Slashdot Mirror

← Back to Stories (view on slashdot.org)

Do Slashdotters Encrypt Their Email?

Posted by Unknown on from the translate-it-to-navajo dept.

An anonymous reader writes "Many years ago when I first heard of PGP, I found an add-on that made it fairly simple to use PGP to encrypt my email. Despite the fact that these days most people know that email is a highly insecure means of communication, very few people that I know ever use any form of email encryption despite the fact that it is pretty easy to use. This isn't quite what I would have expected when I first set it up. So, my question to fellow Slashdotters is 'Do you encrypt your email? If not, 'Why not?' and 'Why has email encryption using PGP or something similar not become more commonplace?' The use of cryptography used to be a hot topic once upon a time."

52 of 601 comments (clear)

  1. No by Anonymous Coward · · Score: 5, Insightful

    Nor does anyone else. Unfortunate, but true.

    1. Re:No by Anonymous Coward · · Score: 5, Interesting

      I think it's largely pointless anyway...

      Most people (myself included) use a web based email client, where the plain text form of the email would be easily snatchable by the one party with any likely chance to actually intercept an email.

      Cryptographic signing has a place, but even that falls into the cryptogeek fantasy realm, but If you're into that sorta thing.. you can always join the Debian community.

    2. Re:No by pclminion · · Score: 4, Informative

      Encrypted PDF is tricky. Only the string and stream data of the document is actually encrypted -- all the structural information of the document remains in plain text. The number of pages, the presence of images, size of those images, amount of text on each page can all be easily determined.

      If you want to encrypt a PDF, use a file encryption tool, not PDF encryption. It doesn't work quite how you assume it does.

    3. Re:No by ZorinLynx · · Score: 5, Funny

      "cryptogeek fantasy realm" indeed. Reminds me of this comic that tells it like it is.

      http://xkcd.com/538/

    4. Re:No by hedwards · · Score: 4, Insightful

      Precisely, when news reports surface of emails being leaked or stolen, rarely if ever do those reports refer to emails being stolen en route. Almost always they're leaked by somebody with access to either the mail server for that domain or the person's own computer.

      Sure one could catch an email en route, but in practice that's hit or miss without having control of the networks to which either the sending or receiving server connects and full knowledge that the email is coming. Without that it's not likely to be profitable to do so as you'd never know which emails to collect.

    5. Re:No by EdIII · · Score: 5, Insightful

      Most people are lazy and don't feel they have the need to encrypt their communications. If they are willing to post the shit they do on Facebook, they are already a lost cause from a privacy/anonymity viewpoint.

      Setting up email to send encrypted payloads is not easy for most people, and the people that know how, quickly lose interest after spending an hour to set up one person.

      Now, all of my emails *are* encrypted, and not just in transit. I use a special IMAP connector for Outlook that encrypts all traffic with SSL to the mail server. The web portal for my email server is encrypted with SSL as well. Where *possible* my mail server will negotiate a secure connection to a remote server, but that is pretty damn rare. On my personal computer the message store is located on a TrueCrypt drive, so if my computer is lost or stolen, I am not worried about the message store, which is temporary anyways since the email is stored on the server.

      All of it is pointless if the other party is not doing the same exact thing, which is most of the time. So I never send anything in the clear that I don't want analyzed, categorized, and used by private corporations and government.

      For correspondence that needs to remain secure I usually set up an email account on the same server. That way everything is encrypted down to the message store and emails sent between domains hosted on the same mail server are just internally routed.

      This is the same reason why truly secure phone calls are next to impossible in systems that must be able to perform call setups to any other phone. Too many intermediary points that cannot handle it. ZRTP, while interesting, is a long way from implementation, and will never address insecure endpoints like landlines and cell phones.

      It's the other end that is problem, just as you say, but it is also the points in between. As long as there are free services that won't waste the CPU cycles to negotiate encryption between mail servers, it does not make that much sense.

      Bottom line, I am secure where I need to be, not through encryption specifically, but choosing what I say, when I say it, and what communications medium I choose.

    6. Re:No by mellon · · Score: 5, Insightful

      Turns out that a lot of email leaks to typo domains. So in fact encrypting the email would have been a really good idea in these cases.

      The reason encryption hasn't taken off is that it's not done by default, and can't be enabled by clicking a checkbox.

    7. Re:No by Hadlock · · Score: 5, Interesting

      I wonder; if I am using gmail, and send an "email" to another gmail user -- both users are required to use https to connect to gmail, does that mean we're in effect using encrypted (RC4_128 according to gmail/chrome) email?

