[Cryptography] What ever happened to end-to-end email encryption?

John Kemp stable.pseudonym at gmail.com
Sun Aug 22 08:00:41 EDT 2021


> On Aug 19, 2021, at 9:44 PM, R Perlman <radiajpc at gmail.com> wrote:
> 
> Despite PGP and S/MIME having been designed zillions of years ago, it seems like end-to-end email encryption/integrity protection are not widely used. Which of the following is reasonably close to the truth?
> 
> Of course they are widely used. I'm just not aware.

We gave up on *email* during the spam/ad epidemic. But e2e encryption for person-person messaging is indeed widely used, and apparently very usable. Signal, Telegram and WhatsApp are all in quite widespread use.

So, effectively, the whole notion of person-person messaging was changed.

- johnk

> The usability issues were not worked out. How would a user obtain a public key? How would a user get a certificate? How would a user know the public key of someone they are receiving from/sending to?
> It never reached critical mass…there were never enough people who could receive encrypted email that it was worth trying to figure out how to send it.
> Big companies do not want end-to-end encryption of email. They want to have middleboxes be able to scan for phishing links and perhaps they are legally required to keep records of all email sent to or from company email addresses.
> Even individual users need middleboxes to scan for spam and other services (such as maybe warning about dangerous links)
> Ordinary users just aren't worried about having their email seen by others, at least not enough to figure out how to get an email client that can do encryption, obtain a key, etc.
> Other solutions became popular, which (I think) involve a central server that a sender requests a secret key from, the sender encrypts with that secret key, and then the receiver needs to ask the central server for the key.  I think if a big company is using such a product, it is implemented in a way that lets the company see plaintext of all email to/from that company's email addresses. 
> People don't really know what different forms of "encrypted email" mean, so central-server-secret-key-style, vs end-to-end with user public keys, vs using TLS between mail transfer agents all count as "encrypted email"
> Something else?
> Thanks,
> Radia Perlman
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography
