Web Informant #228, 12 December 2000:
One man's simple secure email solution


My comments about secure email being too tough for mere mortals brought lots of responses. Perhaps the most common thread was that I forgot to mention PGP-based solutions. So, sorry, now I have mentioned them. But if you want to take a look at one rather elegant alternative, here is one from consultant Jim Heath all the way from Perth, Australia. Take it away, Jim.

Yes, encryption systems are too hard to use. Yes, most people have given up. But no, it is not hopeless. Not at all. Things are looking up!

Who dares make that cheery assertion? Me, a seasoned encryption user. I jumped right into the first PGP versions. I read the manual. I read supplementary books on cryptography. I even relished the PGP commands you had to type in - like "pgp -kxa xs4all pubring". I encrypted even harmless chit-chat to PGP chums. It was like a club.

That part was fun, not to say educational. The dismal part was trying to get my business clients to use PGP. With certain documents we both felt we should do something. The document was sensitive but needed to be emailed. But when I started briefing them about PGP, the client would experience a chill... Er, maybe the document isn't that sensitive after all? Maybe we can just send it by ordinary email? And frequently: "We've never had any trouble before."

So I'd move to my easy-does-it method: how about using Pkzip encryption? We could agree on a password by phone (a messy and safe one like ZerKK828#bogworth3) and use that in Pkzip's built-in encryption. I'd warn them that Pkzip encryption is much weaker than PGP's. But almost everyone has a copy of Pkzip and can use it. Nothing to install or learn. They usually said yes. It was better than doing nothing. And it worked.

Yes, I know: browsers also have built-in email encryption systems. What about using those? Well, no client ever suggested that. And I sure wouldn't suggest it! It's too hard to walk someone through the zigzagging setup process.

What else is there? There are third-party email security systems that use the web, like SecureDelivery and Sigaba. But Web Informant #227 summed up their annoyances, roadblocks, and risks. Agreed. That's how matters stand today.

Except my hopes are brightening: a few businesses now use their secure website forms for receiving messages, not just for collecting credit-card details. This is practical.

Let's say you want to send a confidential message to Terrashake Earthmoving. The company has a website with a secure-message form. You click to that form, and a reassuring notice says "You have requested a secure link" (or something similar). Your browser's little padlock icon snaps shut. So the connection is now encrypted. You type your private message into their form. (Or maybe attach a confidential file too, if that option has been set up.) Then press SEND. You don't have to know anything to do this. No new software to load. No ungainly passwords.

The security of the message you send ranges from adequate to awe-inspiring. I won't get into details (I do that here). But I want to say this: if Terrashake runs its own secure server and has correctly set up its internal email-forwarding system, and if your browser is up-to-date and isn't crawling with trojans, then your message will be encrypted with a strength that equals PGP's. All with no sweat for you.

Now comes the hard part. What if Terrashake wants to send a message back to you securely? Stuck. Unless you happen to have a secure web-page too. Then Terrashake can just type their message into your secure form and press SEND. All done.

In short: for two-way secure communication between two companies, each company only needs a secure-message form. Then that's it. The more companies that put secure-message forms on their websites, the more pairs of companies can use the system. (The number of two-way combinations increases as the square of the number of companies.)

I can assure you that people will use secure-message forms. They like them. My own business form sure gets used. Strom just used it to pay me for this essay.

Give it time. People may come to expect that there'll be a secure-message form somewhere on any business website. Remember the spread of the fax machine? At first, a me-first gadget enthusiast, with bulging pockets, managed the few companies that had faxes. There wasn't anyone to send a fax to, except maybe to his or her own branch office. The fax market grew ploddingly. No one noticed. But the year came when you had to have a fax machine, or you weren't seriously in business. It seemed so sudden. Customers called, wanting to send you a fax now. It could happen like that with secure-message forms.

Self-promotions dep't

Thanks, Jim. I think the secure message form is a good idea, and it certainly is simple to use.

Check out more commentary on my blog here.

David Strom
entire contents copyright 2000 by David Strom, Inc.
Web Informant is ® registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.