[Cryptography] What ever happened to end-to-end email encryption?
Brian Gladman
brg at gladman.plus.com
Mon Aug 23 04:21:51 EDT 2021
On 20/08/2021 02:44, R Perlman wrote:
> Despite PGP and S/MIME having been designed zillions of years ago, it
> seems like end-to-end email encryption/integrity protection are not
> widely used. Which of the following is reasonably close to the truth?
[snip list]

Having been in the information security business for 40+ years, one of
the principles I believe in is that, in contemplating systems involving
functionality, security and scale, we can have at most two of these
three properties.

And the sad fact is that people consistently prefer functionality over
security and this means that anything that is only effective if deployed
at scale will inevitably be insecure (in the sense of achieving a high
level of security).

We see this all the time. For example, when mobile phones were
introduced they were necessarily deployed at scale but they had very
limited functionality and could have achieved a reasonable level of
security if users had wanted it. But it was functionality that phone
users wanted and we have now ended up with mobiles that exhibit all the
security weaknesses of personal computers.

And email systems exhibit the same evolutionary path towards increased
functionality at the expense of their potential to offer security.

And if this wasn't bad enough, we then have the actions of governments,
most of which don't want 'security for the masses' and some of which
actively act to undermine it.

Brian Gladman