Web Informant #227, 1 December 2000:
Secure email is still the pits


My friend Fred Avolio has been making me feel guilty about not trying to use secure email. In his latest essay (Fred is an independent network security consultant and he also writes a regular series of essays), he encourages his readers to start using digital signatures and start encrypting their message traffic. He claims, and I completely agree with him, that if we continue to treat our electronic correspondence as worthless, then eventually our businesses will suffer.

So, how hard can it be? Let me tell you, after trying several different technologies, I have come to the conclusion: secure email is still the pits. So sorry Fred, much as I'd like to follow your shining example, I just can't get anything to work here at Strom HQ. For the time being, my email is still going out in the clear, unencrypted form that it has always been.

When I last wrote about this topic a few years ago, Marshall Rose and I were deep into doing the research for our book "Internet Messaging". You can read the original essay here, as well as links to a longer excerpt that appeared in Cisco's Internet Protocol Journal on the topic. And there are still copies of the book available too (including a wonderful preface written by Penn of Penn and Teller fame)!

Not much has changed in two and a half years since I wrote that essay. Standards are no help whatsoever: indeed, as more products support S/MIME, more implementation issues crop up. Products are difficult to use and setup (I'll get to that in a moment). And keeping track of your cryptographic infrastructure can drive anyone nuts. Truly, only the most motivated paranoid will be able to persevere to really use these products anyhow.

First I tried to use a regular digital certificate and Microsoft Outlook. I first had to retrieve my certificate (of course, I had created one years ago but never used it, so first I had to track it down) and import it into Outlook, that wasn't too obvious. Outlook 2000 has a zillion different security settings, and I am still not sure that I set things up properly. One clue: whenever I try to send a message with a cert attached, Windows tells me that there has been some protection violation by Outlook. So much for that path.

So I tried a few other products that claim to be dirt simple to use. Well, they got the first word right -- they are pretty dirty. I took a look at three of them: SecureDelivery.com has a web-based client, in addition to working with Yahoo Mail and Outlook. CertifiedMail.com has web, Outlook and Notes software. And Safe-Mail.com has just a web client.

The easiest to use is the SecureDelivery add-on to Yahoo Mail. You just click on a button while you are composing a message in your browser and send it. That's about the easiest thing I can imagine.

By web client, I mean that ultimately you have to read and or compose your secure messages inside your web browser. Yes, you do have a secured (SSL) session, which does encrypt the conversation between you and their web server over the wire. So there is some encryption involved. Now, realize that I am talking about using the browser here -- not any email client like Outlook or Netscape Messenger. Even with a browser, there are lots of problems with these products, and they really don't offer ironclad security.

If you use Yahoo's mail client, you have to trust that first off, some nefarious person isn't monitoring the path between Yahoo and SecureDelivery's servers. Second, the SecureDelivery system, like the ones from Safe-Mail and CertifiedMail, don't actually deliver email messages to your recipients. Instead, they deliver a notification message in the clear. Included in the message is a URL that will point you to a place on a secure web site that you can go and retrieve your encrypted message.

For both SecureDelivery and CertifiedMail, all of your recipients have to open an account to read your messages. (That involves a few steps and going back and forth from your browser to your email client before you get everything working.) Safe-Mail sends a notification message with a temporary ID and password included: while this is easier to retrieve messages, it is also less secure since someone could intercept the notification message and sign in as you.

Speaking of trust, you have to trust these companies that their data centers are up to snuff, that their procedures are solid (it doesn't do you any good if someone by mistake makes copies of your messages and leaves them on a public directory for example), and that they really know what they are doing. A good security consultant (like my friend Fred) would audit all of their procedures before signing off on any assessment of their security service.

For these three products, even though they try to make things simple the whole process is still harder than it should be. There are still far too many steps involved in exchanging messages. You still need to understand lots about public key infrastructure, certificate management, and enough about how your email client works. For example, with these products you get a very misleading dialog box that tells you the message has been sent, when it really is just hanging out in your outbox queue. Fred had trouble using these products too, and he knows tons more about secure email than yours truly.

Another limitation of these products concerns email attachments. Of course, you'd expect that these products should support attachments, but SecureDelivery can't include attachments if you use their web client. If you use Yahoo Mail or their Outlook plug-in, then it works just fine.

Safe-Mail has the most flexibility of the trio I tried: in addition to sending the notifications to anyone, you can also send ordinary unencrypted email to anyone, or only send secure messages to known recipients. That's nice, but your recipients have to be using its system.

Can you track what happens to your messages? CertifiedMail, like its name implies, has the best message tracking features of the three: you can view when your message was opened and if it was tampered with along the way, although I am not sure I trust their system to tell me the complete truth about the latter. The others offer some tracking features as well.

There are numerous other products out there that claim to help you with securing your email: PrivacyX.com, for example, will provide you an anonymous certificate that you can use to encrypt your messages, provided you can figure out how to use it with your email program. And products like Interosa and Disappearing also can be used to secure your messages.

But the whole lot is just trouble. For the time being, I am still in the dinosaur age of unencrypted email. Maybe if I have a few spare hours some day, I will try to get those certs working with Outlook so at least I can sign my messages. But I won't bet on it happening anytime soon. That doesn't mean that I won't still feel guilty about it.

To subscribe, send a blank email to

To be removed from this list, send a blank email to

David Strom
+1 (516) 944-3407
back issues
entire contents copyright 2000 by David Strom, Inc.
Web Informant is ® registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.