[Cryptography] What ever happened to end-to-end email encryption?

Jerry Leichter leichter at lrw.com
Mon Aug 23 11:45:59 EDT 2021 

> I think the actual solution is the Paypal approach.  All of the actual
> messaging happens on a web site, and the mail only says there's something
> new on the web site, take a look.
> 
> For example, that is how I exchange messages with my doctor.  It works pretty well.
Same here - but I can’t agree, in general, on the “it works pretty well” comment.

The system my doctor uses- I think developed by the large practice she’s part of and integrated quite well with their web site - mainly does the job.  It’s inherently disruptive and time-wasting to go back and forth between two systems, and some integrations between mail and other systems (appointments) aren’t there and would require a whole special implementation where for mail that’s already been done - but it’s OK.

A couple of years back, I refinanced my mortgage, and the bank (BofA) had me set up a private mailbox for this purpose.  It’s the same bank I already had accounts with - but the systems are completely disjoint.  Still, for this limited purpose - mainly exchanging a couple of documents - it worked pretty well.

On the other hand, my accountant a couple of years ago used some 3rd party system that as I recall worked pretty well.  Then he dropped it and went back to regular email.  Last year, he subscribed to another secure mail system - which I find it unusable.  Half the time it won’t let me even log in.

And, of course, God only knows just how secure these systems really are.

> I think that actual secure mail would be swell, but after 30 years of it not
> happening, I'm not holding my breath.
Sad to say, I have to agree.  Meanwhile, the existence of these external “private email” systems confirms that there’s a real need for *something* in this direction.  The lack of standards or even any really good proprietary solutions is a continuing annoyance. Kind of a Gresham’s law at work, I think.

Email isn’t a big money-maker for anyone other than Microsoft, and businesses that use Exchange seem to feel the security it provides is good enough for even quite sensitive discussions - certainly within one company, but typically even between companies.

Is there a OSS/startup possibility here?  What would might it look like?  I'm not suggesting a complete solution, as SMIME and PGP tried (and failed) to be; rather something that's intended for specialized circumstances like those "you get a regular email telling you to go log in to a separate account in a (separate) browser window to see your message" but better integrated with existing mail operations.

Of course if PHB's Mesh takes off this might all become academic - but I'm not holding my breath.  It's not that it *couldn't* succeed.  Look at how quickly Wireguard took off and gained support by all the common OS's and many of the larger VPN services, despite a huge established base for TLS-based VPN's.  (Which in turn displaced IPSec-based VPN's, but those had all kinds of issues.)  Getting an understanding of why Wireguard succeeded would be important to understanding how any new protocol/approach can succeed in the current environment.  Most new ideas never gain traction.

                                         -- Jerry

More information about the cryptography mailing list