Bristol-based software developer James Stanley, who used to work at Netcraft, shares how encrypted emails, something which was first introduced over 25 years ago, is still difficult to setup and use for even reasonably tech savvy people. He says he recently tried to install Enigmail, a Thunderbird add-on, but not only things like GPG, PGP, OpenPGP were -- for no reason -- confusing, Enigmail continues to suffer from a bug that takes forever in generating keys. From his blog post: Encrypted email is nothing new (PGP was initially released in 1991 -- 26 years ago!), but it still has a huge barrier to entry for anyone who isn't already familiar with how to use it. I think my experience would have been better if Enigmail had generated keys out-of-the-box, or if (a.) gpg agreed with Enigmail on nomenclature (is it a secring or a private key?) and (b.) output the paths of the files it had generated. My experience would have been a lot worse had I not been able to call on the help of somebody who already knows how to use it.

  • Encrypted email is not âoeuser friendlyâ for the average Joe because for the most part, people arenâ(TM)t interested in it, and so brain-dead easy apps generally have not been developed. Encryption for business and government is the focus, while most âoeregularâ people â" excluding those with paranoia â" just donâ(TM)t seem to think it adds anything for them.

    Having said that, my employer, the Department of Defense, uses Outlook and a card with a chip in it that stores

    • Re:Low Interest In The Public (Score:4, Interesting)

      by schneidafunk ( 795759 ) on Monday February 13, 2017 @11:48AM (#53857123)

      Not only this, but as 'tech savvy' people, I know of only two people using PGP for personal email purposes. I think the future of encrypted email needs to be lead by someone like Google implementing it into gmail by default, generating keys easily for common folk, etc.

      • Re: (Score:3)

        by ruir ( 2709173 )
        The concept of using PGP is privacy in your private messages. That concept goes out of the window once google is managing your keys.

      • After the snowden reveal, I switched to it exclusively when communicating with a friend of mine. I use a really strong set of ECDSA keys I generated for us, and physically exchanged in person.

        I laugh at the idea of the NSA wasting the CPU cycles needed to decode our harmless exchanges of adorable kitten pics.

         

        • After the snowden reveal, I switched to it exclusively when communicating with a friend of mine.

          The NSA is not interested in your cat videos.

          • Re: (Score:2)

            by suutar ( 1860506 )

            ah, but do they know they're just cat videos?

          • After the snowden reveal, I switched to it exclusively when communicating with a friend of mine.

            The NSA is not interested in your cat videos.

            But if they are encrypted, they don't know they are cat videos. One of the points of encryption, like document shredding is to "do" everything, if you only 'do' the important things the Snoops will know what is important and what isn't. Decrypting, like reassembling shredded documents is very expensive, make them spend on junk mail and cat videos and they won’t be able to afford your important stuff.

          • After the snowden reveal, I switched to it exclusively when communicating with a friend of mine.

            The NSA is not interested in your cat videos.

            That may be...but they'd have to decrypt it first to determine that...

    • Re: (Score:3)

      by gnick ( 1211984 )

      Having said that, my employer, the Department of Defense, uses Outlook and a card with a chip in it that stores my credentials, and I can encrypt an email simply by clicking on a button.

      At my last position, with the Department of Energy, we used Entrust along with Lotus Notes and credentials stored on the chip on our badge. It was very straightforward even for the non-tech-savvy among us.

    • Rubbish.

      Not even the most non-techie user would turn down "encryption" if it was offered.

      The real problem is the stupid email software writers who insist on using "certificates", rings of trust, etc. I'm looking at you, PGP.

      Secure mass communications doesn't need all that, all they need is a way to exchange keys automatically and a way for people to compare key fingerprints if they suspect a man-in-the-middle. Whatsapp have managed it perfectly.

      It only takes a small percentage of the population comparing fi

      • Rubbish.

        Not even the most non-techie user would turn down "encryption" if it was offered.

        The real problem is the stupid email software writers who insist on using "certificates", rings of trust, etc. I'm looking at you, PGP.

        Secure mass communications doesn't need all that, all they need is a way to exchange keys automatically and a way for people to compare key fingerprints if they suspect a man-in-the-middle. Whatsapp have managed it perfectly.