      --
      moox. for a new generation.
    8. Re:No by Vrtigo1 · · Score: 5, Informative

      Not entirely - as you pointed out SSL would secure the connection between the your computer and your server, however the connection between your server and the remote server, as well as the connection between the recipients computer and their mail server would remain unencrypted, so effectively you only have encryption on 1 of 3 links.

      Message encryption makes transport encryption unnecessary. I.E. you don't care if someone grabs the body of the e-mail because it's useless if you can't decrypt it. Although I do recognize that I, along with most of the rest of the world I think, consider e-mail an inherently insecure communication tool and treat it as such. If you need to send something secure through e-mail, throw it in a password protected rar file and send it as an attachment.

    9. Re:No by PopeRatzo · · Score: 5, Funny

      Nor does anyone else. Unfortunate, but true.

      Are you kidding? I don't even talk to my wife without a Feistel cipher. My daughter's first words were via a one-time pad.

      We're careful in my house.

      Did I ever tell my story (this part is true) about the Bletchley Park alum that my wife worked with when she first got a tenure track position? I don't want to use his name because he passed not too long ago, but when he had office hours for his students, he'd show up in pajama bottoms with burnholes from the pipe he always kept stoked in his mouth. He was a sweet old dude, but you'd wonder how he made it out of the house every morning. In his final few years he was convinced that someone was out to get him and eventually it turned into unnamed Jews who were planning his demise. He was a British subject and there were stories of the stuff he did a Bletchley during the war when he was like 17 or 18 so what do I know? Maybe the Jews were out to get him.

      Anyway, naw, I don't encrypt anything. I have a hard enough time communicating in open text. All of my passwords are my dog's name. I just say the opposite of everything I mean to throw off the New World Order. So when I email my wife, I'll write, "Don't meet me at the 5:10pm train and don't pick up my shirts at the laundry." Neat, huh?

      --
      You are welcome on my lawn.
    10. Re:No by Oswald · · Score: 5, Informative

      I believe that would be a "no" unless you consider parading your message past Google, who probably keeps a bigger file on you than any other entity, private. And it might be a worse than that--saying it's only Google that sees the message assumes that Google doesn't decrypt the message in one facility, send it from that data center to another in the clear, then re-encrypt and send to your recipient. Whose to say your mail server is in the same facility as his just because both accounts are with Google?

    11. Re:No by mr100percent · · Score: 4, Informative

      That's why there are S/MIME browser plugins like Penango for GMail.

    12. Re:No by Hadlock · · Score: 4, Insightful

      Whoever has access to your google information, probably has physical access to whatever server your email would sit on otherwise*. I guess it's not an 100% effective means, but in terms of point-to-point email encryption, it's probably the easiest and/or most widely used email encryption scheme avalible to the general public.
       
      *The old rule that if they have physical access to your machine, your software security is already nullified

      --
      moox. for a new generation.
    13. Re:No by Anonymous Coward · · Score: 4, Insightful

      Though we should point out, in both cases the message contents still aren't protected from anyone with administrative access. The transports alone are protected.

    14. Re:No by Anonymous Coward · · Score: 5, Funny

      Anyway, naw, I don't encrypt anything. I have a hard enough time communicating in open text. All of my passwords are my dog's name. I just say the opposite of everything I mean to throw off the New World Order. So when I email my wife, I'll write, "Don't meet me at the 5:10pm train and don't pick up my shirts at the laundry." Neat, huh?

      Same here. The only problem is that our dog does not come when I call. It seems that dogs have a problem recognizing names that are 41 random characters...

    15. Re:No by DeBaas · · Score: 4, Funny

      So when I email my wife, I'll write, "Don't meet me at the 5:10pm train and don't pick up my shirts at the laundry." Neat, huh?

      You're probably one of the very few dudes that has a wife that listens..

      --
      ---
    16. Re:No by man_ls · · Score: 4, Informative

      Pretty sure that's S/MIME, not PGP. Which in my opinion is the most correct of the email encryption options, and has the least support.

