E-Mail Encryption: Why Isn't Everyone Doing It?

Peter Schuller peter.schuller@infidyne.com
Wed Oct 23 17:45:02 2002


> The interface is too confusing for the "average-home" user.  It's like
> asking them to perform a tune-up on a car. They just don't know or care to
> know.  Encryption is a great idea, but because of user interface issues it's
> still for power-users or better.

I don't agree.

In order to achieve secure communication, there are certain steps that
MUST be taken. It cannot happen automatically, because if it does it is
by definition not secure.

Granted, one could use a fingerprint device or similar to rid oneself
of the passphrase problem, but the fundamental principles of secure
communication are still there.

It works exactly the same as any "real world" communication. If I'm
given a phone number to John Doe and call him up - I have no way of
knowing I am really talking to John Doe, nor that he possesses the role
that someone else claims he does.

If one were to try, I believe one could come a LONG way just through
social engineering.

E-Mail is also like postal mail. You have no way of knowing who sent it
- unless you trust a return address which can be faked as easily as it
can be real. You also have no way of ensuring that only the intended
recipient reads the message - unless you take certain steps to do so.

The one thing that makes electronic communication different is the level
at which insecurities can be exploited. Tasks can be automated, etc.

If you get into a company building through social engineering you might
be able to sneak out with a PDA or two. You can't empty the entire
building without being noticed.

If you get into a server, you can easily delete everything on the hard
drive - or worse, plant a trojan. Once you are in a position to exploit
a vulnerability in a piece of software or in the way communication is
being carried out, you have a helluva opportunity to exploit it,
compared to non-computerized similar situations.

For that reason, security in the digital world is often more important
(or at least, the lack thereof is more disastrous) than in the physical
world.

I believe users (and others...) must be taught to respect security and
understand the basic principles of trust that are a fact of life - with
or without computers.

(There are other important issues as well of course, such as E-Mail
clients acting properly to protect the user, development of appropriate
standards, etc. But at the very core of all issues is awareness.
Automatic and therefore transparent security is seldom possible, even
theoretically.)

-- 
/ Peter Schuller, InfiDyne Technologies HB

PGP userID: 0xE9758B7D or 'Peter Schuller <peter.schuller@infidyne.com>'
Key retrieval: Send an E-Mail to getpgpkey@scode.org
E-Mail: peter.schuller@infidyne.com Web: http://www.scode.org