Web Informant #104, 11 March 1998:
Trying to secure your email? Forget it!


The state of secure Internet email standards and products is best described as a sucking chest wound. There are no technologies that are multi-vendor; interoperable; and, approved or endorsed by the Internet's standardization body.

That's the sad state of reality today. I've been working with several of the most current products lately, and after testing them I felt like I had to go home and take a long hot shower and cleanse myself of an imagined putrid odor. Why are things so grim? Several reasons.

First off, the so-called "standards" are in a state of flux. There are two different sets, of course: one called Secure MIME (S/MIME) and another around a product called Pretty Good Privacy (PGP). They really aren't standards in the sense of the typical Internet context: neither group has been completely endorsed by the requisite international standards bodies yet. You know you're not in Kansas anymore when you go to the S/MIME Central web site and find that it carries banner advertisements.

Second, the products suck, to put it mildly. I had trouble up and down the secure product food chain, starting at trying to obtain a certificate to my email software and ending up trying to exchange encrypted messages between different products. Certificates are used by all products to authenticate your identity to your correspondents and to encrypt and decrypt your messages.

To make encryption work, you need to be able to trust each other's certificates and determine whether or not they are valid. Of course, there are different mechanisms for establishing this trust relationship. One way is to use an independent certificate authority such as Verisign and Thawte.

The latest browsers from Netscape and Microsoft come with special routines that will take you to these and other web sites and allow you to either get a certificate for free or for a small fee. You can obtain certificates from them and they will verify that you are who you say you are.

But getting your certificates in order is just the beginning. There is actually a rather involved multiple-step process to make encrypted email work:

  1. Choose which of the two competing technologies (and specific email software) you wish to use for your encrypted correspondence.
  2. Choose whether you want to just digitally sign your messages, or encrypt their entire contents, or both.
  3. Choose either an enterprise certificate authority and set up the appropriate server software, or to obtain a certificate from a public authority.
  4. Enroll with this certificate authority and obtain an encryption certificate or key for a particular machine and a single email address.
  5. Exchange keys with your correspondents, and manage where these keys are stored on your machine.
  6. Encrypt and decrypt messages.

I had all sorts of trouble getting two different products to recognize each other's encryption methods, directory entries, and other things that supposedly are "standard." And I was not alone: Dan Backman of Network Computing magazine had similar trouble when he tested these products.

This brings up my next issue: the initial software setup is excruciating. In one case, I was never able to get the certificate to work properly from within my browser, although the software said it worked successfully and my credit card was charged the requisite $9.95! And to add insult to injury, Verisign will continue to charge me $9.95 each year, unless I can get this certificate cancelled or working, which ever comes first.

Third, cryptographic algorithms have gradually evolved over time, as computers have gotten better at cracking them. The US government has muddied the waters by placing restrictions on what kinds of algorithms could be exported outside of the US and as a result products have had to offer different versions: one for domestic use and one for non-US use. All government agencies aren't necessarily singing the same tune when it comes to cryptography, with differing points of view on how to properly encrypt messages. This has created all kinds of confusion, and trying to keep track of which version you can use legally is a chore for user and vendor alike.

Fourth, encrypted messages which pass through email gateways may get mangled because the gateway doesn't understand the encoding and tries to convert the message into something else, inadvertently corrupting the message and making it undecipherable by the recipient. This is complicated even further by the situation that today's messages are no longer simply text and contain graphics, HTML markup tags, and video that can complicate how they get encoded and decoded.

Self-promotions dep't

You might think I am just getting started here about these issues, and indeed that is the case: this essay is drawn on a book on Internet messaging that Marshall Rose and I have been writing since the beginning of the year. We hope to see it in print by this summer care of Prentice Hall, and I'll keep you posted as to its progress. Here is a link to buy the book. And here is a link to a longer excerpt on secure email from Cisco's Internet Protocol Journal.

It will be my first published book, and I am very excited about it. Marshall is an old hand at writing books, although he hasn't done one in a few years, so he is excited about that as well.

It will be an unusual book in that we provide practical solutions to real email problems: we'll have chapters on how to deal with attachments that don't detach, addresses that are invalid, error reports that don't make sense, and getting your email when on the road. I'll tell you more about it as we get closer to the publication date.

David Strom
+1 (516) 944-3407
back issues
entire contents copyright 1998 by David Strom, Inc.
Web Informant is ® registered trademark with the U.S. Patent and Trademark Office