Secure Email is Still the Pits
My friend Fred Avolio has been making me feel guilty about not trying
to use secure email. In his latest essay (Fred is an independent
network security consultant and he also writes a regular series of
essays), he encourages his readers to start using digital signatures
and encrypt their message traffic. He claims, and I completely
agree, that if we continue treating our electronic correspondence as
worthless, then eventually our businesses will suffer.
So, how hard can it be? Well, after trying several different
technologies, I have come to a conclusion: secure email is still the
pits. Sorry Fred, much as I'd like to follow your shining example, I
just can't get anything to work here at Strom HQ. For the time being,
my email is still going out in the clear, unencrypted form it always
has been.
When I last wrote about this topic a few years ago, Marshall Rose and I
were deep into research for our book "Internet Messaging". You can read
the original essay here (http://strom.com/email), as well as find links
to a longer excerpt that appeared in Cisco's Internet Protocol Journal
on the topic. And copies of the book are still available too (including
a wonderful preface written by Penn of Penn and Teller fame)!
Not much has changed in the two-and-a-half years since I wrote that
essay. Standards are no help whatsoever; indeed, as more products
support S/MIME, more implementation issues crop up. Products are
difficult to use and set up (I'll get to that in a moment). And keeping
track of your cryptographic infrastructure can drive anyone nuts.
Truly, only the most motivated paranoid could persevere and really use
these products anyhow.
First I tried a regular digital certificate and Microsoft Outlook.
After retrieving my certificate (I created one years ago but never used
it), I imported it into Outlook. Outlook 2000 has a zillion
different security settings, and I am still not sure that I set things
up properly. One clue: whenever I try to send a message with a cert
attached, Windows tells me that there has been some protection
violation by Outlook. So much for that path.
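What Outlook is hiding behind all those security settings is an S/MIME sign-and-verify round trip. Here is that round trip done by hand with the openssl command-line tool, as an added example that is not part of this essay and not code from any of the products discussed. It assumes a Unix-like shell with openssl on the PATH; the sender identity alice@example.com and the message text are made up for illustration. The last step edits the signed body and confirms that verification then fails, which is the whole point of signing a message in the first place.

```shell
#!/bin/sh
# Added example, not code from the essay or from any product it reviews:
# the S/MIME sign/verify round trip that a mail client wraps in dialog
# boxes, done by hand with the openssl command-line tool. Assumes openssl
# is on the PATH. The identity alice@example.com and the message body are
# made up for illustration.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Step 1: a throwaway key pair and self-signed certificate. A real S/MIME
# cert is issued by a CA that checked you control the mailbox; self-signed
# is enough to exercise the mechanics.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=alice@example.com" \
        -keyout alice.key -out alice.crt >/dev/null 2>&1
}

# Step 2: sign a plain-text body. -sign emits a multipart/signed MIME
# message: the text stays readable, and a detached PKCS#7 signature over
# it rides along as the second part. -text adds the text/plain headers a
# mail client would add itself.
sign_message() {
    printf 'The wire transfer to account 4471 is approved.\n' > msg.txt
    openssl smime -sign -text -in msg.txt -out msg.signed \
        -signer alice.crt -inkey alice.key
}

# Step 3: verify a signed message against the trusted certificate. Exits 0
# and writes the recovered body to msg.verified when the signature checks
# out, non-zero otherwise. -CAfile names the self-signed cert as the trust
# anchor because there is no CA chain here.
verify_message() {
    openssl smime -verify -text -in "$1" -CAfile alice.crt \
        -out msg.verified >/dev/null 2>&1
}

# The recovered body comes back with S/MIME canonical CRLF line endings,
# so strip the CRs before comparing it with what was signed.
recovered_body_matches() {
    [ "$(tr -d '\r' < msg.verified)" = "$(cat msg.txt)" ]
}

# Step 4: play the man in the middle and edit the readable body. The
# signature was computed over the original text, so it no longer matches.
tamper_message() {
    sed 's/approved/rejected/' msg.signed > msg.tampered
}

# Stand-alone run: sign, verify the clean copy, then show the tampered
# copy being rejected.
demo() {
    make_cert
    sign_message
    if verify_message msg.signed && recovered_body_matches; then
        echo "clean copy: signature good, body intact"
    else
        echo "clean copy: verification failed" >&2
        return 1
    fi
    tamper_message
    if verify_message msg.tampered; then
        echo "tampered copy: accepted (this must not happen)" >&2
        return 1
    fi
    echo "tampered copy: signature rejected"
}

demo
```

Note what the signed message does not do: anyone on the path can still read it, because signing and encrypting are separate operations. Encrypting to a recipient would need that recipient's certificate as well, which is exactly the key-distribution chore the rest of this essay complains about.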
So I tried a few other products that claim to be dirt simple to use.
Well, they got the first word right -- they are pretty dirty. I took a
look at three of them:
* SecureDelivery.com has a web-based client, in addition to working
with Yahoo Mail and Outlook
* CertifiedMail.com has Web, Outlook and Notes software
* Safe-Mail.com has just a Web client
The SecureDelivery add-on to Yahoo Mail is the easiest to use. You just
click on a button while composing a message and send it. That's about
the easiest thing I can imagine.
By Web client, I mean that you ultimately have to read and/or compose
your secure messages inside your Web browser. Yes, you do have a
secured (SSL) session, which does encrypt the conversation between you
and their Web server over the wire. So there is some encryption
involved. Now, realize that I am talking about using the browser here --
not any email client like Outlook or Netscape Messenger. Even with a
browser, lots of problems exist with these products and they
really don't offer ironclad security.
First off, by using Yahoo's mail client, you have to trust that some
nefarious person isn't monitoring the path between Yahoo and
SecureDelivery's servers. Second, the SecureDelivery system, like Safe-
Mail and CertifiedMail, don't actually deliver email messages to your
recipients. Instead, they deliver a notification message that includeds
a URL pointing to a secure Web site where you can retrieve your
encrypted message.
For both SecureDelivery and CertifiedMail, all of your recipients have
to open an account to read your messages. Opening an account involves a
few steps and going back and forth from your browser to your email
client before you get everything working. Safe-Mail sends a
notification message with a temporary ID and password; while making
message retrieval easier, it is also less secure since someone could
intercept the notification message and sign in as you.
Speaking of trust, all of these systems require you to trust that these
companies' data centers are up to snuff, their procedures are solid,
and they really know what they are doing. It doesn't do you any good if
someone mistakenly copies your messages and leaves them on a public
directory, for example. A good security consultant (like my friend
Fred) would audit all of their procedures before signing off on any
assessment of their security service.
For these three products, even though they try to make things simple,
the whole process is still harder than it should be -- there are far
too many steps involved in exchanging messages. You still need
extensive understanding of public key infrastructure, certificate
management, and how your email client works. For example, these
products provide a very misleading dialog box indicating the message
has been sent. In reality, it's just hanging out in your outbox queue.
Fred had trouble using these products too, and he knows tons more about
secure email than yours truly.
Another limitation of these products concerns email attachments. Of
course, you'd expect these products to support attachments,
but SecureDelivery can't include attachments if you use their Web
client. If you use Yahoo Mail or their Outlook plug-in, then it works
just fine.
Safe-Mail offers the most flexibility of the trio. In addition to
sending the notifications to anyone, you can also send ordinary
unencrypted email or only send secure messages to known recipients.
Nice, but your recipients have to be using its system.
Can you track what happens to your messages? CertifiedMail, like its
name implies, provides the best message tracking features of the three.
You can view when your message was opened and if it was tampered with
along the way, although I am not sure I trust their system to tell me
the complete truth about the latter. The others offer some tracking
features as well.
Numerous other products out there claim to help you with securing your
email. PrivacyX.com, for example, provides an anonymous certificate for
encrypting your messages if you can figure out how to use it with your
email program. Products like Interosa, Sigaba and Disappearing also can
be used to secure your messages.
In short, the whole lot is just trouble. For the time being, I am still
in the dinosaur age of unencrypted email. Maybe if I have a few spare
hours some day, I will try to get those certs working with Outlook so
at least I can sign my messages. But I won't bet on it happening
anytime soon. That doesn't mean that I won't still feel guilty about it.