Tuesday, April 11, 2006

Email security made simpler

I've written about email security occasionally, but I realize that finding, installing, and learning to use the various pieces may seem intimidating. It's not really that hard: if you use Thunderbird, you only need to install GnuPG and the Enigmail extension and then follow Enigmail's instructions.

Now there's also gpg4win, a package designed to make life simpler if you're a Windows user who is just getting started. I haven't tried it, but all the material I've seen makes it look like (almost) one-stop shopping for getting encryption and email signing running on your computer.

There are two pieces that may be missing (check the manual after you download it): choosing a passphrase and using the web of trust. See Diceware for creating a secure passphrase, and the GNU Privacy Handbook for information on the web of trust. Being a responsible member of a web of trust means you don't sign another person's public key to indicate it's valid unless you really have identified that person. If you haven't known them for a long time, ideally verify their identity with two physical pieces of identification, such as a passport or driver's license. Checking identity is only half the job: also confirm the key's fingerprint with the person directly, in person or by phone, before you sign, because your signature asserts that this particular key belongs to that particular person.
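The Diceware method linked above, worked through in code. This is an added example, not code from the post or from the Diceware project. The word-list fragment it embeds is constructed for the demo in the format of the real list (five dice digits, a tab, a word); a real list has 6^5 = 7776 entries, one for every roll from 11111 to 66666, so `generate_passphrase` needs the full list, while the lookup and entropy helpers work on any fragment.

```python
"""Diceware passphrase generation (added example, not the post's own code).

WORDLIST_FRAGMENT is a constructed fragment in the real list's format;
a real Diceware list has 6**5 = 7776 entries, one per five-dice roll.
"""
import math
import secrets

LIST_SIZE = 6 ** 5                       # 7776 possible five-dice rolls
BITS_PER_WORD = math.log2(LIST_SIZE)     # about 12.92 bits of entropy per word

# Constructed fragment; load a full list with parse_wordlist(open(path).read()).
WORDLIST_FRAGMENT = """\
11111\ta
11112\ta&p
11113\ta's
11114\taa
11115\taaa
11116\taaaa
11121\taaron
11122\tab
"""


def parse_wordlist(text):
    """Parse 'NNNNN<tab>word' lines into a {roll: word} dict.

    Keys that are not exactly five digits in 1..6 are rejected, so a
    corrupted or wrong-format list fails loudly instead of silently
    shrinking the search space.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, word = line.partition("\t")
        if len(key) != 5 or any(c not in "123456" for c in key) or not word:
            raise ValueError(f"line {lineno}: not a Diceware entry: {raw!r}")
        table[key] = word.strip()
    return table


def roll_key(randbelow=secrets.randbelow):
    """Roll five dice and return the lookup key, e.g. '36214'.

    secrets.randbelow is a CSPRNG; random.randint is seeded predictably
    and must not be used for passphrases. Physical dice work just as well.
    """
    return "".join(str(randbelow(6) + 1) for _ in range(5))


def passphrase_from_rolls(rolls, table, sep=" "):
    """Map recorded rolls (from real dice or roll_key) to words."""
    words = []
    for r in rolls:
        if r not in table:
            raise KeyError(f"roll {r} is not in the word list")
        words.append(table[r])
    return sep.join(words)


def generate_passphrase(table, n_words=6):
    """Pick n_words words by rolling; needs the full 7776-entry list."""
    return passphrase_from_rolls([roll_key() for _ in range(n_words)], table)


def entropy_bits(n_words):
    """Entropy of the passphrase, assuming fair rolls and a full list."""
    return n_words * BITS_PER_WORD


def words_needed(target_bits):
    """Smallest word count that reaches target_bits (80 bits -> 7 words)."""
    return math.ceil(target_bits / BITS_PER_WORD)


if __name__ == "__main__":
    table = parse_wordlist(WORDLIST_FRAGMENT)
    print(passphrase_from_rolls(["11121", "11114", "11122"], table))
    print(f"6 words ~ {entropy_bits(6):.1f} bits; 80 bits needs {words_needed(80)} words")
```

The entropy figures assume you take whatever the dice give you; rerolling words you dislike, or choosing "memorable" rolls by hand, reduces the effective entropy below what `entropy_bits` reports.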

You can browse a few links I've found helpful, too.

Now give it a try! If you want, use my public key to send me an encrypted email as a demonstration that you can do it!

Blogger Scott said...

I tried a bunch of solutions. In my small business, I don't need signing, and I'm not a terrorist so I'm not completely paranoid. But sometimes I need to send a contract or personal info to a client. Yet people are unwilling to install special software to get my encrypted emails.

The solution I settled on was MessageLock (www.encryptomatic.com). It simply takes my email and files and puts them into an encrypted zip file, accessible to anyone with WinZip or another zip reader. All they need is a common zip reader and the password, so it solves the biggest obstacle: the special reader.

I feel I get about 98% of the benefit that is important to me, with only about 1/50th the hassle of setting up a certificate or "publickey" infrastructure.

17 April, 2006 06:48  
Blogger Bill Harris said...

Scott, thanks for the tip! Getting people to install the software is not easy, so a solution such as MessageLock looks promising. It appears to be designed for Outlook users, though, while I use Gnus. http://www-cse.ucsd.edu/users/tkohno/papers/WinZip/ indicates that an encrypted zip file might not be as secure as one encrypted using gnupg, although those problems may have been fixed. Do you know?

Your note did remind me that there is a way to do so-called symmetric encryption in GnuPG (use the command 'symmetric'). That way, the recipient doesn't have to worry about public keys; they just need to download and install GnuPG, perhaps via gpg4win.

17 April, 2006 18:15  
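The GnuPG passphrase-only mode Bill mentions, driven from a script so the exact command line is visible. This is an added example and not part of the post or either comment. The flag is `--symmetric` (short form `-c`); it assumes a gpg 2.x binary on PATH, and the file contents and passphrases are constructed for the demo. Every gpg call runs in a throwaway GNUPGHOME so nothing touches your real keyring or agent.

```python
"""Symmetric (passphrase-only) encryption with GnuPG from Python.

Added example, not the post's code. Assumes gpg 2.x on PATH; plaintext,
passphrases and file names are constructed for the demo.
"""
import os
import shutil
import subprocess
import tempfile


def gpg_available():
    """True if a gpg binary is on PATH; the demo is skipped otherwise."""
    return shutil.which("gpg") is not None


def _fresh_home():
    # A private GNUPGHOME keeps the demo away from the user's real keyring.
    home = tempfile.mkdtemp(prefix="gnupg-demo-")
    os.chmod(home, 0o700)      # gpg warns about group/world-accessible homedirs
    return home


def _cleanup(home):
    # gpg 2.x starts one gpg-agent per GNUPGHOME; stop it before deleting.
    if shutil.which("gpgconf"):
        subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                       env=dict(os.environ, GNUPGHOME=home), capture_output=True)
    shutil.rmtree(home, ignore_errors=True)


def _gpg(args, passphrase, home):
    """Run gpg non-interactively, feeding the passphrase on stdin.

    --batch plus --pinentry-mode loopback makes gpg 2.1+ read the
    passphrase from --passphrase-fd 0 instead of opening a pinentry dialog.
    """
    cmd = ["gpg", "--batch", "--yes", "--quiet",
           "--pinentry-mode", "loopback", "--passphrase-fd", "0"] + args
    return subprocess.run(cmd, input=passphrase.encode() + b"\n",
                          env=dict(os.environ, GNUPGHOME=home),
                          capture_output=True)


def symmetric_encrypt(plaintext, passphrase):
    """Encrypt bytes with a passphrase only (no public keys involved)."""
    home = _fresh_home()
    try:
        src = os.path.join(home, "contract.txt")
        dst = src + ".gpg"
        with open(src, "wb") as f:
            f.write(plaintext)
        r = _gpg(["--symmetric", "--cipher-algo", "AES256",
                  "--output", dst, src], passphrase, home)
        if r.returncode != 0:
            raise RuntimeError(r.stderr.decode(errors="replace"))
        with open(dst, "rb") as f:
            return f.read()
    finally:
        _cleanup(home)


def symmetric_decrypt(ciphertext, passphrase):
    """Return the plaintext, or None if gpg rejects the passphrase.

    A fresh GNUPGHOME per call matters: gpg-agent caches symmetric
    passphrases, so reusing one could make a wrong passphrase appear to work.
    """
    home = _fresh_home()
    try:
        src = os.path.join(home, "contract.txt.gpg")
        dst = os.path.join(home, "contract.txt")
        with open(src, "wb") as f:
            f.write(ciphertext)
        r = _gpg(["--output", dst, "--decrypt", src], passphrase, home)
        if r.returncode != 0:
            return None
        with open(dst, "rb") as f:
            return f.read()
    finally:
        _cleanup(home)


def demo(plaintext, passphrase, wrong_passphrase):
    """Round-trip check; returns None when gpg is not installed."""
    if not gpg_available():
        return None
    ct = symmetric_encrypt(plaintext, passphrase)
    return {
        "ciphertext_hides_plaintext": plaintext not in ct,
        "wrong_passphrase_rejected": symmetric_decrypt(ct, wrong_passphrase) is None,
        "roundtrip_ok": symmetric_decrypt(ct, passphrase) == plaintext,
    }


if __name__ == "__main__":
    print(demo(b"Draft contract: constructed sample text\n",
               "six diceware words go here", "not the passphrase"))
```

The recipient needs only GnuPG (gpg4win on Windows) and the passphrase, so the passphrase itself has to travel over a second channel such as a phone call; a passphrase sent in the same email as the attachment protects nothing.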
