Moving Away From Webmail: Why?

Monday, 2012-January-09 at 04:55

Back in the late 1990s, I encountered webmail services. I quickly signed up for accounts with every service I knew:

  • Yahoo! mail—sponsored by Yahoo!, which had a top-notch human-curated search engine directory
  • Mailexcite—later known as Excite mail—at that time sponsored by Excite and Webcrawler search engines
  • Hotmail—before it became a Microsoft property
  • and over time, various services that went by names like Warmmail, Coolmail, Coldmail, and CoolEmail—these services came and went and sometimes came back under completely different owners

What I liked about them was that I could go to the local college, the state college, or to friends’ homes and still check my e-mail without having to set up client software for each computer I used. This was before we knew a lot of the things we have learned about online security. Passwords were often restricted to 4-6 characters, often either all lower-case or all numeric.

If you forgot the password you used on site ‘X’, you would click ‘Send my password’ and check the relevant webmail account where the password would be sent.

Over time, things changed. Passwords started to require a mix of upper and lower case, along with one or more numeric digits. Then special characters were added. Passwords became longer. And ‘forgot my password’ started taking you through one or more secret questions before sending a password reset link to your e-mail. (No more mailing your password.)

It became more and more time consuming to log into a website, scroll through your new and existing messages to find the ones you choose to read, and write responses as necessary. This would be enough to make me switch back to the convenience of using client software to handle my e-mail messages (at the small cost of more complicated set-up than just typing a name and password into a couple of boxes on a webpage). But this is not even really the problem.

You see, in some areas, we have never advanced. We call it electronic mail, but it is really more like electronic postcards. This means that anyone, anywhere along the chain between you and the other party (or parties) could easily and quickly read your messages. That contract to buy a retirement property in Hawaii? Someone could have grabbed a copy, whipped out their word processor, and read everything in it. Same with that e-mail to your kid’s school about her grades. Didn’t you say they use Social Security numbers as student ID numbers?

You may say that you don’t do anything illegal and you don’t use e-mail to conduct financial transactions, therefore you have nothing to worry about. That is not so. You cannot know in 2012 whether information you “leak” today will become useful to someone who decides to use it against you in 2017 or 2022.

What is the answer? PGP (or GNU Privacy Guard, which is a freedom-preserving implementation of OpenPGP). PGP puts your e-mail messages into an envelope, making it more difficult for someone to snoop on your message. Since the message is electronic, the envelope is also electronic, a type of public-key encryption.

Now, there are some who believe that anyone who encrypts data is doing it because they are doing something wrong or illegal. Those people are wrong. I personally believe that it is patriotic to encrypt your data. First of all, I do not believe that the government would have permitted its use if they had not figured out how to penetrate the encryption, if they are willing to devote enough time and computing power to do so. This means that encryption is not going to protect spying or terrorism. Our government will still be able to see what evil deeds such people are planning.

However, for unimportant people like you and me, people who may occasionally speed on the freeway, but do not otherwise break the law, the government is not likely to invest the effort. Our lives are too boring. There is nothing to be gained. I cannot imagine Jon and Ponch showing up at your door to write you a ticket because you admitted in an e-mail message that you drove 70 in a 65 zone.

I should point out that I have no evidence that our security agencies can read your encrypted messages. It is purely my opinion that they would still be trying to suppress PGP if some security agency had not figured out how to penetrate it. (Disclaimer: I work for a federal agency, but I don’t speak for them and they don’t speak for me.)

On the other hand, using encryption gives you some privacy. While I firmly believe the government can read your encrypted messages, the average computer criminal cannot. And more importantly, the casual observer who inadvertently is exposed to your message is not able to read it. The beat cop who is trying to make his quota cannot read it. The junior high kid down the street cannot read it.

So you and I should be using PGP (or the open source implementation, GPG) for most of our messages. Remember that an envelope only protects its contents in transit. If you’ve got the unencrypted contents sitting on your hard drive, or if the person on the other end has them, all that anyone has to do is gain access to that computer.

It is sometimes convenient to think of encryption like a vault. The locks on 1920s-era vaults probably would not slow modern criminals very much. The locks on current bank vaults are probably sufficient to slow down the majority of criminals long enough for the police to arrive. If you think encryption will protect your secret treasure map forever, you’re mistaken.

Now, once you decide to encrypt your e-mail, you’ll immediately be faced with two big issues. First of all, none of the big webmail providers supports using PGP through their websites. So unless you can get FireGPG working, you cannot do the prudent thing. Secondly, installing and configuring PGP/GPG is somewhat complicated. It isn’t really–some of the most tech-averse people I know today set up similarly-complex software on their computers back in the 1990s–but it isn’t as easy as it could or should be.

Enter GPG4Win. GPG4Win comes with a lightweight mail client (Claws Mail), the GPG, Kleopatra, and GPA software to manage the process from creating keys to uploading the public key to a keyserver to signing keys of others whom you know in person, a file encryption plugin (GpgEX), and an optional encryption plugin for Outlook. Mac users can use GPGTools instead of GPG4Win. BSD, Hurd, and GNU+Linux users can use a somewhat less polished version or KDE’s Kleopatra.

Clearly, though, the process of using PGP and GPG needs to be simplified and streamlined. However, even in their current condition, you and I should be using PGP / GPG. And that means, given that the webmail providers have not figured out how to support it in their interfaces, that I need to pull back from using webmail for most of my messages.

I should also point out that you have to remember your passphrase, or you will not be able to use PGP / GPG. You should probably not create keys that are valid for more than a year or two. I am still learning about it, so I am by no means an expert. It just seems to me that if you forget your passphrase, you want a quick expiration, rather than waiting for years.
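The key-creation and expiration advice above, as an added example that is not part of the original post: a script that creates a key valid for one year, seals a message in the "envelope", and opens it again. It assumes GnuPG 2.2 or later; the identity, the message, the throwaway keyring directory and the empty passphrase are constructed for the demonstration.

```bash
#!/bin/sh
# Added example: everything happens in a throwaway keyring, not your ~/.gnupg.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

uid='Demo User <demo@example.invalid>'    # constructed identity

make_key() {
  # Arguments after the user ID: algorithm, usage, expiration (1y = one year).
  # The empty passphrase exists only so the demo runs unattended.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$uid" default default 1y
}

key_expiry_days() {
  # Field 7 of the "pub" record is the expiration time in epoch seconds.
  exp=$(gpg --batch --with-colons --list-keys "$uid" |
        awk -F: '$1 == "pub" { print $7; exit }')
  echo $(( ($exp - $(date +%s)) / 86400 ))
}

seal() {    # plaintext on stdin -> armored message; needs only the public key
  gpg --batch --quiet --armor --encrypt --recipient "$uid"
}

unseal() {  # armored message on stdin -> plaintext; needs the private key
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt 2>/dev/null
}

if command -v gpg >/dev/null 2>&1; then
  make_key
  echo "key expires in $(key_expiry_days) days"
  printf 'Offer on the Hawaii property\n' | seal > "$GNUPGHOME/letter.asc"
  head -n 1 "$GNUPGHOME/letter.asc"       # what anyone along the path sees
  unseal < "$GNUPGHOME/letter.asc"        # what the key holder sees
else
  echo 'gpg is not installed; nothing to demonstrate' >&2
fi
```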

Entry filed under: Computers, Encryption, Networks, Open Standards, Software.

5 Comments

  • 1. atomicules  |  Monday, 2012-January-09 at 10:46

    I still think email encryption, as it is currently, is too involved for the majority of people. I’ve had my GPG key in my email signature for years now. No one has ever used that to send me an encrypted email, in fact if someone now did, it would probably take me a bit to recall what I need to do to read it.

    • 2. lnxwalt  |  Tuesday, 2012-January-10 at 00:16

      atomicules, Yes, you are right that it is too involved. It isn’t so involved that people cannot use it. It is just easier to keep using what they are already using than it is to change things.

      The funny thing is, I see people using MSOffice’s built-in encryption tools, so they can attach documents and spreadsheets with personal information to their messages. That means that they could easily use the existing PGP/GPG tools to do a better job of protecting their messages. Several years ago, when Internet Explorer was the buggiest and least secure browser, the tech community launched an effort to get people to start using alternative browsers. It took years of concerted effort, but we began to see people start to change. More importantly, we started to see Microsoft get serious about fixing their browser, and even launch their own effort to get people to upgrade from IE6 to a more modern browser.

      In other words, people are never going to spontaneously start using PGP. You and I have to work hard to inform people and to lead by example. Hopefully, over time, we can raise people’s awareness and get them to change their actions the same way the browser effort changed people’s actions.

      Thank you for your comment.

  • 3. pip010  |  Monday, 2012-January-09 at 13:30

    Most web clients (e.g. Gmail) use SSL so no-one can spy on your messages.
    Encrypting the email body, however, will render all email not searchable!? Or at least slow and hard for full-text search,
    right!?

    • 4. lnxwalt  |  Tuesday, 2012-January-10 at 00:01

      pip010, Actually, most of them only use SSL during login. But even so, you want to encrypt everywhere between you and the person you are communicating with. Gmail’s SSL from their site to your browser is only part of the path from you to the other person.

      Thanks for commenting.

  • 5. atomicules  |  Thursday, 2012-January-12 at 23:45

    So this prompted me to go and look: It appears my keys have disappeared from the keyservers. My keys definitely haven’t expired and were published, but they are no longer out there now. I’ve no idea when they disappeared as I haven’t thought to check for a couple of years. So that might be a reason why I’ve not received any encrypted mail (although I doubt it – as still no one has asked/mentioned they couldn’t find my public key).