        So really what you're saying is that the whole Web-of-Trust support needs a little more automation...there's lots of public places that can store the public side of a GPG/PGP key that can be easily retrieved. The problem is that many - especially new - PGP/GPG users don't know to use them, or how. If that was automated by Enigmail (and others) then it would just work...though it'd still be best if you exchanged fingerprints in person to verify you got the right key from the keyservers.

        Any CA involved is

      • I disagree. If it takes one extra tap or mouse click people will call it inferior, they DONT CARE that it's an external problem to the encryption itself, and will just see it as another complicated thing that is a pain in the ass.

        Source, former helpdesk tech that answers a few calls still now and again.

  • Giving credit where credit is due. mail.app and keychain make it a breeze. You can drag and drop public keys, sign email, use 3rd party sources or generate keys all with a gui that is rather intuitive.

    • Of course, since this is in mail.app, which I use constantly, this is the first I've heard about it.

      I wonder how many great features in Apple products people miss simply because Apple refuses to provide sensible documentation and instead relies on users to "discover" features organically or via message boards.

      -Chris

      • There's a button in the 'compose email' window to turn it on, and there's online help for how to import a signing cert. Keychain will create a cert for you and a CSR, but it's then up to you to have it signed. The most important part of the grandparent's point is nothing to do with Apple though. Thunderbird also supports S/MIME out of the box, as does Outlook. The author of TFA decided to try two third-party add-ons for encrypting his mail, instead of the industry standard one that's built into the mail

      • Re: (Score:2)

        by jbolden ( 176878 )

        I would agree consistent documentation is not the strong suit. That being said the help topic in mail, "Sign or encrypt messages for increased security" is there.

  • Tools and movements (Score:4, Interesting)

    by PeeAitchPee ( 712652 ) on Monday February 13, 2017 @11:47AM (#53857111)
    EFF has done a great job with their "Encrypt the Web" campaign and gotten a lot of big websites to switch to https as their default protocol. The difference is that people running those servers are usually more technically minded (they're admins), so the implementation goes a lot easier. When dealing with non-technical end users, you can't expect them to do anything extra to set it up for them; it's just gotta become the default and get pushed to them. Anything else is a recipe for non-adoptance.

    • Re:Tools and movements (Score:4, Insightful)

      by TWX ( 665546 ) on Monday February 13, 2017 @12:00PM (#53857243)
      It also has to be supportable. If joe schmoe loses all of his e-mail because of problems with remembering keys or keychain files then not only is he going to stop using it, he's going to continue to have problems with people e-mailing to him with his now-broken public key.

    • Re: (Score:2)

      by Sloppy ( 14984 )

      You simply can't have people not do "anything extra" while also being resistance to MitM. Part of HTTPS' success story is that it's easy enough to set up, but at the cost of being extremely vulnerable (by PGP standards) to MitM. So to anyone who knows how it works, it's "insecure" but people actually bother to use it, so it's about a trillion times more secure against totally passive attacks, than plaintext is. Thus, on average for all persons, the web is more secure than email.

      PGP email needs some kind of

  • I'd like to recommend mailvelope [mailvelope.com] It's a plug-in based solution that works for all popular webmail clients. It's ease of use and integration makes using encrypted mail, and key handling easy.

  • Only difficult because computer users are idiots (Score:3, Insightful)

    by wierd_w ( 1375923 ) on Monday February 13, 2017 @11:51AM (#53857153)

    No. Really.

    The average user has difficulty clicking on a UI element that says "Generate key" and figuring out what it does.

    Let alone understanding the differences between key types, and why some are better than others. (like why you shouldn't trust the RSA algo.)

    • Re: (Score:1)

      by Anonymous Coward

      >like why you shouldn't trust the RSA algo

      I'm very curious. Why shouldn't I?
      I generally am skeptical of the public-key infrastructure system which requires 3rd parties, but I "trust" RSA for pretty much all https requests I do. I also understand that the RSA company's BSAFE library is considered compromised but this is not mean "RSA algo."

