Slashdot Mirror


Do Slashdotters Encrypt Their Email?

An anonymous reader writes "Many years ago when I first heard of PGP, I found an add-on that made it fairly simple to use PGP to encrypt my email. Despite the fact that these days most people know that email is a highly insecure means of communication, very few people that I know ever use any form of email encryption despite the fact that it is pretty easy to use. This isn't quite what I would have expected when I first set it up. So, my question to fellow Slashdotters is 'Do you encrypt your email?' If not, 'Why not?' and 'Why has email encryption using PGP or something similar not become more commonplace?' The use of cryptography used to be a hot topic once upon a time."

7 of 601 comments

  1. Re:No by Anonymous Coward · Score: 5, Interesting

    I think it's largely pointless anyway...

    Most people (myself included) use a web based email client, where the plain text form of the email would be easily snatchable by the one party with any likely chance to actually intercept an email.

    Cryptographic signing has a place, but even that falls into the cryptogeek fantasy realm, but if you're into that sorta thing... you can always join the Debian community.

  2. Well yeah... by Panaflex · Score: 4, Interesting

    In our business, I routinely communicate with customers using S/MIME mail. We set it up as part of the contract (not in the terms, just as part of the meet-n-greet kickoff), so anything related to the contract work goes through encrypted.

    Crypto is our business... so it only makes sense.

    --
    I said no... but I missed and it came out yes.

  3. Re:No (First Post?) by flaming error · Score: 5, Interesting

    I was negotiating a mortgage a few years ago, and the bank happily was transitioning from faxes to email. So I sent them all the somewhat sensitive docs they requested, encrypted by hushmail/web. I sent them decryption instructions out of band.

    The pretty simple decryption procedure baffled the hell out of them, at first. Then they figured out it was a great excuse to delay the loan. After a few weeks they came back saying they couldn't follow the hushmail retrieval procedure because they had no internet access.

    Finally I just faxed everything.

  4. Re:I DO, like every DD by mortonda · Score: 4, Interesting

    gpg: Signature made Mon Dec 19 21:46:40 2011 CST using DSA key ID 98EF9A49
    gpg: Good signature from ........

    Not posting the rest, but you can get the name and email address from the signature. :) I'd be surprised if any spammers know how to do that though.

  5. Re:No by Hadlock · Score: 5, Interesting

    I wonder; if I am using gmail, and send an "email" to another gmail user -- both users are required to use https to connect to gmail, does that mean we're in effect using encrypted (RC4_128 according to gmail/chrome) email?

    --
    moox. for a new generation.

  6. Re:Very rarely, alas. by mlts · Score: 4, Interesting

    When it comes down to it, there is no one program that can truly automate good security. At some point, users cannot be spoon fed and have to do it themselves. CAs can be spoofed, trusted introducers can be hacked or bribed, and so on.

    In reality, if you want security these days (I mean actual security, not some pretty spiffy lock icon promising security), then you will have to go out and pack your own parachute, just as people did in the early 1990s.

    It is easier now than it was back then -- gpg and the commercial PGP versions can encrypt and decrypt clipboard contents, and both Android and the iPhone have implementations of this. It is also easier in that the specter of encryption being outlawed is not over our heads as it was back in the days of the Clipper Chip.

    So, it boils down to a social issue more than a technical one now. Do people want to do proper keysigning gatherings, stick their PGP IDs and signatures on their business cards, and have this info as much a part of their contact info as their E-mail address and FB contacts? If we can get people to understand this and the concept of a web of trust, security in general will be much improved.

  7. Re:No by Pi1grim · Score: 5, Interesting

    There is also that: most of the people I communicate with use GMail, and as the message does not leave the server and server-client communication is over SSL, it eliminates the third, unencrypted link in the communication chain.
    As for GPG — only a small percentage of even IT-inclined people I know have bothered to generate a key and set up an encryption/decryption solution. Mostly those who have to deal with very sensitive material from time to time.
    Although there is a government-issued smartcard that allows for a widely adopted solution for asymmetric encryption that has software mostly on every computer, which kind of makes the situation a little better (I don't have to get into details explaining about the encryption, public and secret keys or explain how to install the software). Keys are government-issued OpenSC-compatible crypto cards, pubkeys are available online if you know a person's name. So in case of emergency I can always encrypt files with that, given that almost everyone has them now.
    P.S. That is about Estonia.