    17. Re:No by Pi1grim · · Score: 5, Interesting

      There is also that: most of people I communicate with use GMail and as the message does not leave the server and server-client communication is over ssl, so it eliminates the third, unencrypted link in the communication chain.
      As for GPG — only a small percentage of even IT inclined people I know have bothered to generate a key and setup encryption/decryption solution. Mostly those, that have to deal with very sensitive material from time to time.
      Although there is a government issued smartcard that allows for a widely adopted solution for asymmetric encryption that has software mostly on every computer, which kind of makes the situation a little better (I don't have to get into details explaining about the encryption, public and secret keys or explain how to install the software). Keys are government-issued opensc compatible crypto cards, pubkeys are available online if you know a person's name. So in case of emergency I can always encrypt files with that, given that almost everyone has them now.
      P.S. That is about Estonia.

    18. Re:No by wanzeo · · Score: 5, Insightful

      I am tired of seeing this comic used as a dismissal of encryption, it is a joke. If you actually think someone is going to drug you or hit you with a wrench, then you have reached a level of paranoia far more ridiculous than the idea of using 4096 bit encryption.

      I use the very user friendly disk encryption that the Fedora installer provides, and I feel much more at ease taking my laptop out in public.

      As for email, no I don't encrypt them, but I might be willing to learn if the summary had more info than a wikipedia article for PGP.

    19. Re:No by jakuaii · · Score: 5, Informative

      The main problem with OpenPGP on mail for me is that due to the unique key per recipient, if you add more than one recipient or cc, you have to encrypt the mail for each and every one of them. If you add some attachments it's pretty sure that you will hit the maximum allowed mail size of some mail server along the way.

      Uh, no. It's called "session keys". The content is encrypted with a random number (the session key), and this random number is in turn encrypted with the recipients' private keys. As the content is usually compressed too before encryption, the result may even be a smaller e-mail than without...

    20. Re:No by neyla · · Score: 5, Insightful

      Indeed. This argument does nothing to diminish the usefulness of crypto.

      Yes people can force you to do various things, but the likeliness of that is lower than the chance that they'll do the same thing secretly if they can get away with it.

      Just because someone can hit you with a wrench and take your card-key, it doesn't follow that locking your house is useless. Just because someone can hit you with a wrench until you give up your PIN-code, it doesn't follow that having the card be pin-protected is useless.

      That something doesn't protect against -all- threaths, doesn't make it useless. It's still useful if it protects against *some* threaths.

    21. Re:No by DarwinSurvivor · · Score: 5, Insightful

      *The old rule that if they have physical access to your machine, your software security is already nullified

      That depends on what you are trying to protect. No, software will not prevent them from controlling the machine, copying the HDD, etc, but it CAN prevent them from being able to USE any of that data. Encryption is the ONLY weapon software has against physical access, but it's a VERY effective one if used properly.

    22. Re:No by growse · · Score: 5, Insightful

      Interestingly, the comic isn't making a commentary on the usefulness (or not) of cryptography. It's making fun of people who don't properly evaluate all their threats when they design security systems.

      --
      There is nothing interesting going on at my blog
    23. Re:No by allo · · Score: 4, Insightful

      you think, when google links two computing centers, they use an unencrypted connection via internet? Either they have their own physical link, or they encrypt their data.

    24. Re:No by gadget+junkie · · Score: 4, Funny

      So when I email my wife, I'll write, "Don't meet me at the 5:10pm train and don't pick up my shirts at the laundry." Neat, huh?

      You're probably one of the very few dudes that has a wife that listens..

      It's not a wife. It's an encrypted husband.

      --
      "If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
    25. Re:No by Defenestrar · · Score: 4, Insightful

      Getting the other user to use encryption has always been the problem. If you only encrypt some items it's not a habit, and until you get every eight year old nephew and your mother in law using a client on the other end, it's not going to happen. And that's not going to happen until encryption comes default, and runs almost invisibly on every web based system and OS default mail client.

      Encryption is fundamentally opposite to the primary function of email (share information). Privacy of email is a secondary function, and already guaranteed by wiretapping laws in most countries. There's nothing inherently secure about postal mail; just because you send postal mail in an envelope doesn't mean someone can't steam it open, parse it, and seal it back up before it reaches the intended recipient. In some ways electronic mail is inherently more secure than an envelope which sits in a metal box in front of someone's house while they're at work all day. Although, being electronic, it's possible for someone to read a lot more mail in shorter time spans (or check out what's going through the "post office" while wearing an invisibility cloak).

      So until either confidentiality becomes of equal importance to the content one is communicating, or encryption happens invisibly and effortlessly; encryption is not going to be main stream.

