A few months back Sven-S. Porst shot me an email:
I am planning to make a post on my site touching the topic of e-mail encryption once more. While the software for encryption is in place for everybody using Mail (or Mozilla based mail applications), the main problem that keeps us from having encrypted e-mails is that very few people have the certificates that are required to do the encryption.
Being that Sven and I correspond with some regularity (he has quite a knack for calling bullshit when he knows I’m wrong about something), and that he has a reputation for the depth of his software reviews, I knew it’d be worth a look. After checking the link he provided to a very useful (though slightly out-of-date) how-to for getting a free mail certificate, I promised I’d have a play and wait for his post on the matter to add my two cents.
Digital signatures and encryption aren’t exactly contentious issues — everyone agrees they’re a good idea. Email is typically sent in the clear: easy to intercept, easy to interfere with, and impersonating someone else is (to a point) as easy as changing the right field in your email client’s Account Setup window.
You can even do it in Gmail these days. How many chain emails have you received from “firstname.lastname@example.org” anyway? The problem with deployment isn’t just the difficulty of obtaining a certificate though (or rather, the inconvenience), it’s the overhead you then suffer trying to use them. That is, assuming you aren’t an asshole, the overhead you suffer trying not to annoy everyone else in the world who happens to be running a shitty mail client. And that’s a lot of people.
Digital signatures are attachments, after all. And if your mail client doesn’t interpret those attachments the way it’s supposed to (that is: by making you aware that this email is signed, and hiding the implementation details) it’ll just show them as attachments. Small, oddly-named attachments. And people get kinda nervous about receiving small, oddly-named attachments in the mail. It screams virus, even if nothing could be further from it.
Thus it becomes your job as a non-asshole to turn off digital signing when dealing with shitty mail clients, to turn it back on when you’re dealing with a known-adequate recipient, and to turn it off or on during a bulk mailout… to taste, naturally.
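To make the “signatures are attachments” point concrete, here is an added example (mine, not the post’s or any mail client’s code) using Python’s standard `email` package. It builds an S/MIME-style `multipart/signed` message whose second part is an `application/pkcs7-signature` named `smime.p7s`, then shows what two kinds of client would display: one that treats every named part as an attachment, and one that recognises the `multipart/signed` wrapper and hides the signature part. The signature bytes are a constructed placeholder, not a real CMS blob, so no cryptographic verification happens here; the function names are my own.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed placeholder: a real client would carry DER-encoded CMS SignedData here.
PLACEHOLDER_SIGNATURE = b"NOT-A-REAL-PKCS7-SIGNATURE"

# Both subtypes are seen in the wild for S/MIME detached signatures.
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def build_signed_message(body_text="Hello, this message is signed.\n"):
    """Return the raw text of a multipart/signed message (S/MIME layout)."""
    body = MIMEText(body_text)
    sig = MIMEApplication(PLACEHOLDER_SIGNATURE, "pkcs7-signature", name="smime.p7s")
    sig.add_header("Content-Disposition", "attachment", filename="smime.p7s")
    msg = MIMEMultipart(
        "signed", protocol="application/pkcs7-signature", micalg="sha-256"
    )
    msg["From"] = "sender@example.org"  # constructed address
    msg["To"] = "recipient@example.org"  # constructed address
    msg["Subject"] = "Signed test"
    msg.attach(body)  # part 1: the content that was signed
    msg.attach(sig)   # part 2: the detached signature
    return msg.as_string()


def build_plain_message(body_text="Hello, nothing special here.\n"):
    """Return the raw text of an ordinary unsigned text/plain message."""
    msg = MIMEText(body_text)
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Plain test"
    return msg.as_string()


def naive_attachments(raw):
    """What a client that does not understand multipart/signed shows:
    every non-multipart part carrying a filename is listed as an attachment."""
    msg = message_from_string(raw)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def smime_aware_view(raw):
    """What an S/MIME-aware client shows: (is_signed, visible_attachments).

    If the outer type is multipart/signed with a pkcs7 protocol and exactly
    two parts, the second part is the signature and is hidden from the user.
    Verifying that signature against the first part is out of scope here.
    """
    msg = message_from_string(raw)
    protocol = msg.get_param("protocol")
    if msg.get_content_type() == "multipart/signed" and protocol in SIGNATURE_TYPES:
        parts = msg.get_payload()
        if len(parts) == 2 and parts[1].get_content_type() in SIGNATURE_TYPES:
            # Only the signed content is presented; smime.p7s never appears.
            return True, naive_attachments(parts[0].as_string())
    return False, naive_attachments(raw)


if __name__ == "__main__":
    signed = build_signed_message()
    print("naive client sees attachments:", naive_attachments(signed))
    print("S/MIME-aware client sees:", smime_aware_view(signed))
```

Run against the constructed signed message, the naive view lists `smime.p7s` as an attachment while the aware view reports the message as signed with no visible attachments; the plain message looks the same to both. That structural difference, not anything in the signature itself, is why webmail recipients see a small, oddly-named file.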
It might be worth noting here that when I say “shitty mail client” I don’t (for once) mean Outlook Express; it handles them with aplomb, at least according to Microsoft’s web site. What I do mean is webmail: Hotmail, Gmail, Yahoo, SquirrelMail… you name it. And since a quick review of my Sent folder tells me that upward of 80% of my regular correspondence is with webmail users, I’m up shit creek on this one. I don’t want them to think I’m sending them viruses. I don’t want them to have to ask what the attachment is for. I just want it to work. And it’s a damn shame it doesn’t.
One would hope, given that Gmail’s signup process is somewhat less than anonymous to dissuade scammers and spammers, that Google will have the nous to integrate certificate handling and start doling out the certificates themselves. Apple’s .Mac service is already doing this for Secure iChat, and users have already discovered that the certificate can be extended to their .Mac email addresses too. If Gmail alone handled certificates, I’d be able to sign upward of 90% of my outgoing mail (enough to tell the remainder to get a fucking clue) and encrypt almost as much… it would be the tipping point we’ve all been waiting for in secure email, and it’s long overdue.
Not having tested Gmail’s “change the From header” feature myself (as great as Gmail is, I still prefer ‘rich client’ applications and do my Gmailing by POP), I have to thank Tomas Jogin for pointing out that Google is crazy smart and actually requires you to verify your identity/ownership before being allowed to use a different outgoing email address.
Now, about those certificates…