Slashdot Mirror
Encrypted Email Is Still a Pain in 2017 (incoherency.co.uk)
Bristol-based software developer James Stanley, who used to work at Netcraft, shares how encrypted emails, something which was first introduced over 25 years ago, is still difficult to setup and use for even reasonably tech savvy people. He says he recently tried to install Enigmail, a Thunderbird add-on, but not only things like GPG, PGP, OpenPGP were -- for no reason -- confusing, Enigmail continues to suffer from a bug that takes forever in generating keys. From his blog post: Encrypted email is nothing new (PGP was initially released in 1991 -- 26 years ago!), but it still has a huge barrier to entry for anyone who isn't already familiar with how to use it. I think my experience would have been better if Enigmail had generated keys out-of-the-box, or if (a.) gpg agreed with Enigmail on nomenclature (is it a secring or a private key?) and (b.) output the paths of the files it had generated. My experience would have been a lot worse had I not been able to call on the help of somebody who already knows how to use it.
EFF has done a great job with their "Encrypt the Web" campaign and gotten a lot of big websites to switch to https as their default protocol. The difference is that people running those servers are usually more technically minded (they're admins), so the implementation goes a lot easier. When dealing with non-technical end users, you can't expect them to do anything extra to set it up for them; it's just gotta become the default and get pushed to them. Anything else is a recipe for non-adoptance.
Not only this, but as 'tech savvy' people, I know of only two people using PGP for personal email purposes. I think the future of encrypted email needs to be lead by someone like Google implementing it into gmail by default, generating keys easily for common folk, etc.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
I've had to mess with PKI encrypted email (as a job requirement) many times over the last 15 years. In my experience, the problem is the underlying PKI support. It's really hard to load & manage certificates, deal with revoked certificates (including preserving emails when a certificate expires), etc. Some of that is, I believe, due to the complexity of PKI itself, and some of it is due to poor (at least from a user experience perspective) support by the OS vendors. Much of my experience is with DoD PKI, including their huge chains of PKI certificate/trust.
If the PKI infrastructure worked well, encrypting/decrypting email should be easy. But if the PKI infrastructure makes it really hard to manage certificates, there's nt a lot the mail user agent can do about that!
I was sent a message encrypted by https://www.virtru.com/ and it wasn't a problem to open it on my end, no account required.
I liked the idea and took about 5 minutes to get it setup on my end so I could send encrypted email, too.
It's about the simplest setup I've seen yet, and only downside is a couple of second lag opening an email (time it takes to decrypt)
Rubbish.
Not even the most non-techie user would turn down "encryption" if it was offered.
The real problem is the stupid email software writers who insist on using "certificates", rings of trust, etc. I'm looking at you, PGP.
Secure mass communications doesn't need all that, all they need is a way to exchange keys automatically and a way for people to compare key fingerprints if they suspect a man-in-the-middle. Whatsapp have managed it perfectly.
It only takes a small percentage of the population comparing fingerprints to find out of the NSA is engaged in mass e-mail manipulation. Anybody worried about privacy can simply do the fingerprint check. No certificate authorities to pay, no rings of trust needed.
If I was a conspiracy theorist I might _also_ suspect that the real reason it hasn't been implemented by major players (eg. Microsoft) is because the US government doesn't want them to.
No sig today...