[Cryptography] What ever happened to end-to-end email encryption?
Jerry Leichter
leichter at lrw.com
Mon Aug 23 11:45:59 EDT 2021
> I think the actual solution is the Paypal approach. All of the actual
> messaging happens on a web site, and the mail only says there's something
> new on the web site, take a look.
>
> For example, that is how I exchange messages with my doctor. It works pretty well.
Same here - but I can’t agree, in general, on the “it works pretty well” comment.
The system my doctor uses - I think developed by the large practice she’s part of and integrated quite well with their web site - mainly does the job. It’s inherently disruptive and time-wasting to go back and forth between two systems, and some integrations between mail and other systems (appointments) aren’t there and would require a whole special implementation where for mail that’s already been done - but it’s OK.
A couple of years back, I refinanced my mortgage, and the bank (BofA) had me set up a private mailbox for this purpose. It’s the same bank I already had accounts with - but the systems are completely disjoint. Still, for this limited purpose - mainly exchanging a couple of documents - it worked pretty well.
On the other hand, my accountant a couple of years ago used some 3rd party system that as I recall worked pretty well. Then he dropped it and went back to regular email. Last year, he subscribed to another secure mail system - which I find unusable. Half the time it won’t let me even log in.
And, of course, God only knows just how secure these systems really are.
> I think that actual secure mail would be swell, but after 30 years of it not
> happening, I'm not holding my breath.
Sad to say, I have to agree. Meanwhile, the existence of these external “private email” systems confirms that there’s a real need for *something* in this direction. The lack of standards or even any really good proprietary solutions is a continuing annoyance. Kind of a Gresham’s law at work, I think.
Email isn’t a big money-maker for anyone other than Microsoft, and businesses that use Exchange seem to feel the security it provides is good enough for even quite sensitive discussions - certainly within one company, but typically even between companies.
Is there an OSS/startup possibility here? What might it look like? I'm not suggesting a complete solution, as SMIME and PGP tried (and failed) to be; rather something that's intended for specialized circumstances like those "you get a regular email telling you to go log in to a separate account in a (separate) browser window to see your message" but better integrated with existing mail operations.
Of course if PHB's Mesh takes off this might all become academic - but I'm not holding my breath. It's not that it *couldn't* succeed. Look at how quickly Wireguard took off and gained support by all the common OS's and many of the larger VPN services, despite a huge established base for TLS-based VPN's. (Which in turn displaced IPSec-based VPN's, but those had all kinds of issues.) Getting an understanding of why Wireguard succeeded would be important to understanding how any new protocol/approach can succeed in the current environment. Most new ideas never gain traction.
-- Jerry