      My prediction is that digital signatures (and time stamps) have a far better chance of hitting popularity than whole email encryption. There's a lot of people who want to do things electronically while their legal departments still force the paper and fax modality. Once identity and time are of equal (or better) verification status (i.e. subpoena of phone records), then there's a chance that electronic documents will make further progress. But that means every entrenched legal department will have to embrace a new way of doing things - and while I love the tech-savvyness of those awesome dudes over at the EFF, it has not been my experience that they represent the norm among lawyers.

  2. No Need.... by superflit · · Score: 4, Insightful

    Mostly emails I received are senseless..

  3. well by hjf · · Score: 5, Funny

    I don't. I use GMail. I might as well use "1234" as a password.

    1. Re:well by NonUniqueNickname · · Score: 5, Funny

      May I suggest changing your password to "12345"? It is an order of magnitude safer.

    2. Re:well by s4m7 · · Score: 5, Funny

      So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

      --
      This comment is fully compliant with RFC 527.
    3. Re:well by Grishnakh · · Score: 4, Insightful

      Seriously speaking, at least with Gmail (or pretty much any other email system out there), you actually have the option of having a password longer than 4 numerical digits, even though it's just for your email. Same goes for most websites; you can have a nice, long secure password on Facebook even though it's only protecting your account where you make inane posts and show stupid pictures of yourself that no one cares about.

      But for protecting your financial transactions, your debit/ATM card limits you to those 4 numerical digits. I think there's something wrong with this picture.

    4. Re:well by Haeleth · · Score: 5, Insightful

      The 4-digit PIN normally only applies to buttons that you push with your finger, where brute-force attacks are not really an option. If your bank has ATMs that permit 10,000 attempts before they swallow the card, or uses a 4-digit PIN as a password for their online services, I suggest you take your money elsewhere.

  4. No (First Post?) by Mitreya · · Score: 4, Insightful

    No.
    We email to people who wouldn't know PGP from ABC

    1. Re:No (First Post?) by flaming+error · · Score: 5, Interesting

      I was negotiating a mortgage a few years ago, and the bank happily was transitioning from faxes to email. So I sent them all the somewhat sensitive docs they requested, encrypted by hushmail/web. I sent them decryption instructions out of band.

      The pretty simple decryption procedure baffled the hell out of them, at first. Then they figured out it was a great excuse to delay the loan. After a few weeks they came back saying they couldn't follow the hushmail retrieval procedure because they had no internet access.

      Finally I just faxed everything.

    2. Re:No (First Post?) by mcelrath · · Score: 4, Insightful

      More importantly, we email people who's mail server admins don't know PGP from ABC.

      Many years ago I found that my GPG signed mails were getting quarantined by brain-dead spam and virus filters, because my mails contained a "suspicious attachment". That was the death knell for my use of GPG. Not knowing whether your mail will be received is not really acceptable. Of course that's they way it is with all mail these days...but that's the fault of incompetent law enforcement being unable to shut down spam/trojan/botnets.

      PGP was defeated by stupidity.

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    3. Re:No (First Post?) by langelgjm · · Score: 4, Informative

      Exactly. Several years ago, I used to sign e-mails with PGP (not encrypt, just sign). At the time, some Outlook Express clients would red flag this, and display a large, glaring warning to readers about PGP-signed e-mails. Despite the fact that the bug was due to Outlook Express, I stopped using PGP... it's not like I could force all my recipients to a better mail client.

      --
      "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
  5. Nope by halo1982 · · Score: 4, Insightful

    Because no one else does either.

  6. No. by Alrescha · · Score: 5, Insightful

    Slashdotters who know enough to have encrypted such things simply don't send that sort of thing in email.

    A.

    --
    ...bringing you cynical quips since 1998
  7. I don't use it for the encryption by digitalderbs · · Score: 5, Insightful

    I've been using PGP for a few years, and on the odd occasion, I'll send an encrypted email to myself. Part of the problem is that no one knows how to use PHP. I've been sending email to thousands of people in an academic setting, and I've only encountered one other person using PGP.

    The reason I keep using PGP, however, is because of digital signing: there's a good guarantee that signed messages were actually sent by me. Headers are fairly trivial to spoof. With PGP, a 'hacker' can only impersonate me if they have access to the private key, which requires physical or ssh access, and he or she must be able to decrypt that key.

    That said, I wish more people would encrypt their messages. This should be a no-brainer in a lot of fields, including human rights and for health and human services, and I think the barrier to commit to email encryption is still too great.

