Slashdot Mirror


Do Slashdotters Encrypt Their Email?

An anonymous reader writes "Many years ago when I first heard of PGP, I found an add-on that made it fairly simple to use PGP to encrypt my email. Despite the fact that these days most people know that email is a highly insecure means of communication, very few people that I know ever use any form of email encryption despite the fact that it is pretty easy to use. This isn't quite what I would have expected when I first set it up. So, my question to fellow Slashdotters is 'Do you encrypt your email? If not, 'Why not?' and 'Why has email encryption using PGP or something similar not become more commonplace?' The use of cryptography used to be a hot topic once upon a time."

13 of 601 comments

  1. No by Anonymous Coward · · Score: 5, Insightful

    Nor does anyone else. Unfortunate, but true.

    1. Re:No by EdIII · · Score: 5, Insightful

      Most people are lazy and don't feel they have the need to encrypt their communications. If they are willing to post the shit they do on Facebook, they are already a lost cause from a privacy/anonymity viewpoint.

      Setting up email to send encrypted payloads is not easy for most people, and the people that know how, quickly lose interest after spending an hour to set up one person.

      Now, all of my emails *are* encrypted, and not just in transit. I use a special IMAP connector for Outlook that encrypts all traffic with SSL to the mail server. The web portal for my email server is encrypted with SSL as well. Where *possible* my mail server will negotiate a secure connection to a remote server, but that is pretty damn rare. On my personal computer the message store is located on a TrueCrypt drive, so if my computer is lost or stolen, I am not worried about the message store, which is temporary anyways since the email is stored on the server.

      All of it is pointless if the other party is not doing the same exact thing, which is most of the time. So I never send anything in the clear that I don't want analyzed, categorized, and used by private corporations and government.

      For correspondence that needs to remain secure I usually set up an email account on the same server. That way everything is encrypted down to the message store and emails sent between domains hosted on the same mail server are just internally routed.

      This is the same reason why truly secure phone calls are next to impossible in systems that must be able to perform call setups to any other phone. Too many intermediary points that cannot handle it. ZRTP, while interesting, is a long way from implementation, and will never address insecure endpoints like landlines and cell phones.

      It's the other end that is the problem, just as you say, but it is also the points in between. As long as there are free services that won't waste the CPU cycles to negotiate encryption between mail servers, it does not make that much sense.

      Bottom line, I am secure where I need to be, not through encryption specifically, but choosing what I say, when I say it, and what communications medium I choose.

    2. Re:No by mellon · · Score: 5, Insightful

      Turns out that a lot of email leaks to typo domains. So in fact encrypting the email would have been a really good idea in these cases.

      The reason encryption hasn't taken off is that it's not done by default, and can't be enabled by clicking a checkbox.
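    The "leaks to typo domains" point above is the kind of thing a sending-side check can catch before the mail leaves. The following is an added example, not code from the original thread or any poster: it parses a To:/Cc: header and flags recipients whose domain is not on a known-correspondent allowlist but is within a couple of edits of one (a classic lookalike or doppelganger domain). The allowlist, header and threshold are constructed for the demo.

```python
"""Outbound typo-domain check: flag recipients whose domain is unknown but
only a few edits away from a domain we normally correspond with."""
from email.utils import getaddresses

# Constructed sample allowlist: domains this sender actually corresponds with.
KNOWN_DOMAINS = {"example.com", "example.org", "corp-mail.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), two-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def nearest_known(domain: str, known=KNOWN_DOMAINS):
    """Closest known domain to `domain` and the distance to it."""
    best = min(sorted(known), key=lambda k: edit_distance(domain, k))
    return best, edit_distance(domain, best)


def suspicious_recipients(header_value: str, known=KNOWN_DOMAINS,
                          max_distance: int = 2):
    """Parse a To:/Cc: header value and return (address, lookalike, distance)
    for each recipient whose domain is not known but is within `max_distance`
    edits of a known one. Exact matches and clearly unrelated domains are
    not reported."""
    findings = []
    for _name, addr in getaddresses([header_value]):
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
        if domain in known:
            continue
        best, dist = nearest_known(domain, known)
        if dist <= max_distance:
            findings.append((addr, best, dist))
    return findings


if __name__ == "__main__":
    # Constructed header: one good address, two near-misses, one unrelated.
    hdr = ("Alice <alice@example.com>, bob@examp1e.com, "
           "Carol <carol@exmaple.com>, erin@totally-different.test")
    for addr, lookalike, dist in suspicious_recipients(hdr):
        print(f"HOLD: {addr} looks like {lookalike} (distance {dist})")
```

    A mail client or submission-side milter can hold anything this returns for confirmation; a distance threshold of 2 catches single typos and transpositions without flagging genuinely different domains.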

    3. Re:No by wanzeo · · Score: 5, Insightful

      I am tired of seeing this comic used as a dismissal of encryption, it is a joke. If you actually think someone is going to drug you or hit you with a wrench, then you have reached a level of paranoia far more ridiculous than the idea of using 4096 bit encryption.

      I use the very user friendly disk encryption that the Fedora installer provides, and I feel much more at ease taking my laptop out in public.

      As for email, no I don't encrypt them, but I might be willing to learn if the summary had more info than a wikipedia article for PGP.

    4. Re:No by neyla · · Score: 5, Insightful

      Indeed. This argument does nothing to diminish the usefulness of crypto.

      Yes people can force you to do various things, but the likelihood of that is lower than the chance that they'll do the same thing secretly if they can get away with it.

      Just because someone can hit you with a wrench and take your card-key, it doesn't follow that locking your house is useless. Just because someone can hit you with a wrench until you give up your PIN-code, it doesn't follow that having the card be pin-protected is useless.

      That something doesn't protect against -all- threats, doesn't make it useless. It's still useful if it protects against *some* threats.

    5. Re:No by DarwinSurvivor · · Score: 5, Insightful

      *The old rule that if they have physical access to your machine, your software security is already nullified

      That depends on what you are trying to protect. No, software will not prevent them from controlling the machine, copying the HDD, etc, but it CAN prevent them from being able to USE any of that data. Encryption is the ONLY weapon software has against physical access, but it's a VERY effective one if used properly.

    6. Re:No by growse · · Score: 5, Insightful

      Interestingly, the comic isn't making a commentary on the usefulness (or not) of cryptography. It's making fun of people who don't properly evaluate all their threats when they design security systems.

      --
      There is nothing interesting going on at my blog
  2. No. by Alrescha · · Score: 5, Insightful

    Slashdotters who know enough to have encrypted such things simply don't send that sort of thing in email.

    A.

    --
    ...bringing you cynical quips since 1998
  3. I don't use it for the encryption by digitalderbs · · Score: 5, Insightful

    I've been using PGP for a few years, and on the odd occasion, I'll send an encrypted email to myself. Part of the problem is that no one knows how to use PGP. I've been sending email to thousands of people in an academic setting, and I've only encountered one other person using PGP.

    The reason I keep using PGP, however, is because of digital signing: there's a good guarantee that signed messages were actually sent by me. Headers are fairly trivial to spoof. With PGP, a 'hacker' can only impersonate me if they have access to the private key, which requires physical or ssh access, and he or she must be able to decrypt that key.

    That said, I wish more people would encrypt their messages. This should be a no-brainer in a lot of fields, including human rights and for health and human services, and I think the barrier to commit to email encryption is still too great.

  4. Re:Why would we? by xpwlq · · Score: 5, Insightful

    Does anyone here encipher their paper mail?

    No, but I also don't leave the envelopes unsealed either.

  5. and then.... by lkcl · · Score: 5, Insightful

    @BEGIN PGP SIGNED
    ... facebook happened.

    @END PGP SIGNED

  6. I DO, like every DD by GPLHost-Thomas · · Score: 5, Insightful

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Like every of the ~800 Debian developer in this world, I do use
    encryption, and know how to handle PGP keys. My private key is encrypted
    in a dm-crypt partition of 2 of my laptop, and I have a revoke
    certificate handy burnt on a CD. My GPG fingerprint is also written on
    my business card, so that everyone who I met can fetch my private key
    from any of the major key servers, and check its fingerprint. My public
    key is signed by about a dozen different people, mostly other Debian
    developers, which is a strong "web of trust". If everyone was printing
    his GPG key on a business card, I could also send encrypted emails, but
    I've seen only other DDs doing it.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

    iEYEAREDAAYFAk7wBSAACgkQl4M9yZjvmklYVACfXYV3ncJnZuKosZJ8k0ZSzc3t
    SpQAn0eYtQCIrQeTcBgA1b+Yz58OVqCJ
    =EQHO
    -----END PGP SIGNATURE-----
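    The signing guarantee from comment 3 above (a signed message can only be impersonated by whoever holds the private key) and the fingerprint check from comment 6 (a fingerprint printed on a business card, compared against the key fetched from a key server), worked through end to end. This is an added example, not code from the original thread or from any poster: it assumes GnuPG 2.1 or later on PATH, runs entirely in throw-away GNUPGHOME directories so the real keyring is untouched, and the user ID, message and "business card" fingerprint string are constructed for the demo. It signs a message, verifies it, shows that editing the signed body produces a bad signature, shows that a keyring without the signer's public key cannot verify it, exports the public key into that keyring and verifies again, then checks a printed fingerprint against the key.

```python
"""Sign a message with GnuPG and exercise what a recipient relies on: a
tampered body fails verification, a keyring lacking the signer's public key
cannot verify at all, and a printed fingerprint can be checked against the
key. Assumes GnuPG >= 2.1 on PATH; everything runs in temporary keyrings."""
import os
import shutil
import subprocess
import tempfile


def _gpg(home: str, *args: str, stdin: str = None) -> subprocess.CompletedProcess:
    """Run gpg non-interactively against an isolated keyring in `home`."""
    env = dict(os.environ, GNUPGHOME=home)
    cmd = ["gpg", "--batch", "--yes", "--no-tty",
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True, env=env)


def make_key(home: str, uid: str) -> str:
    """Generate an unprotected Ed25519 signing key and return its fingerprint."""
    _gpg(home, "--quick-generate-key", uid, "ed25519", "sign", "0").check_returncode()
    listing = _gpg(home, "--list-keys", "--with-colons", "--with-fingerprint", uid).stdout
    for line in listing.splitlines():
        if line.startswith("fpr:"):
            return line.split(":")[9]   # field 10 of an fpr record is the fingerprint
    raise RuntimeError("fingerprint not found")


def clearsign(home: str, text: str) -> str:
    """Clearsign `text` with the only secret key in `home`."""
    r = _gpg(home, "--clearsign", stdin=text)
    r.check_returncode()
    return r.stdout


def verify(home: str, signed_text: str) -> bool:
    """True only for a good signature by a key present in `home`."""
    return _gpg(home, "--verify", stdin=signed_text).returncode == 0


def fingerprint_matches(printed: str, actual: str) -> bool:
    """Compare a fingerprint as printed (grouped, any case) with the real one."""
    norm = lambda s: "".join(s.split()).upper()
    return norm(printed) == norm(actual)


def demo(message: str = "Send 100 EUR to the usual account.\n") -> dict:
    """Run the whole exchange and return each verification outcome."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    signer = tempfile.mkdtemp(prefix="gpg-signer-")   # the sender's keyring
    reader = tempfile.mkdtemp(prefix="gpg-reader-")   # a recipient's keyring
    try:
        fpr = make_key(signer, "Test Signer <signer@example.invalid>")  # constructed UID
        signed = clearsign(signer, message)
        results = {
            "genuine_on_signer": verify(signer, signed),
            # Change the amount inside the signed body: BAD signature.
            "tampered_on_signer": verify(signer, signed.replace("100 EUR", "900 EUR")),
            # Reader has no copy of the public key yet: cannot check signature.
            "genuine_without_key": verify(reader, signed),
        }
        pubkey = _gpg(signer, "--armor", "--export", fpr).stdout
        _gpg(reader, "--import", stdin=pubkey).check_returncode()
        results["genuine_after_import"] = verify(reader, signed)
        # Fingerprint as it would be printed on a card: 4-char groups, lower case.
        card = " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4)).lower()
        results["card_fingerprint_matches"] = fingerprint_matches(card, fpr)
        return results
    finally:
        for home in (signer, reader):
            try:
                subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                               env=dict(os.environ, GNUPGHOME=home), capture_output=True)
            except FileNotFoundError:
                pass
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

    Two things the run makes concrete: `genuine_after_import` is true even though the reader has not signed or trusted the key (gpg reports a good signature with a trust warning and still exits 0), so the fingerprint comparison, or a signature from someone in your web of trust, is what ties the key to a person; and only the public key ever leaves the signer's keyring.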

  7. Re:well by Haeleth · · Score: 5, Insightful

    The 4-digit PIN normally only applies to buttons that you push with your finger, where brute-force attacks are not really an option. If your bank has ATMs that permit 10,000 attempts before they swallow the card, or uses a 4-digit PIN as a password for their online services, I suggest you take your money elsewhere.