NPR : E-Mail Encryption Rare in Everyday Use

markus reichelt ml at bitfalle.org
Mon Feb 27 19:15:17 EST 2006


* Greg Black <cryptography at mail.gbch.net> wrote:

> On 2006-02-24, Peter Saint-Andre wrote:

> > Personally I doubt that anything other than a small percentage of
> > email will ever be signed, let alone encrypted (heck, most people
> > on this list don't even sign their mail).

My personal experience differs. The people who have set up some kind
of encryption to protect their privacy will use it at best and
advertise such a possibility at the very least, be it via kludges,
email headers, footers, inline signatures, or word of mouth (websites).
The important fact is that they do something.

I did a little research on my email of the past month, both public
mailing lists and private mail. The vast majority of private email was
signed (and encrypted, with both sender and recipient being part of
the WoT), with public mailings showing a slightly increasing number
of signed mailings. I realize that's far from representative,
but that's really the way it should be.


> That's at least partly because too many mailing lists either reject
> signed messages out of hand or, worse, have subscribers who use
> providers that reject signed messages and then spam you with their
> idiotic bounce messages.

That's too true. Emails with signatures as attachments are often
blocked (or have the attachments removed altogether) because of the
omnipresent virus hype; I strongly believe that coping with possible
virus threats is definitely not the job of mailing-list software.
But there's still the possibility of inline signatures.

As to the ISP issue, it would make perfect sense to me to switch ISPs
because of such bounce messages. However, I personally know of some
that are better not mentioned by name, and which sadly don't regret
their practice. Net neutrality has to exist!

Back to the topic; e.g. both mutt and its recent offspring mutt-ng
can easily be adapted, as can other mail user agents out there. I
strongly recommend using such features if present. In the past I've
seen forged signatures added to spam mails, so it's about time to
sharpen the public's view on the matter.

On a side note: from what I've heard, most banks don't bother much
with encryption and solely focus on message integrity. Well, even if
one shares the rather naive viewpoint of having nothing to hide (but
still doesn't run naked; I wonder why...), it just can't hurt to have
integrity added to one's own messages.

I'm going to repeat soon: It doesn't have to be the full package
right from the start. And with phishing attacks becoming more and more
sophisticated it's only a matter of time until the public has to
deal with the whole issue of integrity.


> Keeping track of which lists allow signed email and which don't is
> impractical if you subscribe to hundreds of lists, so the simple
> thing is to tick the "don't sign" box on list messages.

Sad but true. However, IMHO, that's also equal to "I give up <sigh>"
and clearly the wrong path one could possibly choose. Nonetheless, I
guess it's safe to assume the ordinary user is subscribed to only a
handful of mailing lists; granted, some people receive tens of
mailing lists, but hundreds? Let's not forget the time involved. I
am subscribed to 30 mailing lists, and to my liking there is not a
single one lacking the more or less occasional signed mailing.

One could argue with the list admins to allow signatures; that's
usually an uphill battle that can still be won by inline signatures.
Of course, it's a hassle in terms of getting a working setup but it
is far worse to leave the battlefield to the enemy. By doing so one
gives the masses a wrong impression of the actual ease, once locally
implemented, of being able to add integrity to one's messages. And
that's only one step short of the actual much needed privacy, imho.

Verifying the integrity of a message lies at the receiving end, after
all. That's where one has to start. It doesn't have to be the whole
thing about encryption, message signing, WoT, etc. right from the
start, curiosity will do the rest.

In essence: A barbecue about such a topic will suffice. In my
experience I can proudly point to some bowling/poker events that did
the trick for some people. "It's not wrong, it's a start..."


> In this case, since Peter's message was signed, I know this list
> allows signatures.  So I'll sign this message.

Add me to the list (and forgive the pun, please). Even if this list
did not allow the sig added as an attachment, I would do so via
inline signature.

So, why not always sign messages to a list that permits signatures? 


> But the signature will be of limited utility, as not one of the
> several email addresses on my signature is a match for the email
> address I am sending this from.  Again, lists being what they are,
> I use a different address for most lists and my PGP key would
> become absurd if I added several hundred addresses to it.

That's why I use a sole key for mailing lists and related encrypted
mailings, in addition to my private and work keys. It has worked like
a charm ever since. To avoid confusion I only permit my private and
work keys to be signed.


> I personally would prefer to sign every email I send.  I'd also
> prefer to encrypt all non-public messages.  I am fully competent in
> the use of the current technology, but it turns out to be not
> practical to use.

I agree that there's much work ahead. Still, I sign almost every
message, be it private or public, and if possible sign and encrypt.
That's personal taste of course, but I'd like to see such a pattern
much more often in modern daily life.

Quite frankly, I wouldn't have thought this topic would emerge the
way it has on a cryptography mailing list. Maybe it's about time to
publish my article "Why Cryptography Is Important In Modern Life"
after all (don't hold your breath; with me being pretty busy it's not
due until after Easter).

-- 
left blank, right bald
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20060228/0b7fea4a/attachment.pgp>
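The thread keeps contrasting two ways a PGP signature can travel in mail: as a MIME attachment (multipart/signed with an application/pgp-signature part, the PGP/MIME form of RFC 3156, which a list or ISP that scrubs attachments destroys, exactly what happened to the signature on this very message above) and as an inline clearsigned block in the body, which survives scrubbing. It also raises two caveats: forged armor blocks turn up in spam, and a good signature from a key whose user IDs do not include the From: address binds nothing. The script below is an added example and not code from the thread or its authors; it tells the two forms apart with Python's standard `email` package, extracts the exact bytes `gpg --verify` would need, recognises the scrubbed case, and checks the From: address against a key's user IDs. The four sample messages, the addresses in them and the list of user IDs are constructed for the example, and the armor blocks are placeholders rather than real OpenPGP data, so nothing here verifies a signature cryptographically.

```python
"""Added example (not from the thread): classify OpenPGP e-mail signatures.

Samples and addresses below are constructed; the armor is a placeholder.
Nothing here verifies a signature, it only prepares input for gpg --verify.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample 1: PGP/MIME (RFC 3156), signature as a second body part.
PGP_MIME = """\
From: Alice <alice@example.org>
To: cryptography@lists.example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hello list.
--b1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
--b1--
"""

# Constructed sample 2: the same message after a list scrubbed the attachment.
SCRUBBED = PGP_MIME[:PGP_MIME.index("--b1\nContent-Type: application")] + "--b1--\n"

# Constructed sample 3: inline clearsign, survives attachment scrubbing.
INLINE = """\
From: Alice <alice@example.org>
To: cryptography@lists.example.net
Subject: constructed sample

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello list.
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
"""

# Constructed sample 4: no signature at all.
UNSIGNED = "From: Alice <alice@example.org>\nSubject: constructed sample\n\nHello list.\n"

INLINE_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----.*?-----END PGP SIGNATURE-----", re.S)


def classify_signature(raw: str) -> dict:
    """Return kind ("pgp-mime", "inline", "scrubbed", "unsigned") plus the
    signed data and detached signature that gpg would verify.

    A forged armor block in spam classifies as "inline" just like a real one;
    only gpg --verify against a trusted key tells them apart."""
    msg = message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = list(msg.iter_parts())
        if (msg.get_param("protocol") == "application/pgp-signature"
                and len(parts) == 2
                and parts[1].get_content_type() == "application/pgp-signature"):
            # RFC 3156: the signed data is the first part *with* its MIME
            # headers, line ends canonicalised to CRLF (policy.SMTP does that).
            signed = parts[0].as_bytes(policy=policy.SMTP)
            sig = parts[1].get_payload(decode=True).decode("ascii")
            return {"kind": "pgp-mime", "signed_data": signed, "signature": sig}
        # multipart/signed without its signature part: the text is intact but
        # an attachment filter removed the only thing that could verify it.
        return {"kind": "scrubbed", "signed_data": None, "signature": None}
    if ctype == "text/plain":
        m = INLINE_RE.search(msg.get_content())
        if m:
            block = m.group(0)  # gpg --verify takes the whole clearsigned block
            return {"kind": "inline", "signed_data": block.encode("ascii"),
                    "signature": block[block.index("-----BEGIN PGP SIGNATURE-----"):]}
    return {"kind": "unsigned", "signed_data": None, "signature": None}


def sender_matches_key(raw: str, key_uids) -> bool:
    """True if the From: address is one of the signing key's user IDs.
    A valid signature from a key lacking the sending address proves little
    about who sent the mail; this check is separate from verification."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    return any(parseaddr(uid)[1].lower() == sender for uid in key_uids)


if __name__ == "__main__":
    for name, raw in [("PGP/MIME", PGP_MIME), ("scrubbed", SCRUBBED),
                      ("inline", INLINE), ("unsigned", UNSIGNED)]:
        print(f"{name:9s} -> {classify_signature(raw)['kind']}")
```

Running the script only reports which form each constructed message uses; the `signed_data` and `signature` values are what you would write to two files and hand to `gpg --verify sig.asc data` (PGP/MIME) or `gpg --verify msg.asc` (inline). The `sender_matches_key` check addresses the mailing-list-address problem from the thread: a separate key carrying the list addresses as user IDs passes it, while a private key with unrelated addresses does not, whatever gpg says about the signature itself.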

