Will we learn from the NSA eavesdropping scandal?

Having used encryption for a long time and having used PGP consequently for more than five years it seems unlikely to me that people will go the extra mile to ensure the confidentiality of their electronic correspondence.

Leaving aside the millions of netizens who divulge information voluntarily via channels like Facebook, Twitter, Flickr, Google and many others, we’re still left with a deficit in education. Most netizens, if you ask them, have not even realized the basic truth that your email is just about as secure as a postcard. Yes, not even as secure as a letter in an envelope, commonly protected by law to ensure confidentiality ((unless, that is, you live in a totalitarian country)). So what does that mean? It means that the sender can be faked in an email and the content is readable by every so-called mail-transfer agent (MTA) on the way. Even if the connection between two MTAs is encrypted using SSL/TLS, this doesn’t solve the inherent problem. Every ISP on the way between two – and there are ways to forge the path an email takes – can read the content of the email.

This is where PGP comes in. PGP stands for Pretty Good Privacy and is available as both a convenient commercial package or an equally convenient open source solution with an add-on for Mozilla and other mail clients, yes even web mailers. PGP allows you to encrypt your correspondence if, and that’s a big if, the recipient has published his or her public PGP key. Without that, you cannot encrypt anything for that recipient. Conversely another person needs to know your public key to be able to encrypt emails to you.

However, even in such case you can still sign your emails to prove they’re from you. This is similar to signing a letter.

And yes, it doesn’t take PRISM to see the need for that. It just takes a bit of skepticism concerning governmental control of all kinds of aspects of your life.

// Oliver

This entry was posted in EN, IT Security, Thoughts and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *