Email security

As part of the background research for next month's awareness module on 'email and messaging security', I figured it is about time I got to grips with secure email. You'd have thought I'd be on top of it already, given that my career started nearly 30 years ago with email system administration and then information security! Truth is, I've managed OK without it until now. The few times I have really needed to send secure email, I have either used a secure webmail facility provided by the client or achieved the same ends using AES-encrypted WinZip archives, sharing the secret password off-line. Now, I find myself needing to communicate securely with a company that doesn't offer secure webmail but does (allegedly) use PGP for secure email. Hmmm.

Today I re-discovered a key reason for not bothering with secure email - the very same reason that has caused me to try, fail and give up previously. The process of configuring MS Outlook - a commonplace, mainstream email application - for S/MIME is convoluted and inadequately-explained. For starters, what is S/MIME anyway? Does it interoperate with PGP? Despite reading a bit about it, I'm not entirely sure at this point although I suspect not. Some of the information online might as well have been written by Greeks.  In Martian.

I found a website offering free email certificates ... except it didn't explain that Chrome won't install them properly: evidently we need to run Internet Explorer. There's not the feintest whiff of an error message to tell us the process failed. That's another hour of my life down the pan, chasing down Windows' certificate store and yet failing to persuade Outlook to install and use a perfectly serviceable certificate from the store. Re-running the download install through IE worked fine though (after I had also figured out how to revoke the first certificate since it wouldn't let me have two for the same email address, oh no). I wish I had a clue what it was doing automagically in the background that I couldn't do manually. Some sort of hocus pocus going on.

We're clearly a long way from simple secure email, despite the common refrain that the process really ought to be made easier and more widely accessible. My cynical mind wonders if certain 'agencies' might be actively frustrating attempts to simplify and so spread secure email more widely ... and while I would understand their reasons, I doubt I could be persuaded that it is in the public interest to allow the authorities to continue snooping on all our emails willy-nilly. So I guess our next awareness module has a public service objective.