Reading the news recently, I am getting slightly paranoid about communicating over the Internet. I still think I am nobody, and no one in their right mind would be interested in what I am writing to my friends. Still, the realisation that several governments in the world are monitoring and eavesdropping on my e-mails doesn’t exactly make me comfortable. This motivated me to look into the technology for securing private Internet communications, which in my case means e-mails and instant messages. E-mail encryption sounded like the stuff of spy stories though, and I expected some difficulties.
The software for e-mail encryption is actually easily obtainable, as long as you know what to look for. PGP (Pretty Good Privacy) is already quite old in Internet time. I even found a reference to it in Saman, a famous Indonesian novel written by Ayu Utami. There is also an alternative: S/MIME. I have already experimented with creating a PGP key for use with my e-mail client in Fedora 8. Unfortunately, I haven’t found anybody interested in (or, I think, who understands) the concept of private e-mail yet. I am also looking into using S/MIME encryption. It is said to be much easier to use, and support for it is already integrated into every e-mail client I have used.
Admittedly, I haven’t known e-mail encryption long enough to be able to reach any conclusion. But this is my quick impression: setting it up properly is a hassle. To use PGP (or GPG, the free implementation of it) you have to install additional software besides your operating system and e-mail client. GNU/Linux systems usually already have it built in, but it is still hard for ordinary users to set up.
It is said that S/MIME is somewhat better. But, after messing around with it, I don’t agree. Support for it is built into popular e-mail clients, but you need a certificate to use it, and generally you need to obtain it from a certificate authority such as Verisign or Thawte. The latter offers a free certificate, but I found the process for acquiring it rather lengthy, and it can make impatient people quit before completing it.
I think I prefer PGP/GPG. But to get more use, I think it needs more exposure in popular e-mail clients. I know that Linux clients already support PGP/GPG, but they should have tighter integration. For example, when creating new accounts they should detect whether the user already has a key associated with the e-mail address. When they cannot find one they should offer to create a new one (if no key has been created yet), or add the e-mail address to the existing one. Users would be better exposed to the encryption features in e-mail, and maybe they would be encouraged to use them.
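The account-setup check proposed above can be sketched against the machine-readable output of `gpg --list-secret-keys --with-colons`. This is an added example, not code from this post or from any e-mail client; the function names, the sample key and the addresses are constructed for illustration.

```python
import re

FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, not a real key
# Constructed sample of `gpg --list-secret-keys --with-colons` output.
SAMPLE = (
    "sec:u:4096:1:89ABCDEF01234567:1199145600:::u:::scESC:\n"
    "fpr:::::::::" + FPR + ":\n"
    "uid:u::::1199145600::0000::Alice Example <alice@example.org>:\n"
    "ssb:u:4096:1:1111111111111111:1199145600::::::e:\n"
    "fpr:::::::::" + "F" * 40 + ":\n"
)

def secret_keys(colon_output):
    """Parse colon-format output into one dict per primary secret key."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            # Field 2 is validity: r = revoked, e = expired.
            keys.append({"fpr": None, "emails": set(),
                         "usable": f[1] not in ("r", "e")})
        elif not keys:
            continue  # ignore anything before the first key record
        elif f[0] == "fpr" and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after sec is the primary key's
        elif f[0] == "uid" and f[1] not in ("r", "e"):
            m = re.search(r"<([^<>]+)>\s*$", f[9])  # field 10 is the user ID
            if m:
                keys[-1]["emails"].add(m.group(1).lower())
    return keys

def plan_for_account(email, colon_output):
    """Decide what the client should offer when an account is created."""
    keys = [k for k in secret_keys(colon_output) if k["usable"]]
    email = email.strip().lower()
    for k in keys:
        if email in k["emails"]:
            return ("use-existing", k["fpr"])  # key already covers the address
    if keys:
        return ("offer-add-uid", keys[0]["fpr"])  # add address to existing key
    return ("offer-new-key", None)  # no usable secret key at all

if __name__ == "__main__":
    print(plan_for_account("bob@example.org", SAMPLE))
```
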
A similar process can be created for instant messaging clients such as Pidgin. And because much of my Internet communication nowadays is conducted by instant messaging, I would be very interested in using encryption for it, more than for e-mails.