Secure Email is Still the Pits

My friend Fred Avolio has been making me feel guilty about not trying

to use secure email. In his latest essay (Fred is an independent

network security consultant and he also writes a regular series of

essays), he encourages his readers to start using digital signatures

and encrypt their message traffic. He claims, and I completely

agree, that if we continue treating our electronic correspondence as

worthless, then eventually our businesses will suffer.

So, how hard can it be? Well, after trying several different

technologies, I have come to a conclusion: secure email is still the

pits. Sorry Fred, much as I'd like to follow your shining example, I

just can't get anything to work here at Strom HQ. For the time being,

my email is still going out in the clear, unencrypted form it always

has been.

When I last wrote about this topic a few years ago, Marshall Rose and I

were deep into research for our book "Internet Messaging". You can read

the original essay here, as well as find links

to a longer excerpt that appeared in Cisco's Internet Protocol Journal

on the topic. And copies of the book are still available too (including

a wonderful preface written by Penn of Penn and Teller fame)!

Not much has changed in the two-and-a-half years since I wrote that

essay. Standards are no help whatsoever; indeed, as more products

support S/MIME, more implementation issues crop up. Products are

difficult to use and set up (I'll get to that in a moment). And keeping

track of your cryptographic infrastructure can drive anyone nuts.

Truly, only the most motivated paranoid could persevere and really use

these products anyhow.

First I tried a regular digital certificate and Microsoft Outlook.

After retrieving my certificate (I created one years ago but never used

it), I imported it into Outlook. Outlook 2000 has a zillion

different security settings, and I am still not sure that I set things

up properly. One clue: whenever I try to send a message with a cert

attached, Windows tells me that there has been some protection

violation by Outlook. So much for that path.

So I tried a few other products that claim to be dirt simple to use.

Well, they got the first word right -- they are pretty dirty. I took a

look at three of them:

* has a web-based client, in addition to working

with Yahoo Mail and Outlook

* has Web, Outlook and Notes software

* has just a Web client

The SecureDelivery add-on to Yahoo Mail is the easiest to use. You just

click on a button while composing a message and send it. That's about

the easiest thing I can imagine.

By Web client, I mean that you ultimately have to read and/or compose

your secure messages inside your Web browser. Yes, you do have a

secured (SSL) session, which does encrypt the conversation between you

and their Web server over the wire. So there is some encryption

involved. Now, realize that I am talking about using the browser here --

not any email client like Outlook or Netscape Messenger. Even with a

browser, lots of problems exist with these products and they

really don't offer ironclad security.

First off, by using Yahoo's mail client, you have to trust that some

nefarious person isn't monitoring the path between Yahoo and

SecureDelivery's servers. Second, the SecureDelivery system, like

Safe-Mail and CertifiedMail, doesn't actually deliver email messages to your

recipients. Instead, they deliver a notification message that includes

a URL pointing to a secure Web site where you can retrieve your

encrypted message.

For both SecureDelivery and CertifiedMail, all of your recipients have

to open an account to read your messages. Opening an account involves a

few steps and going back and forth from your browser to your email

client before you get everything working. Safe-Mail sends a

notification message with a temporary ID and password; while making

message retrieval easier, it is also less secure since someone could

intercept the notification message and sign in as you.

Speaking of trust, all of these systems require you to trust that these

companies' data centers are up to snuff, their procedures are solid,

and they really know what they are doing. It doesn't do you any good if

someone mistakenly copies your messages and leaves them on a public

directory, for example. A good security consultant (like my friend

Fred) would audit all of their procedures before signing off on any

assessment of their security service.

For these three products, even though they try to make things simple,

the whole process is still harder than it should be -- involving far

too many steps in exchanging messages. You still need

extensive understanding of public key infrastructure, certificate

management, and how your email client works. For example, these

products provide a very misleading dialog box indicating the message

has been sent. In reality, it's just hanging out in your outbox queue.

Fred had trouble using these products too, and he knows tons more about

secure email than yours truly.

Another limitation of these products concerns email attachments. Of

course, you'd expect these products to support attachments,

but SecureDelivery can't include attachments if you use their Web

client. If you use Yahoo Mail or their Outlook plug-in, then it works

just fine.

Safe-Mail offers the most flexibility of the trio. In addition to

sending the notifications to anyone, you can also send ordinary

unencrypted email or only send secure messages to known recipients.

Nice, but your recipients have to be using its system.

Can you track what happens to your messages? CertifiedMail, like its

name implies, provides the best message tracking features of the three.

You can view when your message was opened and if it was tampered with

along the way, although I am not sure I trust their system to tell me

the complete truth about the latter. The others offer some tracking

features as well.

Numerous other products out there claim to help you with securing your

email., for example, provides an anonymous certificate for

encrypting your messages if you can figure out how to use it with your

email program. Products like Interosa, Sigaba and Disappearing also can

be used to secure your messages.

In short, the whole lot is just trouble. For the time being, I am still

in the dinosaur age of unencrypted email. Maybe if I have a few spare

hours some day, I will try to get those certs working with Outlook so

at least I can sign my messages. But I won't bet on it happening

anytime soon. That doesn't mean that I won't still feel guilty about it.