    1. Re:I don't use it for the encryption by antifoidulus · · Score: 4, Funny

      Part of the problem is that no one knows how to use PHP

      While that's true, I don't see how it relates to email encryption

      --
      Monstar L
  8. Re:Why would we? by xpwlq · · Score: 5, Insightful

    Does anyone here encipher their paper mail?

    No, but I also don't leave the envelopes unsealed either.

  9. Re:Needs publicity by Alrescha · · Score: 4, Informative

    Both PGP and S/MIME are end-to-end encrypted. Not very useful for webmail users.

    A.

    --
    ...bringing you cynical quips since 1998
  10. Well yeah... by Panaflex · · Score: 4, Interesting

    In our business, I routinely communicate with customers using s/mime mail. We set it up as part of the contract (not in the terms, just as part of the meet-n-greet kickoff), so anything related to the contract work goes through encrypted.

    Crypto is our business... so it only makes sense.

    --
    I said no... but I missed and it came out yes.
  11. and then.... by lkcl · · Score: 5, Insightful

    @BEGIN PGP SIGNED
    ... facebook happened.

    @END PGP SIGNED

  12. I'd love to ! by mystik · · Score: 4, Informative

    My sig (since 2002/2001) on /. has been "Why arn't you encrypting your email?".

    The answer is simple -- there was never a critical mass of people exchanging keys nor was there an easy-to-explain web of trust, nor was there a simple, free reliable certificate authority.

    In 2002, Outlook Express offered integrated s/mime encryption + digital signatures. Once you installed your certificate (which, was simply double clicking a .p12 file, and entering your import password), you could encrypt or sign email going out, with a single click. It verified signatures in inbound email too, all in an integrated UI.

    No one I knew used it.

    Even today; Windows Live mail + Thunderbird offer integrated s/mime encryption. Maybe 1 or 2 of my technically literate friends use it. And of those 2, i think only one persists using it to this day.

    Back then, when all I had was my Palm Pilot IIIxe, I thought "Whoa. I hold in my hand a portable computer that I can use to exchange digital signatures with". I even kept my pgp key in a note I could beam to someone, given the chance. Never happened.

    Nowadays, even AGP on Android doesn't let me exchange keys with someone meet on the street, on the off change they happen to use it. Secure key exchange would be a trivial problem for today's smart phones (provided the carrier isn't using carrieriq to swipe your data....), but there still is no critical mass to make this worthwhile.

    And, with most folks using webmail, You'd have to come up with a hackish way to encrypt mail client side (pgp copy/paste to the clipboard? w/ Rich text? attachments?), or just hand your keys to your provider. Doing the encryption server side would make the service provider an easy target for legal and hacking threats.

    It's a tough nugget to crack, and it's not going to be solved until mail encryption is as easy to use as Facebook.

    --
    Why aren't you encrypting your e-mail?
  13. You had me at "highly insecure" by Angst+Badger · · Score: 4, Insightful

    Email is simply not a medium I would even consider using for sending sensitive information precisely because there are countless places between me and my correspondents where a message could be intercepted. In such circumstances, encrypting my email would simply alert anyone watching that something sensitive is being transmitted. And since the only "anyone watching" that I'd worry about is the government, why bother attracting the attention? If they want to know what I'm sending, all they have to do is wait for me to go to work, enter my house, and install a keylogger on my box. It's not like they even need warrants nowadays for that crap.

    If I was going to do something I wanted to hide from the government -- and let's face it, that would almost have to be a major federal felony -- and if I absolutely had to have documentation and accomplices, none of it would be in electronic form to begin with, never mind transmitted over the public internet. Encryption is useful for governments and major corporations that are basically above the law. It's not terribly useful for private citizens unless you're just trying to hide your porn folder from your roommate.

    --
    Proud member of the Weirdo-American community.
  14. I don't by Anonymous Coward · · Score: 5, Funny

    If I encrypted it the government would start reading it.

