topher

Mozilla recently announced that they were going to stop actively working on their Thunderbird email client. At the time, someone said on Twitter “Hasn’t the problem of email been solved? Do we really need email clients anymore?”

That bothered me a little, because there are lots of things email clients can still do better, and one that is near and dear to my heart is encryption. Does your email client handle encryption? The fact that you probably don’t even know is an indication that the tech community at large doesn’t care.

Here’s why you should care, especially if you work in technology.

People have long thought of email like a letter you mail: you put it in an envelope and send it. In reality it’s like a postcard. Everything you have to say is available to be read by everyone who handles it, as well as anyone who has an interest in tracking it down and seeing what you have to say.

There are two kinds of emails to be concerned about. One is normal emails to people like your mom or your friends, which it is rude, and possibly damaging, for others to read. Another is emails that actually contain information that should be secret, like the password to your web site.

I’m not going to talk too much about the first kind. If you actually believe that, because you have nothing to hide, anyone should be able to read your email, I’m not going to convince you of the danger therein.

The second is easy to make a case for. Would you post the password to your web site to Facebook? How about your social security number? Then you shouldn’t email it in the clear. It’s readable by anyone who cares while it’s in transit, and if you use an email service like gmail then it’s stored forever.

“But who could read that email?”, you ask. Lots of people. There have already been instances of Google employees abusing email, China has stolen lots of gmail, and the government rifles through it at will.

Email encryption is not very hard as long as your email client supports it. Outlook makes it difficult, and AppleMail makes it practically impossible. It used to be pretty easy to do with webmail, but Google went out of their way to make it very, very hard in gmail, so most people making encryption clients for it gave up. Google doesn’t want you to encrypt your email, because then they couldn’t read it. If they couldn’t read everyone’s email it probably wouldn’t be worth their while to run gmail.

If you care at ALL about internet security (your own web site, your client’s web sites, your own email account etc), please please don’t post your login credentials in the clear, over email, instant messenger, or social media.

My typical recommendation for people is to use Thunderbird. It’s free, full featured, makes encryption easy, and works on all common platforms.

7 thoughts on “Thoughts on Email and Encryption”

  1. The problem with encryption is that both ends have to know how to handle it. When Gmail, Yahoo, and Hotmail don’t support it via their web interface, you’re pretty much hosed. With that said, do you have a suggestion for a Thunderbird replacement on the desktop? Also I do maybe 25% of my email on my Android device, so I’d require an app that can also handle encrypted email. It is sad, but I see it as a lost battle at this point.

  2. I don’t have a suggestion actually. I’d suggest using Thunderbird as long as you can (which should actually be a really long time).

    I too was terribly disappointed to see that there’s NO option for mobile email encryption.

  3. I actually use GPGMail with Apple Mail. It gives me the full GPG/PGP encryption right in my email client. Of course they ran into some bumps with Mountain Lion, but they just released a beta that is supposed to work… I haven’t quite installed it yet, but I have faith they’ll figure it out again. More information at:

    https://gpgtools.org

  4. I also use the postcard analogy when explaining the insecure nature of email. Unfortunately, even if you use an encrypted connection to your mail server, people can still send you sensitive data in the clear. You can ask them to send via encrypted email clients or encrypted websites, but you can’t force them. The problem is more behavioral than technical.

  5. “I too was terribly disappointed to see that there’s NO option for mobile email encryption.”

    Not even S/MIME? You can get a free certificate from StartSSL. It is kind of crappy that you need to deal with a CA, but I can use that same certificate across mutt, Thunderbird, and iPhone Mail.

  6. Yep. The CA’s site instructs your browser to generate a key pair locally, and then the public key is sent over to the CA for signing. You can then export it from your browser and import it into whatever mail clients need it. (I just remembered that it works with Outlook, too; I generated another certificate for work back in August.)

    Authentication of the certificate signatures works the same way SSL does on websites, which is why the CA bit is important. The upshot is that anyone who trusts StartSSL (it seems everyone does, at least indirectly) will trust that my certificate belongs to matt@zigg.com, which is nice.

    Of course, nobody actually sends me anything encrypted! Shock, surprise. But at least they can verify my signature with little fuss. Happens automatically most places.
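The certificate flow that comments 5 and 6 describe (key pair generated locally, only the public key sent to the CA for signing, the resulting certificate usable across mail clients, and signatures validated through the CA the same way SSL is on websites), walked through with the openssl command line as an added example that is not part of the original post or its comments. It stands up a throw-away CA in place of StartSSL and uses the constructed address user@example.invalid; none of it is the commenters' own setup, and it assumes only that openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not the page's code: the S/MIME issuance and trust flow the
# comments describe, walked through with the openssl CLI.
# Assumptions: openssl is on PATH; "Constructed Test CA" is a throw-away CA
# created here as a stand-in for a public CA such as StartSSL; the address
# user@example.invalid is a constructed placeholder.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
USER_EMAIL="user@example.invalid"
MSG="$WORK/msg.txt"
printf 'Constructed sample message: a password belongs here, not in a cleartext mail.\n' > "$MSG"

# A self-signed root CA (constructed). $1 = file basename, $2 = CA name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 1: the user generates the key pair locally (the "browser generates a key
# pair" step). The private key never leaves this machine; the CSR carries only
# the public key plus a self-signature proving possession of the private key.
user_keypair_and_csr() {
  openssl genrsa -out "$WORK/user.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/user.key" -subj "/CN=$USER_EMAIL" \
    -out "$WORK/user.csr" 2>/dev/null
}

# Step 2: the CA signs the CSR, binding the public key to the email address and
# marking the certificate for S/MIME signing and encryption.
ca_sign_csr() {
  cat > "$WORK/smime.ext" <<EOF
subjectAltName=email:$USER_EMAIL
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=emailProtection
EOF
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/smime.ext" -out "$WORK/user.crt" 2>/dev/null
}

# Email address the issued certificate is bound to (read back from the cert).
cert_email() {
  openssl x509 -in "$WORK/user.crt" -noout -email 2>/dev/null
}

# Step 3: chain validation, exactly as a browser does for a TLS server cert.
# Exit 0 only if user.crt was issued by the CA whose cert is $1.
cert_chains_to() {
  openssl verify -CAfile "$1" "$WORK/user.crt" >/dev/null 2>&1
}

# Step 4: sign a message with the user's key; verify it as a recipient who
# trusts the CA in $1 would. On success the recovered body is printed.
sign_message() {
  openssl cms -sign -in "$MSG" -signer "$WORK/user.crt" -inkey "$WORK/user.key" \
    -out "$WORK/msg.signed" 2>/dev/null
}
verify_signed_with() {
  openssl cms -verify -in "$WORK/msg.signed" -CAfile "$1" 2>/dev/null
}

# Step 5: the part the commenter says nobody uses: a sender needs only the
# public certificate to encrypt; only the holder of user.key can decrypt.
encrypt_for_user() {
  openssl cms -encrypt -aes256 -in "$MSG" -out "$WORK/msg.enc" "$WORK/user.crt" 2>/dev/null
}
decrypt_as_user() {
  openssl cms -decrypt -in "$WORK/msg.enc" -inkey "$WORK/user.key" \
    -recip "$WORK/user.crt" 2>/dev/null
}

# Walk the whole flow once.
make_ca ca "Constructed Test CA"
make_ca other "Unrelated CA that nobody trusts"
user_keypair_and_csr
ca_sign_csr
echo "certificate issued for: $(cert_email)"
cert_chains_to "$WORK/ca.crt"    && echo "chain OK against the issuing CA"
cert_chains_to "$WORK/other.crt" || echo "chain rejected against an unrelated CA"
sign_message
verify_signed_with "$WORK/ca.crt" >/dev/null    && echo "signature verifies for anyone trusting the CA"
verify_signed_with "$WORK/other.crt" >/dev/null || echo "signature rejected when the CA is not trusted"
encrypt_for_user
decrypt_as_user | grep -q 'Constructed sample message' && echo "encrypted mail decrypts with user.key"
```

The two negative checks are the point of the "CA bit": the same signed message is accepted by a recipient whose trust store contains the issuing CA and rejected by one whose store does not, and the certificate alone, which is public, is all a sender needs to encrypt to the address.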
