E-mail Security: Why Don't We
Avolio Consulting, Inc., firstname.lastname@example.org
Secure e-mail software has
been around for about 10 years. Why do most of us still
send unsigned e-mail in the clear?
E-mail transmissions are vulnerable to attack in four
specific ways. First, e-mail is vulnerable to
eavesdropping. As it is transmitted across the Internet
or as it sits on a mail relay system or e-mail post
office, unintended "recipients" can read
e-mail. Second, the sender of e-mail is easily
"spoofed," just like with postal mail. Third,
the real creator or sender of a message can disavow the
message. Finally, a legitimate message can be resent -
replayed - multiple times.
Encrypted e-mail has provided solutions to all of the
above vulnerabilities for a decade. Encrypted e-mail
supports confidentiality, authentication, and
non-repudiation. Encrypted e-mail is available for every
popular computer hardware and software platform. It is
also available as supported product and unsupported
"freeware" for individual as well as corporate
use. So, again, what's holding us back?
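As an added illustration that is not from the article or from any product it mentions, the following Go program models the four attacks in the opening paragraph with a constructed toy signed-message format: a trusted public key per sender answers spoofing, a signature over sender, Message-ID and body answers tampering and disavowal, and a record of accepted Message-IDs answers replay. The addresses, Message-IDs and message layout are assumptions; real PGP/MIME and S/MIME use their own encodings, and encryption for confidentiality is left out to keep the example short.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// SignedMail is a constructed toy format (not PGP/MIME or S/MIME) that binds
// the sender, a unique Message-ID and the body under one signature.
type SignedMail struct {
	From, MessageID, Body string
	Signature             []byte
}

// canonical is the exact byte string signed; changing any field invalidates it.
func canonical(from, id, body string) []byte {
	return []byte("From: " + from + "\r\nMessage-ID: " + id + "\r\n\r\n" + body)
}

// Sign produces a signed message with the sender's private key.
func Sign(priv ed25519.PrivateKey, from, id, body string) SignedMail {
	return SignedMail{from, id, body, ed25519.Sign(priv, canonical(from, id, body))}
}

// Receiver holds the public keys it trusts per sender (the "certificates" the
// article says to ask people for) and the Message-IDs it has already accepted.
type Receiver struct {
	Keys map[string]ed25519.PublicKey
	Seen map[string]bool
}

// Accept names which attack it detected: unknown sender, bad signature
// (spoofed sender or altered body), or replay of an already accepted message.
func (r *Receiver) Accept(m SignedMail) error {
	pub, ok := r.Keys[m.From]
	if !ok {
		return fmt.Errorf("no trusted key for %q: sender cannot be authenticated", m.From)
	}
	if !ed25519.Verify(pub, canonical(m.From, m.MessageID, m.Body), m.Signature) {
		return fmt.Errorf("signature invalid: spoofed sender or altered message")
	}
	if r.Seen[m.MessageID] {
		return fmt.Errorf("replay: %q was already accepted", m.MessageID)
	}
	r.Seen[m.MessageID] = true // remember it so a resent copy is rejected
	return nil
}
```

A receiver is built with `&Receiver{Keys: map[string]ed25519.PublicKey{"alice@example.com": pub}, Seen: map[string]bool{}}`; the first `Accept` of a genuine message returns nil and every later copy of it returns the replay error.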
The Barriers, Real and Imaginary
There are barriers to the use and deployment, some real,
some imaginary. These are the main reasons we don't
bother to encrypt our e-mail. We'll look at some of them
and separate truth from fiction.
- There are no
standards, or there are too many. There are
actually two "standards" - in progress
or established, PGP/MIME and S/MIME. One vendor
and many freeware applications support PGP/MIME.
Many vendors and many freeware applications
support S/MIME. Also, there are proprietary
solutions that provide secure e-mail in a manner
that is completely transparent to the end user.
Standards compliance is nice, but it is not the issue.
The issue is interoperability. Unfortunately,
PGP/MIME and S/MIME do not interoperate.
Proprietary solutions operate only with themselves.
However, this may be sufficient. Think about it.
For many of us, the e-mail we need to protect the
most is e-mail with other employees in our
company. Interoperability is more easily achieved
in a single organization.
- It is difficult
for end users to use. While it may be true
that the concept of digital signatures is
difficult for many to understand, encryption of
e-mail is not so difficult to deal with. Further,
many secure e-mail solutions work in conjunction
with the same e-mail programs already in use
(e.g. Netscape Messenger, Outlook, Eudora). There
is nothing new to learn except how to use the
added functionality of encrypting and digitally signing.
- It is not
supported. The free products are not
commercially supported - though they are
"supported" by the user community - but
the commercial products are.
- We would need a
PKI. A Public Key Infrastructure is needed if
we want to be able to exchange encrypted or
digitally signed e-mail with people we have never
met. This is a very good ultimate goal, but as
stated under number 1, we still gain a lot even
if we are limited to exchanging encrypted e-mail
with those in our company, or those we have met.
- I'll have to deal
with digital certificates. Well,
that is true for PGP/MIME and S/MIME solutions.
But some software solutions come with a mechanism
for generating certificates. We can also purchase
individual certificates on the Internet. Or we
can generate our own "self signed"
certificates. While this may seem kind of like me
carrying around a self-created driver's license,
it really is different. The certificate may only
be used for confidential communications between
acquaintances. Another alternative is to have
your company sign all employee digital certificates.
- People will forget
their passwords and, so, not be able to read
their encrypted e-mail or sign e-mail to others.
Again, yes. There are relatively secure solutions
around this, everything from having the user
write it down and store it at home, to encrypting
it on a disk the user keeps with a password
someone else (sys admin) knows, to encrypting
everything with a company decryption key
(supported by some commercial software).
- It's illegal.
This is a tricky issue. While I am not a lawyer,
I can state that there are countries where the
use of encryption products in e-mail is illegal.
If this is the case where you live, then I
suggest that you not use them. On the other hand,
if the option is available to you, then avail
yourself of it. In the U.S. it is my
understanding that encryption products can be
used and taken out of the country with relative
impunity as long as they are not sold without a
license. The policies of the U.S. government as
well as those of many other nations regarding
encryption usage seem to be in a constant state
of flux. If you are uncertain of what the local
regulations are, check with your legal counsel or
other competent authority. [This paragraph is
based on the writer's shaky knowledge of US law
and is not to be construed as legal advice]
There is one other reason - really, the main reason - we
don't bother to encrypt our e-mail. It is because we
don't think our communications are of interest to anyone
else. And we may be correct. If our business is
worthless, if we never have a good idea, if there is
nothing about what we do that anyone else would want,
then we may be correct. However, that is not a
description of our business, at least not for most of us.
As stated last year in an article I wrote about deploying
cryptography, start signing your e-mail messages with
your digital certificate (the software gets you started
on this). Test it with others in the organization. Use it
when confidentiality is important (which is a good deal
of the time, is it not?). Start asking people for their
digital certificate so you can send them confidential
e-mail. Just start using it.