Republished with permission from WatchGuard Technologies, Inc.

Written May 31, 2000

  WatchGuard LiveSecurity

E-mail Security: Why Don’t We Bother?
Fred Avolio, 
Avolio Consulting, Inc.,
fred@avolio.com

Secure e-mail software has been around for about 10 years. Why do most of us still send unsigned e-mail in the clear?

The Problem
E-mail transmissions are vulnerable to attack in 4 specific ways. First, e-mail is vulnerable to eavesdropping. As it is transmitted across the Internet or as it sits on a mail relay system or e-mail post office, unintended "recipients" can read e-mail. Second, the sender of e-mail is easily "spoofed," just like with postal mail. Third, the real creator or sender of a message can disavow the message. Finally, a legitimate message can be resent – replayed – multiple times.

The Solution
Encrypted e-mail has provided solutions to all of the above vulnerabilities for a decade. Encrypted e-mail supports confidentiality, authentication, and non-repudiation. Encrypted e-mail is available for every popular computer hardware and software platform. It is also available as supported product and unsupported "freeware" for individual as well as corporate use. So, again, what’s holding us back?

The Barriers, Real and Imagined
There are barriers to the use and deployment, some real, some imaginary. These are the main reasons we don’t bother to encrypt our e-mail. We’ll look at some of them and separate truth from fiction.

  1. There are no standards, or there are too many. There are actually two "standards" – in progress or established, PGP/MIME and S/MIME. One vendor and many freeware applications support PGP/MIME. Many vendors and many freeware applications support S/MIME. Also, there are proprietary solutions that provide secure e-mail in a manner that is completely transparent to the end user. Standards compliance is nice, but it is not the issue. 

    The issue is interoperability. Unfortunately, PGP/MIME and S/MIME do not interoperate. Proprietary solutions operate only with themselves. 

    However, this may be sufficient. Think about it. For many of us, the e-mail we need to protect the most is e-mail with other employees in our company. Interoperability is more easily achieved in a single organization.

  2. It is difficult for end users to use. While it may be true that the concept of digital signatures is difficult for many to understand, encryption of e-mail is not so difficult to deal with. Further, many secure e-mail solutions work in conjunction with the same e-mail programs already in use (e.g. Netscape Messenger, Outlook, Eudora). There is nothing new to learn except how to use the added functionality of encrypting and digitally signing messages.

  3. It is not supported. The free products are not commercially supported – though they are "supported" by the user community – but the commercial products are.

  4. We would need a PKI. A Public Key Infrastructure is needed if we want to be able to exchange encrypted or digitally signed e-mail with people we have never met. This is a very good ultimate goal, but as stated under number 1, we still gain a lot even if we are limited to exchanging encrypted e-mail with those in our company, or those we have met.

  5. I’ll have to deal with digital certificates. Well, … yes, that is true for PGP/MIME and S/MIME solutions. But some software solutions come with a mechanism for generating certificates. We can also purchase individual certificates on the Internet. Or we can generate our own "self signed" certificates. While this may seem kind of like me carrying around a self-created driver’s license, it really is different. The certificate may only be used for confidential communications between acquaintances. Another alternative is to have your company sign all employee digital certificates.

  6. People will forget their passwords and, so, not be able to read their encrypted e-mail or sign e-mail to others. Again, yes. There are relatively secure solutions around this, everything from having the user write it down and store it at home, to encrypting it on a disk the user keeps with a password someone else (sys admin) knows, to encrypting everything with a company decryption key (supported by some commercial software).

  7. It’s illegal. This is a tricky issue, while I am not a lawyer, I can state that there are countries where the use of encryption products in e-mail is illegal. If this is the case where you live, then I suggest that you not use them. On the other hand, if the option is available to you, then avail yourself of it. In the U.S. it is my understanding that encryption products can be used and taken out of the country with relative impunity as long as they are not sold without a license. The policies of the U.S government as well as those of many other nations regarding encryption usage seems to be in a constant state of flux. If you are uncertain of what the local regulations are, check with your legal council or other competent authority. [This paragraph is based on the writer’s shaky knowledge of US law and is not to be construed as legal advice]

Advice
There is one other reason – really, the main reason – we don’t bother to encrypt our e-mail. It is because we don’t think our communications are of interest to anyone else. And we may be correct. If our business is worthless, if we never have a good idea, if there is nothing about what we do that anyone else would want, then we may be correct. However, that is not a description of our business, at least not for most of us.

As stated last year in an article I wrote about deploying cryptography, start signing your e-mail messages with your digital certificate (the software gets you started on this). Test it with others in the organization. Use it when confidentiality is important (which is a good deal of the time, is it not?). Start asking people for their digital certificate so you can send them confidential e-mail. Just start using it.