      • Re: (Score:3)

        by grnbrg ( 140964 )

        When the standards for eliptic curve signatures were being developed, the NSA, in response to the submission recommended (without, I believe, much explanation) a slight different set of constants used to define the curves, and those recommendations made it into the standard.

        Did they suggest the new constants, because they knew the initially proposed ones had weaknesses? Or because the ones they suggested had properties that would allow the NSA to break those signatures?

    • Let alone understanding the differences between key types, and why some are better than others. (like why you shouldn't trust the RSA algo.)

      The end user has no need for understanding that. They even shouldn't need to care.

      The only way we'll ever see e-mail encryption if it's as transparent as WhatsApp's end-to-end encryption or https transfers. The moment you have to bother the user with manual key management there's an issue. If the user has to choose what key to use, it's a disaster. He shouldn't have to know why to trust or not to trust RSA or other key algorithms. That's for the application writer to figure out, and only offer suitable prot

  • It's a pain because recovery has to be an option (Score:5, Insightful)

    by H3lldr0p ( 40304 ) on Monday February 13, 2017 @11:54AM (#53857173) Homepage

    People forget things all the time. At some point you are going to forget where or what the key is for your encrypted email, so what to do? Recovery of that key is going to be necessary. Which leads to an entire host of other problems, many of which are security related.

    So yeah, until memory becomes infallible we're stuck with encrypted emails having a certain amount of pain that comes along with them.

    • a message that can be read by somebody other than the intended recipient, is not worthy of being called secure.

      A message that can have the key derived from the data stream is a message that fails to prevent somebody other than the intended recipient from reading it.

      The two are mutually exclusive.

    • Re: (Score:2)

      by TWX ( 665546 )
      Yeah. I'm already facing this with passwords, and ironically it's home equipment that I have the biggest issues remembering simply because I don't have to reconfigure it often.

      Some big automotive enthusiast forums company got breached and set draconian rules for passwords for the users (who themselves did nothing wrong) as a result. twelve characters, mixed case, numbers, and non-letter-number characters, must be changed monthly. Screw that. I don't need to talk about four by fours enough to bother w

      • twelve characters, mixed case, numbers, and non-letter-number characters

        Hmm, those contraints rather limit the set of possible passwords, thus weakening the security of the system.

        Ignoring the 12 character limit, would be better if mixed case, numbers, and non-letter-number characters were ALLOWED, but not required.

        As to the character limit, I think I may have used a password that short this decade by personal choice. Maybe. Of course, passwords for websites (online bill pay, that sort of thing) freque

    • That is not the pain .

      Where I work it is the clueless clients who send us (another company) encrypted emails and then demand an answer ASAP and blame IT when it doesn't work.

      Cisco iron mail is horrible! Requires outdated Java and times out on our network. MBAs have no idea the work required. Just to penelize my users if they don't respond ASAP with no warning

    • Re: (Score:2)

      by zifn4b ( 1040588 )

      People forget things all the time. At some point you are going to forget where or what the key is for your encrypted email, so what to do?

      Use Keepass?

    • Why storing it in encrypted form? It only has to be encrypted while in transmission to be secure.

      You receive an e-mail, your client automatically decrypts it (of course at some point in time you unlocked the key with a password or so), and then stores it in your local storage unencrypted. You may of course in turn encrypt your hard disk if you want. Same for sent e-mail: the moment you press Send, the client encrypts the mail before delivering it to the SMTP server, and at the same time stores an unencrypt

    • This is why I maintain that we need identity/security providers that will manage the keys and encryption schemes for you. The real problems are:

      * Slashdot nerds (and the like) get all freaked out about the idea of a 3rd party managing people's keys. In order to be truly secure, it's necessary that only you can ever possibly get access to your keys, which means that you need to manage them yourselves. Therefore, any scheme that requires trusting a 3rd party gets rejected.
      * Each vendor/developer wants to

  • PKI itself is the culprit (Score:4, Interesting)

    by david.emery ( 127135 ) on Monday February 13, 2017 @11:56AM (#53857195)

    I've had to mess with PKI encrypted email (as a job requirement) many times over the last 15 years. In my experience, the problem is the underlying PKI support. It's really hard to load & manage certificates, deal with revoked certificates (including preserving emails when a certificate expires), etc. Some of that is, I believe, due to the complexity of PKI itself, and some of it is due to poor (at least from a user experience perspective) support by the OS vendors. Much of my experience is with DoD PKI, including their huge chains of PKI certificate/trust.

