQAn0eYtQCIrQeTcBgA1b+Yz58OVqCJ
    =EQHO
    -----END PGP SIGNATURE-----

  13. Re:well by Haeleth · · Score: 5, Insightful

    The 4-digit PIN normally only applies to buttons that you push with your finger, where brute-force attacks are not really an option. If your bank has ATMs that permit 10,000 attempts before they swallow the card, or uses a 4-digit PIN as a password for their online services, I suggest you take your money elsewhere.

  14. Encrypt? Why so no one can read my email? by triceice · · Score: 3, Insightful

    The average email user doesn't even know what SSL means or why they should only enter their bank passwords after they have verified that they are on a secure site.

    So sure I could encrypt my email but no one would take the steps to actually read it then.