
Why email encryption is failing, and how to fix it

Email encryption is a necessity, yet the masses still aren't adopting the technology. Jack Wallen offers a solution to this urgent security problem.


The wide adoption of email encryption isn't taking hold. Users continue to ignore the cries of the pundits to encrypt, encrypt, encrypt! The only time this level of security is applied is when a company requires it be used, and then it's done begrudgingly.

Why? So many extra steps.

And therein is the heart of the problem. The average user isn't about to adopt a technology that often stumps even the people that provide security training.

Let me take a step backward.

The real issue

I've been using encryption for a long time, and I know it's not perfect. I know encryption can be hacked with the right tools; I also know the act of hacking encryption takes time, and nothing that I send out is really worth anyone's time to crack. These days, most of what I use PGP for is digitally signing emails and the like.


So, why have I stepped back?

Many people have no idea what encryption is or how to use it. If I reach out to someone and say, "I want to send you an encrypted email," they say, "Okay." That's when my sighs begin.

First off, I immediately remember that I don't have their public key, and a quick search on any given key server will confirm my suspicions...they don't have a public key. Why? They don't know how to create one. They never did and never will. Second, the moment I begin instructing them on how to create a private and a public key, they stop me to say, "That's too hard! Can't you just send me the email without the extra hassle?"

No, I can't. Or, I should say, I don't want to. But the truth of the matter is simple: Encryption isn't for the masses—it never was. If encryption was for the masses, it would have been made simple long, long ago. But alas, it was not. Instead, encryption is too challenging for the average user and that, my friends, is why encryption is failing us. It's not so much the underlying technology—it's that the user-facing software is beyond the grasp of the average user.


Can the issue be fixed?

There is only one way to ensure that encryption finally enjoys mass adoption: make it very easy to use. I'm talking this easy:

  1. The user sets up his email account on an email client.
  2. During the setup, the email client automatically creates a public and private key pair, requiring the user to create a strong passphrase.
  3. The email client automatically uploads the public key to a key server (with the user's knowledge and permission).
  4. When the user wants to send an email to another user, the email client automatically searches the key server for the recipient's public key.
  5. If there is no matching public key, the email client informs the user the email will be sent unencrypted and, thereby, without the added bonus of security.

Is that easy enough for the average user? Would the masses finally work with encryption if the "outer layer" were made impossibly simple? I'd like to think so. And this method could remove the old issue of "This is my new key" sent by a malicious user, hoping you'll buy the story and import/use the nefarious key. All communication between the key server and email client would be handled in the background...with no required interaction on the part of the user.
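The send-time check in steps 4 and 5, as an added example that is not from the original article or any real email client. The in-memory `KEY_SERVER`, the `plan_send` function and the key bytes are constructed for illustration. As an assumption of this example, the client also pins each key's fingerprint on first use, so that a key silently replaced on the server (the "This is my new key" problem) is held for review instead of trusted in the background.

```python
import hashlib

# Constructed stand-in for a key server: address -> public key bytes (not real PGP keys).
KEY_SERVER = {
    "alice@example.org": b"constructed-public-key-alice-v1",
    "bob@example.org": b"constructed-public-key-bob-v1",
}


def fingerprint(public_key: bytes) -> str:
    """Short identifier for a key; truncated SHA-256 is used here for illustration."""
    return hashlib.sha256(public_key).hexdigest()[:16]


def plan_send(recipients, key_server, pinned):
    """Decide how one message may leave the client (steps 4 and 5 of the list).

    pinned maps address -> fingerprint recorded at first lookup. Returns the
    mode ("encrypt", "plaintext" or "hold") and the warnings to show the user.
    """
    warnings, changed, missing = [], [], []
    for addr in recipients:
        key = key_server.get(addr.lower())
        if key is None:
            missing.append(addr)
            continue
        fp = fingerprint(key)
        # First lookup pins the fingerprint; a later mismatch is never accepted silently.
        if pinned.setdefault(addr.lower(), fp) != fp:
            changed.append(addr)
    if changed:
        warnings.append("key changed since first use: " + ", ".join(changed))
        return {"mode": "hold", "warnings": warnings}
    if missing:
        # One recipient without a key means the whole message would leave unencrypted.
        warnings.append("no public key, message will be sent unencrypted: " + ", ".join(missing))
        return {"mode": "plaintext", "warnings": warnings}
    return {"mode": "encrypt", "warnings": warnings}
```

The `hold` result is the only point where the user has to act; everything else stays in the background, as the list describes.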

That's how you fix the lack of adoption—make it part of the process. Until this happens, encryption will continue to not be adopted by the masses.


The problem with PGP

There are numerous reports about longtime encryption users jumping ship (read Filippo Valsorda's op-ed titled "I'm throwing in the towel on PGP, and I work in security"). When people that have used encryption for years give up, what does that say to users who are only just now seeing its value?

If you need to get a peek behind the velvet curtain and see how problematic PGP really is, take a gander at this piece, written by SecureShare. Their conclusion? Pretty Good Privacy is better than no encryption at all.

The truth is that PGP is very good protection against eavesdroppers—the main problem lies with the handling of encryption keys. Once someone has your private key, all bets are off. And since most users don't fully understand how crucial it is to protect those private keys, PGP becomes vulnerable. This issue could be fixed with the solution I outlined above.


Encryption is a must for personal and work email

The need for security is at an all-time high, and end users continue to shrug off that need even though it is in their best interests to adopt the technology.

The issue extends into the enterprise realm, where some users might use more than one email address. This added complication is exacerbated by having to also juggle associated encryption keys—that challenge can lead to users bypassing encryption altogether and causing a security nightmare.

Email encryption is necessary; unfortunately, the encryption solutions aren't user-friendly and foolproof enough for the masses. The email encryption problem must be fixed.


About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