    If the PKI infrastructure worked well, encrypting/decrypting email should be easy. But if the PKI infrastructure makes it really hard to manage certificates, there's nt a lot the mail user agent can do about that!

    • Re: (Score:2)

      by sl3xd ( 111641 )

      But if the PKI infrastructure makes it really hard to manage certificates, there's not a lot the mail user agent can do about that!

      I've been using PKI infrastructure for about as long, and my experience has been very different, even with non-technical users.

      I'm curious what issues you're running into that makes it "really hard to manage certificates." Perhaps your definition of difficult differs greatly from mine..

      • I could see it being rather difficult to manage certificates if there's no assumed trustworthy central authority to manage them. It's easy for a megacorp to sign their own certs and manage them (and have others accept them), but a small shop or individual would likely run into difficulty somewhere.

      • Finding, installing, handling revocations/expiration. Loading parent/certificate chains, -particularly when the certificate chains themselves (root and intermediate) change-. In a perfect world, this would all be handled automagically. But when something goes wrong, figuring out what happened, and then trying to fix it, has been At Least One Bridge Too Far.

  • This is much easier to manage, and it is not clear that encrypting the email itself is that much better.

    • Re: (Score:2)

      by sl3xd ( 111641 )

      You get a gold star for independently coming up with the industry standard solution!

      Encrypting the attachments is exactly what PGP/MIME and S/MIME have done for at least a decade now.

  • The problem is that most of the public still uses web-based email (GMail, Yahoo, etc) and mobile. Gmail won't support even the most basic of encryption because their entire business model depends on reading other people's emails.

    What GMail COULD do is put some sort of header on GPG-signed emails saying that this is certified as from an account.

    • Re: (Score:2)

      by b0bby ( 201198 )

      Like the author I found Enigmail on Thunderbird to be a pain. The Mailvelope plugin on gmail/Chrome is what I use when I need to use encrypted mail. It's still a bit of a pain, but not too bad.

    • What's the problem with that for gmail and other web mail services? In order to present the e-mail in a web page to the user, they have to be able to decrypt it, it's not like that can be done so easily at the user's end in the browser (how to deal with keys etc, when the user switches computers?).

  • Given up (Score:3)

    by Rumagent ( 86695 ) on Monday February 13, 2017 @12:17PM (#53857401)

    I have given up on GPG. It is a great program and in principle it is all you need. Until you have tried setting it up for your parents, spouse or friends.

    It cannot and will not work. It is too complicated. The best solution I have come up with is using tutanota (others exists as well) . It is not perfect, but now must of my family use encryption without really realising it:)

  • Nowadays all connections between your client and your server is encrypted. And connections between email servers are encrypted as well using TLS. The only hole is if your email server uses Verizon as an ISP, because they strip the request secure transit bits [eff.org] off of the server connection. So far none of the big email providers have felt like blocking off all Verizon customers. Once that hole is plugged, there won't be a single point where an email isn't encrypted.

    • Except the part where it's stored unencrypted on every server during the trip. You don't know how long it stays on the server as there could be a long queue of outgoing mail or the receiver isn't responding. Then it could be caught up on backups. All available to be read unless you have encrypted it yourself.

    • Re: (Score:2)

      by Chrisq ( 894406 )
      I think the point is that it is not end-to-end encryption, and it could be intercepted by mail providers either end, or by governments with access, etc.

    • You're talking about transit. Emails in transit may be encrypted but they may not be at the endpoint. It's like entering your bank details into some random site that looks like your bank with only the confidence that you're using HTTPS and without actually knowing if the other party is your bank or not.

    • Re: (Score:2)

      by Nkwe ( 604125 )

      Once that hole is plugged, there won't be a single point where an email isn't encrypted.