  15. I DO, like every DD by GPLHost-Thomas · · Score: 5, Insightful

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Like every of the ~800 Debian developer in this world, I do use
    encryption, and know how to handle PGP keys. My private key is encrypted
    in a dm-crypt partition of 2 of my laptop, and I have a revoke
    certificate handy burnt on a CD. My GPG fingerprint is also written on
    my business card, so that everyone who I met can fetch my private key
    from any of the major key servers, and check its fingerprint. My public
    key is signed by about a dozen different people, mostly other Debian
    developers, which is a strong "web of trust". If everyone was printing
    his GPG key on a business card, I could also send encrypted emails, but
    I've seen only other DDs doing it.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

    iEYEAREDAAYFAk7wBSAACgkQl4M9yZjvmklYVACfXYV3ncJnZuKosZJ8k0ZSzc3t
    SpQAn0eYtQCIrQeTcBgA1b+Yz58OVqCJ
    =EQHO
    -----END PGP SIGNATURE-----

    1. Re:I DO, like every DD by mortonda · · Score: 4, Interesting

      gpg: Signature made Mon Dec 19 21:46:40 2011 CST using DSA key ID 98EF9A49
      gpg: Good signature from ........

      Not posting the rest, but you can get the name and email address from the signature. :) I'd be surprised if any spammers know how to do that though.

  16. Very rarely, alas. by gessel · · Score: 5, Informative

    I use GPG/OpenPGP for some mail and "secure" web mail for other applications. I do not use third party web mail (such as gmail) because I can't control the dissemination or privacy (or longevity) of my mail and while my life is generally boring enough to fit within Eric Schmidt's idea of privacy ("If you have something that you don't want anyone [someone] to know, maybe you shouldn't be doing it in the first place [at least not though a google property]."), I occasionally write a personal opinion of someone I wouldn't want them to be able to Google later or share a business detail that could be economically damaging or embarrassing (or is subject to NDA) and gMail and all other web mail services are effectively public.

    I've used PGP (and eventually GPG) since about '94 and my keyring has about 20 people on it: more than 1 new key a year! Alas, 25% of those keys expired in the late 90s. My address book has about 1500 entries. Why so few keys? As the OP pointed out, it isn't all that difficult.

    The answer for me is that the model for encouraging encryption has to be more like S-WAN than GPG-like. I'd love to turn on "encrypt everything" and forget it, but I'd get an error message for 99% of my correspondents, so obviously that isn't going to happen. So I set my prefs to reply to encrypted messages with encryption, which is fine, but it means I rarely (almost never) initiate an encrypted thread.

    What I'd like is an opportunistic encryption mode where any message to an address in my keyring is encrypted by default. Any message to anyone I don't have a key for gets a nice little .sig file with a brief notice that their mail is insecure and effectively public and a link to further instructions for getting GPG set up.

    One annoying problem is that encrypted mail is not searchable. To solve that, I want my client to extract a keyword list on decryption then upload that keyword list to (my own) server as an unencrypted header to enable searching (implemented, of course, with a stop list for words you wouldn't want to appear in the clear even out of context or perhaps particularly out of context).

    For the truly paranoid, this list could be a hash list, though you could still fairly effectively dictionary hash fish, but it would provide some security and reduce the easy availability of information. In fact, all headers could be hashed and still generally be searchable (except maybe date ranges).

    I also want my server to store my public key and encrypt all incoming mail with it. Of course it is already transported in the clear, but it makes my server less vulnerable. Once the mail has had an index extracted and the body encrypted, someone cracking into my IMAP server would, at least, not find a historical trove of clear-text data. And my friends without keys would get annoying sig files evangelizing encryption.

    1. Re:Very rarely, alas. by mlts · · Score: 4, Interesting

      When it comes down to it, there is no one program that can truly automate good security. At some point, users cannot be spoon fed and have to do it themselves. CAs can be spoofed, trusted introducers can be hacked or bribed, and so on.

      In reality, if you want security these days (I mean actual security, not some pretty spiffy lock icon promising security), then one will have to go out and pack your own parachute, just as people did in the early 1990s.

      It is easier now than it was back then -- gpg and the commercial PGP versions can encrypt and decrypt clipboard contents, both Android and the iPhone have implementations of this. It also easier that the specter of encryption being outlawed is not over our heads as it was back in the days of the Clipper Chip.

      So, it boils to a social issue more than technical now. Do people want to do proper keysigning gatherings, stick their PGP IDs and signatures on their business cards, and have this info as much a part of their contact info as their E-mail address and FB contacts? If we can get people to understand this and the concept of a web of trust, security in general will be much improved.

  17. PGP won't catch on, S/MIME will by mr100percent · · Score: 4, Informative

    I've had PGP for over 10 years, but I'm putting it aside and getting behind S/MIME.

    S/MIME has great enterprise support, is built into mail clients like Outlook, OS X Mail, Mozilla Thunderbird, iPhones, iPads, and even has browser plugins for GMail. PGP has none of this, sadly.