December 06, 2000, 12:00 AM — My friend Fred Avolio has been making me feel guilty about not trying
to use secure email. In his latest essay (Fred is an independent
network security consultant and he also writes a regular series of
essays), he encourages his readers to start using digital signatures
and encrypt their message traffic. He claims, and I completely
agree, if we continue treating our electronic correspondence as
worthless, then eventually our businesses will suffer.
So, how hard can it be? Well, after trying several different
technologies, I have come to a conclusion: secure email is still the
pits. Sorry Fred, much as I'd like to follow your shining example, I
just can't get anything to work here at Strom HQ. For the time being,
my email is still going out in the clear, unencrypted form it always
When I last wrote about this topic a few years ago, Marshall Rose and I
were deep into research for our book "Internet Messaging". You can read
the original essay here (http://strom.com/email), as well as find links
to a longer excerpt that appeared in Cisco's Internet Protocol Journal
on the topic. And copies of the book are still available too (including
a wonderful preface written by Penn of Penn and Teller fame)!
Not much has changed in the two-and-a-half years since I wrote that
essay. Standards are no help whatsoever; indeed, as more products
support S/MIME, more implementation issues crop up. Products are
difficult to use and setup (I'll get to that in a moment). And keeping
track of your cryptographic infrastructure can drive anyone nuts.
Truly, only the most motivated paranoid could persevere and really use
these products anyhow.
First I tried a regular digital certificate and Microsoft Outlook.
After retrieving my certificate (I created one years ago but never used
it) and I imported it into Outlook. Outlook 2000 has a zillion
different security settings, and I am still not sure that I set things
up properly. One clue: whenever I try to send a message with a cert
attached, Windows tells me that there has been some protection
violation by Outlook. So much for that path.
So I tried a few other products that claim to be dirt simple to use.
Well, they got the first word right -- they are pretty dirty. I took a
look at three of them:
* SecureDelivery.com has a web-based client, in addition to working
with Yahoo Mail and Outlook
* CertifiedMail.com has Web, Outlook and Notes software
* Safe-Mail.com has just a Web client
The SecureDelivery add-on to Yahoo Mail is the easiest to use. You just
click on a button while composing a message and send it. That's about
the easiest thing I can imagine.
By Web client, I mean that you ultimately have to read and or compose
your secure messages inside your Web browser. Yes, you do have a
secured (SSL) session, which does encrypt the conversation between you
and their Web server over the wire.