      In transit perhaps, but not at rest. When your email sits in the inbox (or any folder) on your email provider's server, it is either not encrypted or your provider has the ability to decrypt it. Otherwise your email provider would not be able to display it / transfer it to you. This means that your provider can read your email, they can show it to the government, and if someone hacks your provider, the attackers and read your email as well. Unless you are running your own email server, transport protection

      • it is either not encrypted or your provider has the ability to decrypt it.

        Lots of providers do encrypt the email at rest. True, the servers will need the data in an unencrypted form at some point to serve you the data, etc. But then that gets down to how much you trust the provider. Don't trust the provider? host your own email server.

        Encryption in transit protects you a lot.

  • Has anyone else tried Virtru? Simple (Score:4, Interesting)

    by reezle ( 239894 ) on Monday February 13, 2017 @12:25PM (#53857471) Homepage

    I was sent a message encrypted by https://www.virtru.com/ [virtru.com] and it wasn't a problem to open it on my end, no account required.
    I liked the idea and took about 5 minutes to get it setup on my end so I could send encrypted email, too.
    It's about the simplest setup I've seen yet, and only downside is a couple of second lag opening an email (time it takes to decrypt)

  • DuckDuckGo (Score:3)

    by mrchaotica ( 681592 ) * on Monday February 13, 2017 @12:37PM (#53857609)

    The article says "I DuckDuckGo'd for keywords like GPG..."

    I feel like the idiom should be "I DuckDuckWent" instead.

  • Security requires personal attention. (Score:5, Insightful)

    by mmell ( 832646 ) <mike.mell@gmail.com> on Monday February 13, 2017 @12:39PM (#53857627)
    No matter how dumbed-down you make it, ultimately security requires an intentional decision by the end user. Encryption is a highly complex subject and the instant you reveal this, nearly all end users don't just decide it's not for them, they decide it's no good at all.

    Try talking your non-techie friends into a Linux desktop. Even after you show them that the "Start button" is right where they expect it to be, and that the email and browser clients work just like they're used to and that they can do what they've been doing as easily as they've been doing it, there will be concerns. It all falls apart when they say "Can I buy a disk and install my own software?" and you say "No, but here's an easier way to install software from a vast repository of packages", they're done. They don't even ask what's available or how it works, their eyes glaze over and they hold up a CD-ROM of Cute Kitteh Pics and proclaim that they can't live without that version of that software - and it has to look exactly like they expect it to look. Anything else might require their direct attention.

    Now, back on subject - you say "encrypt your email". They say, "okay, how?". You install and configure it for them, you make sure they only have to click one button to encrypt any given email. They say "Cool! And my grandma will be able to read this, right?"

    You start explaining how this will work. Their eyes glaze over and they say they'd like to encrypt emails to their friends when they discuss their legal but oh-so-risqué lives, but if they can't email grandma it won't work. It's too late to tell them they got it wrong because their eyes have already got that hundred yard stare thing going on. You made somebody think about something and rather than believe they can understand it, they take the easier path of not even trying.

    Bottom line - you're not trying to teach a behavior, you're trying to change a behavior. I've go GPG implemented. It's completely unused because nobody I know cares. They're not afraid of the government reading their emails and they accept that Google, Apple and Microsoft won't do anything worse than target advertising at them. Even after I offer to make it one-click convenient for them, most of my associates don't want it.

    • Re: (Score:2)

      by gtall ( 79522 )

      " You made somebody think about something and rather than believe they can understand it, they take the easier path of not even trying."

      And that, in a nutshell, is what describes people living in their interwebs echo chambers. Their beliefs are easier to understand than someone else's, and they take the easier path of not even trying.

    • It all falls apart when they say "Can I buy a disk and install my own software?" and you say "No, but here's an easier way to install software from a vast repository of packages", they're done.

      What's in a "package?" Is it ready-to-run? Where do I find clear and detailed product descriptions, reviews and screen shots?

      Steam is successful because Valve knows how to sell software on line.

    • you're not trying to teach a behavior, you're trying to change a behavior. I've go GPG implemented. It's completely unused because nobody I know cares.

      It's actually worse than that. You're not trying to change your behavior. You're trying to change everyone else's behavior. Your GPG implementation relies on everyone sending emails to you to cooperate.

