Do Slashdotters Encrypt Their Email?

Unknown Lamer posted more than 2 years ago | from the translate-it-to-navajo dept.

Encryption 601

An anonymous reader writes "Many years ago when I first heard of PGP, I found an add-on that made it fairly simple to use PGP to encrypt my email. Despite the fact that these days most people know that email is a highly insecure means of communication, very few people that I know ever use any form of email encryption despite the fact that it is pretty easy to use. This isn't quite what I would have expected when I first set it up. So, my question to fellow Slashdotters is 'Do you encrypt your email?' If not, 'Why not?' and 'Why has email encryption using PGP or something similar not become more commonplace?' The use of cryptography used to be a hot topic once upon a time."

601 comments

No (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38429792)

Nor does anyone else. Unfortunate, but true.

Re:No (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38429848)

I think it's largely pointless anyway...

Most people (myself included) use a web based email client, where the plain text form of the email would be easily snatchable by the one party with any likely chance to actually intercept an email.

Cryptographic signing has a place, but even that falls into the cryptogeek fantasy realm, but if you're into that sorta thing.. you can always join the Debian community.

Re:No (2)

cshark (673578) | more than 2 years ago | (#38430220)

How is it unfortunate? That people aren't buying into transit encryption anymore? It's not the movement of the email you need to worry about. It's what happens when it gets there. If someone steals your computer, email encryption is the least of your worries.

No Need.... (4, Insightful)

superflit (1193931) | more than 2 years ago | (#38429796)

Mostly emails I received are senseless..

Re:No Need.... (2, Insightful)

Spritzer (950539) | more than 2 years ago | (#38429866)

Exactly! And most that I send. Why would I want to encrypt my email? Then I'd just have to explain to everyone on my contact list how to decrypt a grocery list, joke, forwarded Viagra-gram etc.

well (5, Funny)

hjf (703092) | more than 2 years ago | (#38429798)

I don't. I use GMail. I might as well use "1234" as a password.

Re:well (5, Funny)

NonUniqueNickname (1459477) | more than 2 years ago | (#38429898)

May I suggest changing your password to "12345"? It is an order of magnitude safer.

Re:well (5, Funny)

s4m7 (519684) | more than 2 years ago | (#38430026)

So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Re:well (1)

Kjella (173770) | more than 2 years ago | (#38430114)

Oh no, they told me I should never use the same combination twice and I already use that on my luggage! (How many security WTFs is that rolled into one?)

Re:well (4, Insightful)

Grishnakh (216268) | more than 2 years ago | (#38430136)

Seriously speaking, at least with Gmail (or pretty much any other email system out there), you actually have the option of having a password longer than 4 numerical digits, even though it's just for your email. Same goes for most websites; you can have a nice, long secure password on Facebook even though it's only protecting your account where you make inane posts and show stupid pictures of yourself that no one cares about.

But for protecting your financial transactions, your debit/ATM card limits you to those 4 numerical digits. I think there's something wrong with this picture.

Re:well (5, Insightful)

Haeleth (414428) | more than 2 years ago | (#38430210)

The 4-digit PIN normally only applies to buttons that you push with your finger, where brute-force attacks are not really an option. If your bank has ATMs that permit 10,000 attempts before they swallow the card, or uses a 4-digit PIN as a password for their online services, I suggest you take your money elsewhere.

Re:well (0)

Anonymous Coward | more than 2 years ago | (#38430218)

for added security, change the "1" to an "i" as well

Re:well (0)

Anonymous Coward | more than 2 years ago | (#38429910)

Hey that's the same number as my luggage!

No (First Post?) (4, Insightful)

Mitreya (579078) | more than 2 years ago | (#38429800)

No.
We email to people who wouldn't know PGP from ABC

Re:No (First Post?) (3, Insightful)

erikjwaxx (2013612) | more than 2 years ago | (#38429824)

This, unfortunately. I encrypt all mail with PGP that it is feasible to encrypt, taking into account the recipient. So that's, literally, one email message, ever.

Re:No (First Post?) (3, Insightful)

LoadWB (592248) | more than 2 years ago | (#38429876)

This. Encrypting email to those who don't know how to decrypt it is useless. And for those who do, email certificates in Outlook work just fine.

Although, while at a conference I came upon a really nice package called Encryptix (or Encryptics, can't recall which.) It packages up the email, including attachments, encrypts the package, then sends it as an attachment with a link to the viewer. It's trusted by government, so take that for what it's worth to you. And it's not free (yearly subscription, but reasonable) so take that for what it's worth to you.

Is PGP that easy these days? Haven't touched it in years due to reasons already mentioned.

Re:No (First Post?) (2, Informative)

niftydude (1745144) | more than 2 years ago | (#38429936)

I sign all my email with a PGP signature. No one has ever used it to send me an encrypted email.

Re:No (First Post?) (5, Interesting)

flaming error (1041742) | more than 2 years ago | (#38430124)

I was negotiating a mortgage a few years ago, and the bank happily was transitioning from faxes to email. So I sent them all the somewhat sensitive docs they requested, encrypted by hushmail/web. I sent them decryption instructions out of band.

The pretty simple decryption procedure baffled the hell out of them, at first. Then they figured out it was a great excuse to delay the loan. After a few weeks they came back saying they couldn't follow the hushmail retrieval procedure because they had no internet access.

Finally I just faxed everything.

Re:No (First Post?) (1)

Joce640k (829181) | more than 2 years ago | (#38430178)

What we need is clients that do it all seamlessly in the background - the first few emails you send to anybody are used to do key exchange then after that it's encrypted. All the extra gobbledegook attached to the email is stripped off before you see it.

Microsoft could easily have put it into Outlook by default and the world would have followed.

I don't normally go in for conspiracy theories but in this case I think the reason that this isn't being done really is down to visits by the guys in the black SUVs.

Yes (1)

MacDork (560499) | more than 2 years ago | (#38430196)

Between the server and my box, the message is encrypted. I can read my email on an open wifi without concern someone else in the vicinity is snooping. Between my recipient and I, I sign the message with an s/mime certificate. There are a handful of people on the nerdy mailing lists to which I am subscribed that also sign their messages. On the occasion that I need to mail one of them directly, my message is encrypted. Usually though, the message is just to the list or to non-nerds I know IRL, so it's just signed for them.

Nope (1)

Anonymous Coward | more than 2 years ago | (#38429802)

Nothing I send over email is that sensitive (does someone really care who is in charge of Christmas night snacks?)

Because (1)

Anonymous Coward | more than 2 years ago | (#38429808)

Nobody cares what you say in your e-mail communication. And lawyers can subpoena anything they want, unless you delete it first.

nope (1)

jaymz666 (34050) | more than 2 years ago | (#38429812)

Nobody does. Mail with stupid backgrounds and embedded photos abound, but even a signed pgp message never comes across my way

No (0)

Anonymous Coward | more than 2 years ago | (#38429814)

...but I might attach encrypted file(s) if I really wanna keep something super-secret!.

Re:No (3, Informative)

ColdWetDog (752185) | more than 2 years ago | (#38429894)

...but I might attach encrypted file(s) if I really wanna keep something super-secret!.

Yes, this. If I'm sending anything semi sensitive, I just encrypt a file, usually a PDF, and send the password via another method. I wouldn't use this for anything extremely sensitive such as my recurring fantasy to nuke Washington DC from orbit - but for routine stuff it's fine.

And other people can deal with it. PGP encrypted emails - no way.

Re:No (4, Informative)

pclminion (145572) | more than 2 years ago | (#38430030)

Encrypted PDF is tricky. Only the string and stream data of the document is actually encrypted -- all the structural information of the document remains in plain text. The number of pages, the presence of images, size of those images, amount of text on each page can all be easily determined.

If you want to encrypt a PDF, use a file encryption tool, not PDF encryption. It doesn't work quite how you assume it does.
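The leak described in the comment above can be seen without any key. This Python sketch is an added example, not part of the original post: it scans a constructed, abbreviated PDF body and reports what stays readable when only strings and streams are encrypted. The sample bytes, the stand-in ciphertext, the absence of object streams and the direct `/Length` values are all assumptions of this example.

```python
import re

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*")
STREAM_RE = re.compile(rb"\s*stream\r?\n")

def fake_ciphertext(n, seed):
    """Constructed stand-in for encrypted bytes (not real cipher output)."""
    return bytes((seed + 73 * i) % 256 for i in range(n))

def build_sample():
    """Constructed, abbreviated 'encrypted' PDF body: no xref table, not renderable."""
    def obj(num, body, stream=None):
        out = b"%d 0 obj\n%s" % (num, body)
        if stream is not None:
            out += b"\nstream\n" + stream + b"\nendstream"
        return out + b"\nendobj\n"

    def stream_obj(num, extra, stream):
        return obj(num, b"<< %s/Length %d >>" % (extra, len(stream)), stream)

    return b"".join([
        b"%PDF-1.4\n",
        obj(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
        obj(2, b"<< /Type /Pages /Kids [3 0 R 4 0 R] /Count 2 >>"),
        obj(3, b"<< /Type /Page /Parent 2 0 R /Contents 5 0 R "
               b"/Resources << /XObject << /Im1 7 0 R >> >> >>"),
        obj(4, b"<< /Type /Page /Parent 2 0 R /Contents 6 0 R >>"),
        stream_obj(5, b"", fake_ciphertext(1800, 11)),   # page 1 content
        stream_obj(6, b"", fake_ciphertext(240, 23)),    # page 2 content
        stream_obj(7, b"/Type /XObject /Subtype /Image /Width 1200 /Height 800 ",
                   fake_ciphertext(5000, 37)),
        obj(8, b"<< /Title <9f3c51e07ab2> >>"),          # encrypted string
        obj(9, b"<< /Filter /Standard /V 2 /R 3 /Length 128 >>"),
        b"trailer\n<< /Root 1 0 R /Info 8 0 R /Encrypt 9 0 R >>\n%%EOF\n",
    ])

def dict_end(data, start):
    """Return the offset just past the balanced << ... >> that begins at start."""
    depth, i = 0, start
    while i < len(data):
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return i
        elif data.startswith(b"<", i):       # hex string: skip to its '>'
            i = data.index(b">", i) + 1
        else:
            i += 1
    raise ValueError("unterminated dictionary")

def scan_objects(data):
    """Map object number -> (dictionary bytes, stream length or None)."""
    objs, pos = {}, 0
    while (m := OBJ_RE.search(data, pos)):
        pos = m.end()
        if not data.startswith(b"<<", pos):
            continue
        end = dict_end(data, pos)
        d, slen = data[pos:end], None
        sm = STREAM_RE.match(data, end)
        if sm:                               # skip the ciphertext by its length
            length = re.search(rb"/Length\s+(\d+)", d)
            slen = int(length.group(1)) if length else 0
            end = sm.end() + slen
        objs[int(m.group(1))] = (d, slen)
        pos = end
    return objs

def name_of(d, key):
    m = re.search(rb"/" + key + rb"\s*/(\w+)", d)
    return m.group(1) if m else None

def int_of(d, key):
    m = re.search(rb"/" + key + rb"\s+(\d+)", d)
    return int(m.group(1)) if m else None

def leaked_metadata(data):
    """Collect structure that is readable with no decryption key at all."""
    objs = scan_objects(data)
    pages, images = [], []
    for num, (d, slen) in sorted(objs.items()):
        if name_of(d, b"Type") == b"Page":
            ref = re.search(rb"/Contents\s+(\d+)\s+\d+\s+R", d)
            size = objs.get(int(ref.group(1)), (b"", None))[1] if ref else None
            pages.append({"object": num, "content_bytes": size})
        if name_of(d, b"Subtype") == b"Image":
            images.append({"object": num, "width": int_of(d, b"Width"),
                           "height": int_of(d, b"Height"), "stream_bytes": slen})
    return {"encrypted": b"/Encrypt" in data, "page_count": len(pages),
            "pages": pages, "images": images}

if __name__ == "__main__":
    print(leaked_metadata(build_sample()))
```

Wrapping the whole file with a file encryption tool, as the comment recommends, leaves none of these dictionaries visible.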

Re:No (0)

ILongForDarkness (1134931) | more than 2 years ago | (#38430034)

Why nuke from orbit. The subway would be a lot of fun. Since the US doesn't have a manned space program anymore I think it would be more ironic to save the orbit nukes for Cape Canaveral.

Yeah, but (0)

Anonymous Coward | more than 2 years ago | (#38429834)

I do from time to time, still only few of my friends have PGP keys, so it's kinda hard.

Needs publicity (0)

Anonymous Coward | more than 2 years ago | (#38429844)

If GMail, Yahoo, Hotmail...etc, made it a standard feature then people would use it. But as it is today, nobody knows about it.

Re:Needs publicity (1)

Anrego (830717) | more than 2 years ago | (#38429906)

Would have to be done on the client side somehow to be of much value. If you do the decryption on someone else's server.. you are basically giving them a plain text copy.

Not that I particularly distrust gmail.. but if I'm going to be paranoid enough to encrypt my email, I think it's more realistic that my email provider might grab my secret message vice someone at my ISP or via man in the middle attack...

Re:Needs publicity (4, Informative)

Alrescha (50745) | more than 2 years ago | (#38429952)

Both PGP and S/MIME are end-to-end encrypted. Not very useful for webmail users.

A.

Why would we? (1)

Nidi62 (1525137) | more than 2 years ago | (#38429846)

Does anyone here encipher their paper mail?

Re:Why would we? (5, Insightful)

xpwlq (2222992) | more than 2 years ago | (#38429914)

Does anyone here encipher their paper mail?

No, but I also don't leave the envelopes unsealed either.

Re:Why would we? (1)

pclminion (145572) | more than 2 years ago | (#38430066)

The seal of an envelope is not security, it is privacy. If the postman wanted to open your letter, he easily could. He could probably also reseal it such that you wouldn't know he'd opened it (unless you took deliberate precautions against that -- but if you were that worried you wouldn't be using the postal service in the first place).

You simply trust the postman not to open your letters. You trust the ISP not to read your email. There's no difference.

Re:Why would we? (1)

jhantin (252660) | more than 2 years ago | (#38430202)

Communication security is a combination of integrity, authentication, and optionally privacy. You also trust the postman not to modify what you write or forge your signature on your postcards, even though there is no privacy provided by a postcard.

Re:Why would we? (2)

Haeleth (414428) | more than 2 years ago | (#38430150)

Does anyone here encipher their paper mail?

lgnge nfiax paavb fxvzv abval agrrh rcjnf zvarp rnrfy agrgj
zvpju rrgrr rnirr qfvvy bfrcn pbfun lgbur oofqf ffbqp vggrz
hrwug vfprn tcagp pupee buegr vnrnf nxpty lhrau nyoay oheva

A better question is... (1)

Anonymous Coward | more than 2 years ago | (#38429850)

Why bother?

Not me. (1)

pro151 (2021702) | more than 2 years ago | (#38429854)

Just like all of my posts here, my e-mails have no worth and no one in their right mind would want to read them in the first place.

Web Based mail (1)

Anonymous Coward | more than 2 years ago | (#38429858)

I do where possible, but sadly most smartphone email clients and web based email (gmail etc) cannot read S/MIME messages without a browser plugin.

The consensus is "No" (1)

TheRealMindChild (743925) | more than 2 years ago | (#38429870)

and unless you are emailing Richard Stallman with exchanged PGP keys, there are countless systems that look at your emails between here and there. Expecting privacy just doesn't register.

Re:The consensus is "No" (1)

jbeaupre (752124) | more than 2 years ago | (#38430088)

I just avoid the "here" and "there". Use gmail to email people with gmail accounts, yahoo for yahoo, and so on. Nothing ever traverses an external network.

Some of the .gov and .mil addresses are harder to come by. But the security is worth it.

No. (5, Insightful)

Alrescha (50745) | more than 2 years ago | (#38429878)

Slashdotters who know enough to have encrypted such things simply don't send that sort of thing in email.

A.

I don't use it for the encryption (5, Insightful)

digitalderbs (718388) | more than 2 years ago | (#38429880)

I've been using PGP for a few years, and on the odd occasion, I'll send an encrypted email to myself. Part of the problem is that no one knows how to use PGP. I've been sending email to thousands of people in an academic setting, and I've only encountered one other person using PGP.

The reason I keep using PGP, however, is because of digital signing: there's a good guarantee that signed messages were actually sent by me. Headers are fairly trivial to spoof. With PGP, a 'hacker' can only impersonate me if they have access to the private key, which requires physical or ssh access, and he or she must be able to decrypt that key.

That said, I wish more people would encrypt their messages. This should be a no-brainer in a lot of fields, including human rights and for health and human services, and I think the barrier to commit to email encryption is still too great.

Re:I don't use it for the encryption (1)

Anrego (830717) | more than 2 years ago | (#38430046)

This of course assumes the person receiving the spoofed email bothers to read the dialog telling them the signature did not match (and that's assuming their client is even checking).

Re:I don't use it for the encryption (1)

sco08y (615665) | more than 2 years ago | (#38430140)

The reason I keep using PGP, however, is because of digital signing: there's a good guarantee that signed messages were actually sent by me. Headers are fairly trivial to spoof. With PGP, a 'hacker' can only impersonate me if they have access to the private key, which requires physical or ssh access, and he or she must be able to decrypt that key.

But a hacker can spoof you by sending an unauthenticated email just as easily for everything you could want to do online. I've never worked with a business that would take a public key. Without an agreement with the recipient that they only accept authenticated email, you gain nothing.

And I never use that feature when I'm on a network (using e.g. Outlook's secured mail) that offers it unless we're all forced to, which I've never seen. If most people are sending stuff unsigned and unauthenticated, the standard of evidence winds up being "if you've got a copy of what they wrote and what you wrote." So if I keep copies of my email, that's plenty. My digital authentication, in most circumstances, just seems to be a potential source of confusion or, worse, ammo for an unscrupulous person to use against me.

pretty much nope (1)

KingAlanI (1270538) | more than 2 years ago | (#38429882)

the place I worked this summer had it set up (it was an option at my level, maybe it was more mandatory/more necessary elsewhere in the organization)
so I used it on some work email.

other than that, no.
not that paranoid, didn't want to set it up, recipients aren't set up to deal with it (even at the office, some recipients had trouble, especially when reading email on their blackberries)

setup, key exchange (1)

Anonymous Coward | more than 2 years ago | (#38429886)

IF the setup, key exchange etc would be easy as 1-2-3 or ie as Skype does in background... Then everybody would use it.
Currently it's just too hard to use for average user.

Because it's hard for people to understand. (2)

bmo (77928) | more than 2 years ago | (#38429916)

Encryption is easy

Getting the people in your address book to encrypt their email is another story. They think that their internet provider's terms of service and privacy policies mean their email is private. This does not take into account other service providers, pipes, and countries along the way that have other ideas about unencrypted streams of text.

Instant messaging over ssl or other end-to-end encryption (like skype) is more secure, as a result.

--
BMO

Re:Because it's hard for people to understand. (0)

Anonymous Coward | more than 2 years ago | (#38430028)

Why do you trust Skype?

Re:Because it's hard for people to understand. (1)

bmo (77928) | more than 2 years ago | (#38430070)

Oh boy, talk about putting words in my mouth. I don't "trust" skype any more than I trust any other company. However, it's better than nothing.

Go read it again, bright boy.

--
BMO

Opportunistic encryption (1)

nickovs (115935) | more than 2 years ago | (#38429920)

Ultimately decisions about email encryption come down to what threats you think you might be protecting yourself against. I have a PGP key, and on occasion I use it to sign and decrypt emails when I think it matters. The rest of the time I send mail, over SSL, through my own mail server, which will use SMTP's 'startTLS' command whenever possible. Most people I know read their mail either using SSH on the machine that runs the mail server or over some SSL-protected IMAP or webmail interface. Thus, for most cases, the mail is encrypted in transit but never encrypted on the servers. If the threat is one of people eavesdropping then this keeps me safe; if the threat is one of hackers targeting one of the mail servers then it doesn't. Most of my mail doesn't warrant any more effort to achieve any more security.

Re:Opportunistic encryption (0)

Anonymous Coward | more than 2 years ago | (#38430112)

If the threat is one of people eavesdropping then this keeps me safe; if the threat is one of hackers targeting one of the mail servers then it doesn't.

It leaves you open to anyone with privileged access to any mail server on the path. You may control your own server, but what about the recipient's server? Companies that do not respect client privacy, or dishonest employees, are possibly a more serious concern than "hackers". Then there are governments, some of which might lean rather hard on server owners.
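An added illustration of the point made in the two comments above (not code from either poster): with hop-by-hop TLS, each relay still handles the plaintext. The Python below reads the `Received` trace of a constructed message and lists which links were protected and which servers held the cleartext. The host names, addresses and dates are made up for the example, and the headers are assumed to be written honestly by each relay.

```python
import re
from email import message_from_string

# "with" protocol keywords that RFC 3848 registers for TLS-protected sessions.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed message: reserved .example hosts and documentation IP ranges.
# Each relay prepends its Received line, so the newest hop is at the top.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with LMTP id c3;
\tTue, 20 Dec 2011 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id b2;
\tTue, 20 Dec 2011 10:00:02 +0000
Received: from home.sender.example (home.sender.example [192.0.2.10])
\tby relay.isp.example with ESMTPS id a1;
\tTue, 20 Dec 2011 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test message

Body text that every relay above could read.
"""

HOP_RE = re.compile(
    r"(?:from\s+(?P<src>\S+).*?)?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>\w+)"
)

def trace_hops(raw_message):
    """Return the delivery path in chronological order, one dict per hop."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))   # unfold the header first
        if not m:
            continue
        proto = m.group("proto").upper()
        hops.append({
            "from": m.group("src"),
            "by": m.group("dst"),
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS,
        })
    return hops

def cleartext_links(hops):
    """Links where the receiving server did not record a TLS session."""
    return [(h["from"], h["by"]) for h in hops if not h["tls"]]

def plaintext_holders(hops):
    """Every server that accepted the message saw it unencrypted, TLS or not."""
    seen = []
    for h in hops:
        if h["by"] not in seen:
            seen.append(h["by"])
    return seen

if __name__ == "__main__":
    path = trace_hops(SAMPLE)
    for h in path:
        state = "TLS" if h["tls"] else "cleartext"
        print(f'{h["from"]} -> {h["by"]}: {h["protocol"]} ({state})')
    print("servers that held the plaintext:", plaintext_holders(path))
```

Only end-to-end encryption such as PGP or S/MIME removes the relays from the list of parties able to read the body.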

There is very little that needs to be (0)

Anonymous Coward | more than 2 years ago | (#38429922)

Because there is very little reason to actually encrypt most emails.
The only situation that I can think of that would require encryption is if I wanted to send someone sensitive material, and we both had the infrastructure to handle it. Most cases this won't be an ongoing requirement so it is cheaper and easier to pay for a courier and/or a lock-box.

What would be more useful is not encryption, but digital signatures for authentication and integrity. At work I am required to sign all emails with a two factor authentication method and I know 90% of my emails originate from work.

Nope (0)

Anonymous Coward | more than 2 years ago | (#38429926)

No one else I deal with has the proper certificate. I cannot encrypt any emails to others without the certificate. And good luck getting someone else to set up OpenPGP and exchanging keys that way.

Another problem with doing that is that you have to make your public key available, which means that anyone, anywhere can access your email address. No more security by obscurity for all of the mail addresses. Why make them guess common addresses or munge them when they can just look?

No Need (-1)

Anonymous Coward | more than 2 years ago | (#38429928)

I use Gmail so Google already has access to them, and has searched them already. My password is "123456". Wait no that is the combination for my luggage. It's "password"

If it was not for WebMail, I would use S/MIME (0)

Anonymous Coward | more than 2 years ago | (#38429932)

PGP is actually quite a pain.
S/MIME is way easier to use if you have a dedicated email client.
And indeed I have used S/MIME from time to time at work when I need to communicate anything sensitive.

Unfortunately, when communicating with family and friends, S/MIME is not an option because they use Webmail (yahoo & gmail);
you cannot really encrypt anything there.
(without painful separate step of decrypting it outside the browser)
But this is the best you can get for free.

igor

What's the point (1)

Anonymous Coward | more than 2 years ago | (#38429938)

Encryption can only deal with the body of text. But who you are talking to cannot be encrypted, and that is almost as valuable as the contents.

Nyup (0)

Anonymous Coward | more than 2 years ago | (#38429942)

F-Costs a lot and To: dont know how to read.
U-Got no time to mess with that which no one
C-will read anyway. I.e., don't waste my
K-time, dude.

It depends (1)

lazycam (1007621) | more than 2 years ago | (#38429944)

Like most of us here, if someone was eavesdropping in on my communications they would not learn much. I've messed around with PGP in the past but quit using it after I thought about how silly it was to encrypt things like my grocery list. I pity the poor NSA analyst who after several long months of breaking my key simply learns that I had run out of milk and tampons. Going back to reality, I have found it necessary in the past to go through the trouble encrypting my instant messaging traffic. If most people are like me, my messaging behavior is significantly less formal and I would be very embarrassed if some of these discussions surfaced. Fortunately, most standard messaging software uses built in encryption or have plugins. I think encrypting email traffic is generally a good thing, but unless you work for a company where serious consequences for information disclosures I do not suspect PGP as a standard will ever catch on.

Prerequisites to Widespread Encryption Use (1)

divide overflow (599608) | more than 2 years ago | (#38429948)

I've used it with a few friends. Until both mail client software and popular webmail services implement PGP and make its use trivially easy then email encryption will remain a rarity.

Well yeah... (4, Interesting)

Panaflex (13191) | more than 2 years ago | (#38429954)

In our business, I routinely communicate with customers using s/mime mail. We set it up as part of the contract (not in the terms, just as part of the meet-n-greet kickoff), so anything related to the contract work goes through encrypted.

Crypto is our business... so it only makes sense.

Ubiquity (1)

bazald (886779) | more than 2 years ago | (#38429966)

There isn't enough incentive to get ordinary users on board. Without recipients' use of PGP/GnuPG, I have no public keys to use and cannot encrypt my e-mails. I sign 99.9% of my e-mails, but nobody ever checks the signatures. Sometimes people ask me what the headers are about, and I'm happy to explain it to them. They usually don't end up caring. Again, to be more blunt, ordinary users see no incentive to get on board.

If you're of interest (2, Informative)

AHuxley (892839) | more than 2 years ago | (#38429970)

Your computer will be software or hardware bugged.
Carrieriq showed the plain text deep state joy of https efforts on your average open or closed US mobile device.
Sending encrypted mail will just make the NSA more curious.
Sit down with your family, friends, faith group, business associates and work out a few simple comments that can flow into any text.

Well... (1)

93 Escort Wagon (326346) | more than 2 years ago | (#38429978)

I tried encrypting my mail for a while, but gave up. Bottom line - I got tired of explaining to people what they needed to do just to read my email.

Then I tried just digitally signing my email. That caused problems too, because most of our end users have Outlook and Outlook had issues with responding/forwarding when multiple people are involved. A lot of the emails that come my way end up being part of long multi-user threads.

Now I'm on Gmail, so there's not even an encryption option available. Well, technically, it's encrypted when I read it over https I guess... but that only counts if you're being pedantic.

It'd have to be worth encrypting (1)

russotto (537200) | more than 2 years ago | (#38429982)

Except for work, my email is pretty darn non-interesting to anyone. Well except the ones that contain steganographic payloads, but they don't look encrypted of course :-).

For internal work email, my employer owns the email system and I connect to it via encrypted connection. Aside from in my browser it never leaves their system. No need for additional encryption.

The most significant mail I get is commercial (1)

Anonymous Coward | more than 2 years ago | (#38429988)

And they aren't going to send stuff to me in an encrypted fashion, I'm lucky when the site is in HTTPS.

Everything else is just so much junk, if you really want to see pictures of my relatives' pets, or the various musings of random jokesters that they feel compelled to share, you are welcome to them.

Just post your email in reply to this post, and I'll forward it ALL to you.

Banking and other places needing secure messaging (0)

Anonymous Coward | more than 2 years ago | (#38430006)

I wish my online banks did.

I used to have to reset most of my bank passwords all the damn time - mainly because they used some insane combination of alphanumerics and punctuation. That usually meant them emailing me a new password I had to change the next time I logged in. I've never lost any money, or had my accounts hacked as far as I know because I've deliberately kept the window as small as possible. But it is only a matter of time.

Nowadays, I keep my passwords written down in an encrypted file on my hard drive so I don't have to change them again.

I'd love to ! (4, Informative)

mystik (38627) | more than 2 years ago | (#38430010)

My sig (since 2002/2001) on /. has been "Why arn't you encrypting your email?".

The answer is simple -- there was never a critical mass of people exchanging keys nor was there an easy-to-explain web of trust, nor was there a simple, free reliable certificate authority.

In 2002, Outlook Express offered integrated s/mime encryption + digital signatures. Once you installed your certificate (which, was simply double clicking a .p12 file, and entering your import password), you could encrypt or sign email going out, with a single click. It verified signatures in inbound email too, all in an integrated UI.

No one I knew used it.

Even today; Windows Live mail + Thunderbird offer integrated s/mime encryption. Maybe 1 or 2 of my technically literate friends use it. And of those 2, I think only one persists using it to this day.

Back then, when all I had was my Palm Pilot IIIxe, I thought "Whoa. I hold in my hand a portable computer that I can use to exchange digital signatures with". I even kept my pgp key in a note I could beam to someone, given the chance. Never happened.

Nowadays, even APG on Android doesn't let me exchange keys with someone I meet on the street, on the off chance they happen to use it. Secure key exchange would be a trivial problem for today's smart phones (provided the carrier isn't using carrieriq to swipe your data....), but there still is no critical mass to make this worthwhile.

And, with most folks using webmail, you'd have to come up with a hackish way to encrypt mail client side (pgp copy/paste to the clipboard? w/ Rich text? attachments?), or just hand your keys to your provider. Doing the encryption server side would make the service provider an easy target for legal and hacking threats.

It's a tough nugget to crack, and it's not going to be solved until mail encryption is as easy to use as Facebook.

Re:I'd love to ! (0)

Anonymous Coward | more than 2 years ago | (#38430086)

You would love to encrypt your email - what for ? You walk around and talk to people 'unencrypted', your phones are not encrypted - so why the email ? Especially considering 99% of emails sent have nothing sensitive in them! I still can't believe you walked around with a PGP key on your smartphone.

LOL :) you need to get back on Earth.. and get a bit grounded.

Re:I'd love to ! (1)

pinkeen (1804300) | more than 2 years ago | (#38430158)

The exchange of keys isn't that big of a problem. You just need a catalogue of e-mail addresses associated with public keys. If there was a standard for that then each mail provider could host such automatic catalogue. If you trust most e-mail providers that mostly solves the trust issue.

If you don't care about checking authenticity, only about encryption (ex. assume that the contents of the message tell you that it's legit) then it really doesn't matter where do you get the public key from. Worst that could happen is that the recipient won't be able to read your e-mail.

no one cares (0)

Anonymous Coward | more than 2 years ago | (#38430032)

Seriously do you say anything via email that actually needs to be encrypted. Hell most of my emails probably wouldn't make much sense to most people.

You had me at "highly insecure" (4, Insightful)

Angst Badger (8636) | more than 2 years ago | (#38430038)

Email is simply not a medium I would even consider using for sending sensitive information precisely because there are countless places between me and my correspondents where a message could be intercepted. In such circumstances, encrypting my email would simply alert anyone watching that something sensitive is being transmitted. And since the only "anyone watching" that I'd worry about is the government, why bother attracting the attention? If they want to know what I'm sending, all they have to do is wait for me to go to work, enter my house, and install a keylogger on my box. It's not like they even need warrants nowadays for that crap.

If I was going to do something I wanted to hide from the government -- and let's face it, that would almost have to be a major federal felony -- and if I absolutely had to have documentation and accomplices, none of it would be in electronic form to begin with, never mind transmitted over the public internet. Encryption is useful for governments and major corporations that are basically above the law. It's not terribly useful for private citizens unless you're just trying to hide your porn folder from your roommate.

Why don't I encrypt? (0)

Anonymous Coward | more than 2 years ago | (#38430052)

I don't send anything important over email. If it's work related, that's not my problem - that's the company's problem.

work in healthcare (1)

ILongForDarkness (1134931) | more than 2 years ago | (#38430060)

Connection between nearby hospitals' mail servers runs through an encrypted network; everything else is unencrypted, and employee policy is that nothing patient related goes to anyone outside of the encrypted network. Personal email: I save all my offensive remarks for /. posts; my email is pretty boring actually.

Re:work in healthcare (0)

Anonymous Coward | more than 2 years ago | (#38430216)

Check out the direct project!

No, but.. (1)

Roogna (9643) | more than 2 years ago | (#38430074)

I also consider e-mail an untrusted source and simply don't use it at all for items that would require encryption.

It'd be great if we -could- use it as a trusted and encrypted form of communication though, but it's only useful that way if it works in all cases.

I don't (5, Funny)

Anonymous Coward | more than 2 years ago | (#38430080)

If I encrypted it the government would start reading it.

Yes and no (1)

eagl (86459) | more than 2 years ago | (#38430082)

I encrypt work email whenever it includes private or sensitive information. But that is only because my company has a global email address book and every single user has published encryption certificates. My company has also mandated that every email gets digitally signed, whether it is encrypted or not.

Which brings me to my no answer, my personal email. I would encrypt all personal email if I could, but the problem is that it is unlikely I could get all of my email recipients (or even most of them) to bother to deal with keys and making sure their email client could decrypt as required. Not only that, I use webmail a lot and it's not easy to get everyone onboard the same scheme that would allow encrypted email via webmail.

If everyone did it, then heck yes I'd encrypt all of my personal email too. If it was as easy as Microsoft putting a big button "enable encryption", along with another button "send public key to email correspondent", then everyone would be using encrypted email. But they won't, so I'm pretty much out of luck.

Why would I? (0)

Anonymous Coward | more than 2 years ago | (#38430108)

I encrypt things where it seems to make sense.

For example, personal data on my laptop is all encrypted, because there is a highly plausible threat scenario where my laptop is stolen and the thief uses details from my contacts database, internet history, etc. to conduct identity fraud.

My online backups are all encrypted, because there's no way I'm trusting a random online storage provider with the personal data I don't trust to be safe in my own briefcase.

I don't encrypt my email because it doesn't make sense. What would I be protecting it from? For me, as a non-dissident citizen of a non-oppressive country, what threat exists that would be countered by encrypted email?

Criminals don't have the ability to intercept email on a sufficiently wide scale for identity fraud to be a concern. Government? But I'm not a tinfoil-hat conspiracy nut, so I have no reason to believe my government is a threat to me, and in any case they would have other ways of getting past any encryption I used.

And there's also the little snag that as of today, using encrypted email is basically shouting out "HEY, NSA! I THINK I HAVE SOMETHING TO HIDE FROM YOU! MAYBE I'M JUST PARANOID BUT YOU REALLY SHOULD CHECK ME OUT IN CASE I'M A TERRORIST! HERE IS MY EMAIL ADDRESS AND THIS IS THE IP ADDRESS OF MY COMPUTER, SEE YOU SOON!" ... even having nothing to hide, I'm not sure why I would want to do that.

Seriously. Why the fuck would I want to encrypt my email? It's just extra hassle for everyone involved, and the benefits seem to be pretty non-evident.

I encrypt my Facebook posts (0)

Anonymous Coward | more than 2 years ago | (#38430126)

Who uses email anymore?

Don't communicate sensitive information in email! (0)

Anonymous Coward | more than 2 years ago | (#38430130)

Don't communicate sensitive information in email! Whether it is encrypted or not!

I DO, like every DD (5, Insightful)

GPLHost-Thomas (1330431) | more than 2 years ago | (#38430154)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Like every of the ~800 Debian developer in this world, I do use
encryption, and know how to handle PGP keys. My private key is encrypted
in a dm-crypt partition of 2 of my laptop, and I have a revoke
certificate handy burnt on a CD. My GPG fingerprint is also written on
my business card, so that everyone who I met can fetch my private key
from any of the major key servers, and check its fingerprint. My public
key is signed by about a dozen different people, mostly other Debian
developers, which is a strong "web of trust". If everyone was printing
his GPG key on a business card, I could also send encrypted emails, but
I've seen only other DDs doing it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ [mozdev.org]

iEYEAREDAAYFAk7wBSAACgkQl4M9yZjvmklYVACfXYV3ncJnZuKosZJ8k0ZSzc3t
SpQAn0eYtQCIrQeTcBgA1b+Yz58OVqCJ
=EQHO
-----END PGP SIGNATURE-----
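The fingerprint check described in the comment above, as an added example that is not part of the original post or anyone's signed message: a key server does not vouch for what it serves, so the fetched key is accepted only if its full version 4 fingerprint (SHA-1 over the public-key packet, per RFC 4880 section 12.2) equals the one printed on the card. The key values, creation time and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet holding an RSA key (algorithm 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def as_printed(fp: str) -> str:
    """Group a fingerprint in blocks of four, the way it is usually printed."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))

def normalize(printed: str) -> str:
    """Drop whitespace, colons and an optional 0x prefix; upper-case the rest."""
    s = "".join(printed.split()).replace(":", "").upper()
    return s[2:] if s.startswith("0X") else s

def matches_card(body: bytes, printed: str) -> bool:
    """True only if the full 160-bit fingerprint of the fetched key equals the card."""
    want = normalize(printed)
    if len(want) != 40 or any(c not in "0123456789ABCDEF" for c in want):
        return False  # reject 8- or 16-digit key IDs and malformed input
    return hmac.compare_digest(v4_fingerprint(body), want)

# Constructed sample values (not usable RSA keys, illustration only).
CREATED = 1324339200
GENUINE = rsa_packet_body(CREATED, (1 << 127) - 1, 65537)
SUBSTITUTED = rsa_packet_body(CREATED, (1 << 127) - 3, 65537)  # different key material
CARD = as_printed(v4_fingerprint(GENUINE))  # what the owner printed on the card

if __name__ == "__main__":
    print("card:       ", CARD)
    print("genuine:    ", matches_card(GENUINE, CARD))
    print("substituted:", matches_card(SUBSTITUTED, CARD))
    print("key ID only:", matches_card(GENUINE, normalize(CARD)[-8:]))
```

The fingerprint covers the creation time as well as the key material, so a key with the same user ID but different contents cannot pass the comparison.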

Yes. I've been using PGP for a long time. (3, Informative)

mortonda (5175) | more than 2 years ago | (#38430170)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Why, yes. Yes I do. At least for the few recipients that do too. And
all my messages are signed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ [mozdev.org]

iD8DBQFO8AWNUy30ODPkzl0RAr75AJ9qYq94sfL00DZxCb3e1tL/HX4uIACeLlbJ
RYRY0ZwfXoKwpyEJn0JzJ2Q=
=fy5a
-----END PGP SIGNATURE-----

Because a lot of people don't use email clients! (0)

Anonymous Coward | more than 2 years ago | (#38430172)

PGP works well with a good email client, but a lot of folks use web mail. It probably is that simple.

Secure within a single server (1)

steveha (103154) | more than 2 years ago | (#38430186)

I run my own mail server. Anyone connecting to it over the Internet must use an encrypted connection for receiving or sending mail; I don't even open the insecure ports in my firewall. A few of my friends and family members have accounts on my server.

So, when I send email to family members who are using my server, my email is encrypted while going onto the server and being pulled from the server.

This doesn't solve the general problem but it is better than having only insecure email.

The biggest secrets I send over email anyway tend to be the dates we are going on vacation; it is unlikely that anyone would intercept our email and decide to burglarize our home, but why risk it?

If we have a file with secret data we want to send, we usually just use SSH to copy it to one server or another. I'm not the only geek in my family and several of us have Linux servers running SSH.

steveha

ZxyRbcM2 (0)

Anonymous Coward | more than 2 years ago | (#38430198)

w.pozkemrkp3.,1zeQmv@aq#mxPwfo7rbclftmB4t2wao
3hp3.xirmd8301kemfuzjeiqoejpakdhqcxhpyhididsyrdy05

All the time (2)

cachimaster (127194) | more than 2 years ago | (#38430204)

If you do software remotely with a group of people, in my experience some kind of email encryption is always used, even by non-programmers/managers.
I have observed that technical people are more inclined to use pgp/enigmail solutions, while corporate clients tend to use S/MIME.

Not everything I write is encrypted, but non-encrypted work-related sensible stuff is the exception, not the rule.

Are you actually stupid enough to send secrets (0)

Anonymous Coward | more than 2 years ago | (#38430208)

...via email?

So my question is: Do you encrypt anything else?
