28 August 2007

The problem with secure email

It would have been convenient today for me to send someone encrypted email. The problem, however, is that the way it works, the recipient would have to have already obtained a certificate† & have sent me a copy of it. And there are very good reasons why it works that way.

Getting a free secure email certificate isn't difficult, though I imagine the process could be a bit confusing if you aren't familiar with the technology. (Thawte--whom I've linked to--isn't the only authority that can issue secure email certificates, but it is the one I use.) But beyond that, most people don't even know about them, much less why they should get one.‡

Faced with the prospect of asking a recipient to go through getting a certificate & sending it to me or finding another way to get the information to them, I--of course--choose the latter. So, secure email remains unused.

†A bit of an oversimplification for clarity.

‡Besides allowing people to send you encrypted email, a secure email certificate allows you to digitally sign emails you send. This increases the recipient's confidence that an email actually came from you & wasn't spoofed. Incidentally, your certificate is automatically included in a signed email message. Thus a signed message is the typical way to send someone your certificate so that they may send you encrypted email.

(Incidentally, it seems that in separating Firefox & Thunderbird into separate applications, Mozilla dropped the ball here. You have to manually export your private key & certificate generated/obtained through Firefox & import them into Thunderbird. At least, I couldn't find an easier way to do it. Presumably people using Microsoft Outlook & Internet Explorer or Apple Mail & Safari have the advantage here.)
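The certificate exchange described in the ‡ footnote, as an added example that is not part of the original post: the recipient signs a message, the sender takes the certificate out of that signed message, encrypts to it, and the recipient decrypts. It assumes the `openssl` command-line tool is installed; the self-signed certificate stands in for one issued by an authority, and the names, address and file names are made up.

```shell
#!/bin/sh
# Constructed demo of S/MIME certificate bootstrapping with the openssl CLI.
# All identities and file names are invented for illustration.
smime_roundtrip() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1

        # Recipient: key pair plus a self-signed certificate
        # (assumption: stands in for a CA-issued secure email certificate).
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Recipient/emailAddress=recipient@example.test" \
            -keyout rcpt.key -out rcpt.crt 2>/dev/null || exit 1

        # Recipient: send any signed message. The signer's certificate is
        # embedded in the signature automatically.
        printf 'Hello, this message carries my certificate.' > hello.txt
        openssl smime -sign -in hello.txt -signer rcpt.crt -inkey rcpt.key \
            -out signed.eml 2>/dev/null || exit 1

        # Sender: check the signature and save the embedded signer certificate.
        # -noverify skips chain validation only because the demo certificate is
        # self-signed; with a CA-issued certificate, drop it so the chain is
        # validated before the certificate is trusted.
        openssl smime -verify -in signed.eml -noverify \
            -signer harvested.crt -out /dev/null 2>/dev/null || exit 1

        # Sender: encrypt to the harvested certificate. Only the public key is
        # needed, which is why the certificate must arrive first.
        printf 'the secret' > secret.txt
        openssl smime -encrypt -aes256 -binary -in secret.txt \
            -out encrypted.eml harvested.crt || exit 1

        # Recipient: decrypt with the private key that never left their side.
        openssl smime -decrypt -in encrypted.eml \
            -recip rcpt.crt -inkey rcpt.key
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

smime_roundtrip   # prints the decrypted plaintext
```

Mail clients perform the same harvest step when they store the certificate from a signed message they receive.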


Ron-Paul-for-Prez said...

You can send an encrypted message and files to anyone with a regular email address.
There are two free ones I like: Hushmail and PrivacyHarbor.

Basically, your recipient gets a notice of a waiting message and then goes to get the message and the files on a secure page. PrivacyHarbor seems more for regular business, Hushmail is more for privacy rights folks. I use both!

Robert Fisher said...

Many thanks for the recommendations!

I don't know that I really consider either a solution to the problem, but they do look like reasonable work-arounds.

Hushmail's Hushmail Express looks particularly cool.

Incidentally, in this particular case, I had considered using symmetric encryption (like Hushmail Express), but I couldn't come up with a question that only I & the recipient would know the answer to.