  • PGP has pretty much been abandoned. The companies that need to securely deliver messages do so by sending an email with a link that requires you to authenticate and then view the actual contents in a secure browser session. I find it absolutely hilarious that Slashdot has been persistent for so many years in resurrecting this topic every so often even though it's clearly dead, Jim.

  • So, I'm thinking this through a bit further, and I'm wondering whether encrypted e-mail still makes sense...

    How many people actually-communicate via e-mail anymore? Yes, e-mail is still necessary as it's a de facto identification method - virtually every sign-up form uses e-mail addresses in this manner, but it's highly irregular that I send an e-mail to another human after I leave work. Most of that communication takes place via Facebook (known insecure) or WhatsApp/Viber/Kik/Line/BBM/SMS, and most of that

  • It really isn't a pain, use S/MIME (Score:1)

    by Anonymous Coward

    S/MIME is built into every major email client, just import your cert (you can get a free email one from just about any trusted certificate authority) and it'll work out of the gate. You have to use 3rd party software for gmail.

  • Lack a use case (Score:3)

    by thegarbz ( 1787294 ) on Monday February 13, 2017 @12:42PM (#53857667)

    The general wide spread use of email encryption lacks a use case. The situations where an ordinary person would require encrypted email is incredibly rare and it's most definitely not worth the hassle. Think of the use case for email: You're trying to send a message to someone. Like a letter it could be intercepted and read, but in general it's still just plain text. Like a letter we can take basic precautions such as encrypting attachments or sending separately documents to prevent accidental collection, but fundamentally it is still something that for the most part in general needs to be read.

    I personally wouldn't have enabled email encryption if I didn't need to on a very rare occasion have to handle sensitive information, but even then it's simply easier to often send an encrypted attachment.

  • Because end-to-end secured email is a pain, why not just use WhatsApp or one of the other messaging systems [techtimes.com] which provide end-to-end encryption?

    • Is there a good reason I should trust the authors of "WhatsApp"? And even if I did trust them, is there any measure of assurance that they couldn't be compelled to give up my data?

  • I would use PGP encrypted email if they'd make it easier for everyone else to use. Is it stands, I unfortunately know too many people that don't even know what Thinderbird is, let alone Enigmail. So, what would the point of encryption be if they can't even open it via PGP. They do make an app for iOS called iPGMail, but it's not easy to use either. There is a service called Protonmail that I like a lot. I'm not sure if the emails themselves are encrypted (maybe for Protonmail to Protonmail users), but I kno
  • If you use gmail and chrome there is a extension named mailvelope that is super easy to use. Just saying not all PGP email encryption is hard.
  • Took us over two years, but we did it right. https://www.securemyemail.com.... [www.securemyemail.com] Works with your current email address(es). Simple enough for anyone and everyone but with advanced PGP key management features for those that like that sort of thing. You can even import your current key as well as invite legacy PGP buddies w/o them having to use. Easy inviting and optional updated web of trust using social networks is built-in. Android and Thunderbird are available now. iOS, our own simple clients for Mac and

  • ...netcraft confirms it!

    Sorry. Flashbacks.

  • Bristol-based software developer James Stanley, who used to work at Netcraft, shares how encrypted emails, something which was first introduced over 25 years ago,

    Got enough commas in there?

    is still difficult

    Uh, what? Emails is still difficult?

    but not only things like GPG, PGP, OpenPGP were -- for no reason -- confusing

    "Not only were things like..." would've been easier to parse, though this is borderline cromulent.

    Enigmail continues to suffer from a bug that takes forever in generating keys.

    The bug takes forever "in generating" keys?

    Look, if English isn't the submitter's first language, that's no big deal. But somebody, somewhere, should be responsible for editing submissions if you want people to actually think you're a professional news aggregator.

  • As an Enigmail user, I have to disagree. I've found it relatively easy to implement. Similarly on a Web interface, there are ample extensions for implementing public key encryption. The problem is a lack of good encryption education. Unfortunately, people either try to educate too much or don't try at all. Just as people need to understand "lock the door" and not the intricacies of a 5-pin tumbler lock, we don't need to drown people in the the math of cryptography as much as the importance of a having keys

