52 Comments
- stimpack, on 11/17/2007, -0/+31
PGP/GnuPG still seems easier, not having to sign up with a certificate provider.
Biggest problem is finding someone else who also encrypts. I end up mailing myself alot :(.
- dazparkour, on 11/17/2007, -1/+11
Post his email address.
Please.
- chivesandbonbon, on 11/17/2007, -0/+8
For Windows install gpg4win or for Linux install gnupg.
After that
FireGPG + Gmail
Enigmail + Thunderbird
Gpg4win + Outlook/Outlook Express + suitable freely available plugin
And all you need to do is generate your key and passphrase and upload the public key to a public key server, then anyone can grab it down.
I very much love the FireGPG plugin as you can select any text in a webpage and right-click to encrypt.
- Mysk, on 11/17/2007, -2/+10
Certificates are fine and I have one myself (from Comodo), but the reality of the situation is that most people are not going to go through these steps. To most people, this will unfortunately seem "technical".
Personally I recommend email encryption software called Ciphire Mail. It's free, and it's so easy to install and use that I suspect that even AOL users would (eventually) be able to figure it out. Secondly, Ciphire encrypts the Subject of the message as well as the To field, so it's more secure than simply encrypting the body of the message. You can get it at http://www.ciphire.com/ .
In the end, however, people are so attached to their web-based email that it will be difficult to get them to use ANY encryption software regardless of how easy it is to use. I completely agree that encrypting email is important (because personal privacy is important), but we're not going to see widespread adoption of encryption until Hotmail, Yahoo, and GMail all agree to adopt an encryption standard that is usable from inside of the browser (and turn it on by default).
They can use GnuPG, there's no reason to re-invent the wheel, they just all need to agree to use a standard.
Good luck with THAT.
Oh, there are Firefox plugins that are supposed to work with GMail to enable GnuPG encryption, but I've not had such good luck with those plugins actually working.
-Mysk
- Farrel, on 11/17/2007, -1/+7
I am neither a developer nor an IT professional, just an end-user who happens not to be brain-dead to computing. I tried the Gmail Firefox plugin for encryption and then went through the Thawte route. I found it very difficult. Then when I realized that it would need active participation by recipients I realized that the option was dead in the water.
- dazparkour, on 11/17/2007, -0/+6
Or GnuPG. http://www.gnupg.org
- rodgy, on 11/17/2007, -1/+6
Same here, no spam in Gmail.
- dazparkour, on 11/17/2007, -0/+5
I didn't know Thawte did free certs for emails, I remember they charged for SSL certs and I assumed they would charge for everything.
I just grabbed me some. Took me five minutes.
- natenovs, on 11/17/2007, -2/+6
just a thought. if you encrypt the "To" field, then how does your message make it to the recipient?
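The question above turns on the difference between the `To:` header and the SMTP envelope: a receiving server routes on the `RCPT TO` commands, not on anything inside the message. The sketch below is an added example, not code from the thread and not a description of how Ciphire works; the addresses, the placeholder body and the toy server are constructed for illustration.

```python
from email import message_from_string
from email.message import Message


def build_message():
    """Message whose headers name no real recipient (constructed sample)."""
    msg = Message()
    msg["From"] = "alice@example.org"
    msg["To"] = "undisclosed-recipients:;"   # header carries no address
    msg["Subject"] = "(encrypted)"
    msg.set_payload("-----BEGIN PGP MESSAGE-----\n(placeholder)\n"
                    "-----END PGP MESSAGE-----\n")
    return msg


def client_commands(msg, mail_from, rcpt_to):
    """Commands an SMTP client sends; the envelope is given separately."""
    cmds = [f"MAIL FROM:<{mail_from}>"]
    cmds += [f"RCPT TO:<{r}>" for r in rcpt_to]
    cmds += ["DATA", msg.as_string(), "."]
    return cmds


def server_deliver(cmds):
    """Toy receiving side: picks mailboxes from RCPT TO only.

    Simplified: the message arrives as one item after DATA; a real server
    reads lines until a lone "." and handles dot-stuffing.
    """
    rcpts, data = [], None
    it = iter(cmds)
    for line in it:
        verb = line.upper()
        if verb.startswith("RCPT TO:"):
            rcpts.append(line[len("RCPT TO:"):].strip().strip("<>"))
        elif verb == "DATA":
            data = next(it)
    return {r: data for r in rcpts}


def header_to(text):
    """What a mail reader would display as the To: field."""
    return message_from_string(text)["To"]


if __name__ == "__main__":
    boxes = server_deliver(client_commands(
        build_message(), "alice@example.org",
        ["bob@example.net", "carol@example.com"]))
    for rcpt, text in boxes.items():
        print(rcpt, "sees To:", header_to(text))
```

The envelope addresses still travel in the clear between servers, so hiding or encrypting the header changes what the recipient's mail client displays, not what the relaying servers learn about who the message is for.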
- cgruber, on 11/17/2007, -1/+5
Email needs to be scrubbed. There's so many things wrong about it there isn't a point in continuing to try and amend things. Time to take a mulligan.
- EdwardsNH, on 11/17/2007, -3/+7
Sorry, but this is just killing me. I see "alot" a dozen times a day on digg. "Alot" isn't a word, it's "a lot".
- Whackly, on 11/17/2007, -2/+5
Wow. Is it likely he'll die in a fire? Please say yes.
- dazparkour, on 11/17/2007, -1/+4
I use GnuPG already, I will continue to use it with this. I'll use one to sign the other. The advantage of signing up with a certificate provider is that you can be verified.
Anyone can fire up GnuPG and create a certificate for your email address. To get your name to appear with a Thawte certificate, you need to get 50 Trust points from people who have already been certified. You also need to meet someone in person with ID that proves you are who you say you are.
- zachshmack, on 11/17/2007, -2/+5
Buried for no mention of PGP! http://www.pgp.com/downloads/index.html
- natenovs, on 11/17/2007, -2/+5
no. it has nothing to do with your government. for an email to travel from your computer to someone else's, it must jump through thousands of other servers. you have no reason to trust any of these servers. read up on how smtp works.
- skews13, on 11/17/2007, -0/+3
find the prying eyes, and poke them out
- rsh28630, on 11/17/2007, -0/+2
Certain professional requirements exceed those of personal users. Automated, multiple off-site backup/archiving and/or data replication to the individual software owner's designated locations is one example. Given the ever diminishing investment for hard disc storage -- as well as end user need to be assured 24/7/365 access -- the design of the system is for everyone to control their own data.
- Somnabot, on 11/17/2007, -0/+2
Yeah, I used to like hush.
- Somnabot, on 11/17/2007, -0/+2
I prefer the "painful punch to the throat" approach.
- Somnabot, on 11/17/2007, -1/+3
I get one every once in a while...
- dazparkour, on 11/19/2007, -0/+1
It's free. Did you read it?
- dazparkour, on 11/19/2007, -0/+1
In Outlook Thawte's certificate appears as:
From: Me
Signed by: Me
and an Icon.
With the Gmail web interface however, it appears as an attachment just the same as PGP.
- Mysk, on 11/19/2007, -0/+1
I don't know. If I were to guess then I would look at the behavior of the BCC field. If you place all of the recipients in the BCC and none in the To field, then the To will often read "Recipient list suppressed". There doesn't need to be anything in the "To".
Perhaps Ciphire places the intended recipient(s) into the BCC field to prevent it from displaying the address and replaces the To field with its "Ciphire User " message.
Ultimately though this is a guess. I'm not a programmer and I can only infer possibilities based on the behavior that I've seen from email applications. Ciphire has a forum that you can post the question to though if you want a better answer than what I can give. :)
- dazparkour, on 11/17/2007, -0/+1
You can only encrypt to people that have certificates, so if everyone doesn't make it standard practice to go and get one, should you ever want to, it's going to be a pain in the ass using the method described in the article, because you're going to have to sign them up as well.
- dazparkour, on 11/17/2007, -0/+1
Why are people burying me, if you do not do it, it will not work.
- inactive, on 11/29/2007, -0/+1
I would like to refer to Philip Zimmermann: "Perhaps you think your email is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards? Why not submit to drug testing on demand? Why require a warrant for police searches of your house? Are you trying to hide something? If you hide your mail inside envelopes, does that mean you must be a subversive or a drug dealer, or maybe a paranoid nut?".
Email Encryption is important, and should be free: http://tinyurl.com/2kknoc
- rsh28630, on 11/17/2007, -1/+2
This is not an advertisement. I am reporting the facts of a development effort.
For the reasons mentioned (and others), my associates and I created a commercial alternative to e-mail that we refer to as "Beams".
E-mail is insecure, susceptible to spam, subject to nuisance subpoena and an avenue for unauthorized data mining. Beams, by contrast, are always automatically encrypted, travel peer to peer, require correspondent authorization, and are strongly secured even when on the sender and receiver's computer as well as being instantly indexed for the user's convenience:
As stated, initial unique key generation and subsequent encryption are automatic:
- at the database level using AES Rijndael 256;
- also by employing 1024 public key / private key encoding;
- each is digitally signed via RC4 128
- and transports Peer-to-Peer via an ‘as needed only’ VPN secured by SSL/TLS IPSEC ESP protocols.
Beams are also an easy to use alternative to FTP inasmuch as there is NO size limit to attachments.
At no time do we have access to a client's data. In fact, our sole ongoing function is to issue new users an IP address. In essence, we just make sure each origin point has an unduplicated address. Since we do not ask for (nor even have a mechanism to retain) identifying data, there is no way we can ever be compelled to reveal which address is assigned to an individual.
Beams are a commercial venture. The cost of coding, testing, marketing, etc. exceeds six figures so we can't give the software away and support it simultaneously. While not free, Beams are economical at $12.95 per month for unlimited use. There is a different version for medical, legal, financial, employment, etc. where storage needs are more exacting which we're offering at $49.95 per month for unlimited Beams.
The client software is going through marketing evaluation right now to determine the best purchase price. Again, it's not going to be free (except in very special humanitarian circumstances) but for normal personal use, the suggested retail is $49.95.
This may be somewhat like a parent's perception but after many years of effort and expense, I believe the Beams product is worth the price both for our team and the ultimate user since once information is stolen, the cost can be devastating. My goal was to make it next to impossible for data theft.
I repeat, this is not an advertisement. What I've outlined here is no more than a report on developing an alternative to e-mail. Please notice I'm not including a URL. E-mail is a wonderful evolution up the road from the Pony Express. We hope to make Beams light years beyond e-mail.
- dazparkour, on 11/17/2007, -1/+2
In Vista with Firefox, you have to change the Firefox shortcut to be XP SP2 compatible or the certificates will not be imported properly.
- JonForTheWin, on 11/17/2007, -1/+2
***** what this article recommends. It's all about GNU Privacy Guard. FireGPG, Enigmail, gpg4win if you're still using a legacy operating system, and you're set.
- dbr_onix, on 11/18/2007, -0/+1
GPG either creates a MIME attachment, or appends text to the end of the emails. I'm hesitant to sign (or even more so, encrypt) messages to a lot of people since there's a good chance I'll have to explain what that weird attachment/strange text is.
But, the encryption using Thawte's certifications seems to be much less obtrusive. Although I've yet to try it, but it seems in Apple Mail (for example) when you receive a signed email, it displays it as a little star with a label "Signed" or "Encrypted" - with Enigmail or GPGMail, it's similar, but that depends on the receiver having it installed, which they almost-certainly don't.
- smackhero, on 11/17/2007, -0/+1
i don't know why you're getting buried. i was wondering about that too. this program sounds a little suspect.
- dazparkour, on 11/17/2007, -0/+1
Bury this one. Double posting. =o(
- dazparkour, on 11/17/2007, -0/+1
Questions, because I was tempted to digg you down, but you're right, you didn't include a link so I'm not going to jerk my knee into your balls. Yet.
> and transports Peer-to-Peer via an ‘as needed only’ VPN secured by SSL/TLS IPSEC ESP protocols.
If it transports peer-to-Peer, does that mean people will be storing their own messages, if that is true, why have two plans for high end users, since they will be using their own bandwidth to move files + messages and their own disk space to store it.
- SkyDancer49, on 11/17/2007, -1/+1
I probably won't use this, but it's good to know how to encrypt, should I ever want to.
- CheeseburgerBro, on 11/17/2007, -6/+6
Encryption: Still too tedious to be practical. Face it. If you're a developer: simplify it.
- Somnabot, on 11/17/2007, -2/+2
Ain't ignorance bliss?
- williamdyer, on 11/17/2007, -1/+1
It has a lot to do with government. Why do you think encrypted mail is not a standard feature, on by default? Government leans on companies to make their systems open for snooping. ***** the government.
- peterjhill, on 11/17/2007, -3/+3
I just blogged about s/mime last week: http://www.peterjhill.net/Live/blog/Entries/2007/1 ...
Cert based signing and encryption is way easier than gpg. On the downside, s/mime only works for email. gpg can sign and encrypt any file. public cert distribution for s/mime is handled by just sending someone a signed email. Just like gpg, your cert has a public md5/sha fingerprint that can be used to verify authenticity.
The web of trust of gpg is interesting and useful (I certainly maintain a gpg key and get it signed whenever I'm near a signing party), but it is not for mom and dad or grandma and grandpa. Well, at least IMHO
- JazD, on 11/18/2007, -1/+1
YES! YES! YES! This is something my husband has been talking about for more than a year now. Definitely what we do need to do. Hey, it may be somewhat costly but there are ways to have this free or inexpensively. We need to do this. You have been dugg. Please digg mine when you can. Thanks!!!
- codecomposer, on 11/17/2007, -0/+0
And his name and address, if he lives in the US.
- gbarberi, on 11/18/2007, -1/+1
PGP costs money - about 200$ if you want a full version. for less than a $100, they'll give you a year subscription.
GnuPG is still too difficult to use for the average user. No transparency and is a pain to configure.
I liked ciphire better... free for personal use and completely transparent. If you send mail to a ciphire user, it automatically encrypts it. It does not encrypt the TO: field as someone stated above. If it did, how would the recipient get their mail?
only thing it lacks, is integration with other pgp keyservers.
- dazparkour, on 11/17/2007, -1/+1
Long time linux user burying you for calling gpg4win for legacy operating systems.
Fan boy press is never good.
- cgruber, on 11/17/2007, -2/+2
Truth is, almost nobody has any clue how to set up a non-encrypted email account (geeks make up a pretty small population). Good luck getting them to do an encrypted one, and even better them understanding why they would want it. Everyone wants instant gratification, there's a reason there is big money being an IT security expert.
- sw10, on 11/17/2007, -4/+2
"Shutup" isn't a word, but you get the idea, right?
- spyd3rweb, on 11/17/2007, -10/+5
It SHOULD be private, but our government is not doing its job protecting the rights of its citizens.
- inactive, on 11/17/2007, -7/+1
probably useful stuff, but buried for the tag
- brandonace, on 11/17/2007, -9/+3
Thanks for the info i don't think i will use it but the info was explained very well
- ciaika, on 11/17/2007, -8/+0
For real ad hoc secure email, head over to Voltage Security's VSN solution. http://www.systemfolder.info/articles/31/1/Voltage ...
Voltage's solution allows you to generate your keys on the fly and their key management solution makes it easy to recover keys should you need to encrypt and decrypt older messages.
- jsambarreto, on 11/17/2007, -8/+0
It's a very important information! Thank you!
- hungarian33, on 11/17/2007, -21/+1
so much junk email these days, my friend makes 5000 dollars a month actually, sending that junk