PGP/email encryption systems usable daily?

Discussion in 'privacy technology' started by dogbite, Dec 16, 2012.

Thread Status:
Not open for further replies.
  1. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    I've just set up Thunderbird to use Enigmail and gpg4win with my Gmail account.

    Ok, fine....but now...
    Is it really possible to use this fantastic tool for encryption and protection on a daily basis?
    I mean, here none of my contacts encrypts email and if I ask them to do that they will simply decline (..to be polite.:D ..).

    I have the impression that this tool is still far away from becoming a standard...therefore it's a nice to have but maybe not really usable.

    What is your experience?
     
  2. Tadoussac

    Tadoussac Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    118
    Welcome to the party! I have been using the same Thunderbird + Enigmail + gpg setup for more than 10 years. Sadly, I believe this email encryption method is in a state of decline, and will eventually disappear. Here's why:

    (1) Personal use of desktop email clients has been rapidly declining in favor of webmail, especially since Gmail was introduced (except for your contacts using desktop Outlook on MS Exchange servers). Just a few months ago, Mozilla announced they will maintain but stop developing Thunderbird.

    (2) There are no known gpg encryption capabilities built into webmail.


    In my own personal experience, I have more than 1000 email contacts, and less than 0.5% of them use gpg/pgp encryption. 5 years ago the excuse my friends used to refuse email encryption was .... "sorry, too complicated" ... now they just say ..."sorry, I use gmail".

    My 2 cents.
     
  3. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
    I don't agree at all. Our userbase increases 100% every year.

    There are some webmails with PGP, Countermail and Hushmail are two of them.
     
  4. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Ok, but if 99% of the people in the world do not use this system, this system (sadly) is useless.
    From the first post, I must say that since I switched to Opera (also using its mail client) I have no more PGP.
     
  5. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    The "Current Window" option on every PGP/GPG (with a plug-in) implementation I've ever used can encrypt the body of a webmail message. Or use Countermail ^.

    PD
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    FWIW, I have in the past stumbled across some browser extensions which bring encryption to webmail services such as Gmail. I would be concerned about fragility in the face of Gmail changes and also the use of additional third party servers for some features. However, perhaps one or more have potential. I can't remember their names but searches for obvious keywords would surely find them.
     
  7. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
    It's very useful for the people/companies who want to protect their email. Those who understand how the internet works and the difference between sending an unencrypted email and an encrypted email will use PGP, but if you never send/store any sensitive information with email, yes, then it's useless.

    The biggest problem is lack of knowledge, e.g. many people think SSL/HTTPS will also protect their stored email, which of course it doesn't; any admin/hacker with access to the server can read all customers' email, if it's not PGP encrypted.
    I know many companies who wish they had used PGP, but they didn't realize what PGP was, until after they were hacked...
     
    Last edited: Dec 21, 2012
  8. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I don't know how those extensions worked, but with the 'Encrypt Current Window' option, all it does is cut the plain text from the window, encrypt it, and then paste it back. It is all done locally, so nothing Gmail changed would affect it.

    PD
     
  9. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Learned this lesson myself - frustrating isn't it :(

    I hate to keep tooting their horn but CryptoHeaven is absolutely the best option for dealing with contacts that don't deem email security important! Here is what it does:

    - CryptoHeaven is "encrypted webmail": all email you send can be encrypted via "public key" or "password" and is encrypted on your computer. All email (sent or received), files, folders, contacts, etc are "ALL" stored encrypted on the server.

    - Everything is decrypted locally and you can choose to store your private key "locally" or on the server.

    - Email you receive that is not encrypted "is encrypted" with your public key when it hits the CH server and the original deleted within 10 minutes.

    - If you are at least somewhat familiar with a contact, you can send them an encrypted email that can be decrypted with a password to a question they would know how to answer that others won't.

    Obviously, your original PGP setup would be optimal but you, I and others know that the masses aren't into it yet(?). Until they do embrace it, give CH a try ;)
     
    Last edited: Dec 22, 2012
  10. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    It's really odd you'd say that, do you work for CryptoHeaven?

    CryptoHeaven is a great service in its own right, but it's not at all what you'd want if you regularly interact with people who don't deem email security important. It's actually a great way to get your contacts to dread receiving emails from you and if you're sending encrypted email from a CryptoHeaven account to businesses for job applications or whatever, might as well not bother. They don't have time to play those games.

    Messages directly to non-CryptoHeaven email domains aren't encrypted so there's no point in having CH unless your other important contacts do too.

    About the question/answer decryption, your recipient needs Java installed for that to work. I sure won't install Java just to read someone's email and your recipients may not have the user privileges to install it; never mind that non-techie people think Java is either coffee or an island in Indonesia.
     
  11. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    If I did, I would most certainly state so!

    Don't think I implied to use it in this way but for those familiar contacts who wouldn't mind clicking a link and inputting the password to a question they would know how to answer.

    Actually you missed my point here - everything you send and receive "is encrypted" on "your end" - meaning, everything pertaining to your account (email sent, received, files, folders, contacts, etc.) rests "encrypted" on the CH server and is decrypted for you on your computer when you need it. So as you can see, there "is a point" to using CH instead of others.

    I would hazard a guess that the vast majority of "non-techie people" do in fact have Java installed. Those that have a fear of having Java installed probably know enough to "secure their email" ;)

    BTW, CH can be installed as "portable" and used from a thumb drive. During the initial setup, if no Java installation is present on the host, it will install its own "portable Java" in its file folder. Once completed, no further Java installation is needed on a host.
     
  12. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    I asked because I've seen you often very enthusiastically mention them and to do so in the OP's scenario strikes me as strange, IMO, so I was just curious.

    You didn't, but the OP did. He's already seen friction from people when trying to convert them to Enigmail. CryptoHeaven would likely result in more of the same because grandma is still going several steps beyond the normal Hotmail protocol to interact with this one person. CryptoHeaven doesn't solve anything here, and that's not CH's fault but on this occasion, I don't think it's an appropriate solution because the same level of usability is not preserved.

    I'm aware of that and it's great that this happens, but the unfortunate part is how easy and automated that is for the CH user compared to the other party. Everything you send to other people is going to be unencrypted unless either they have a CH account or they do the question/answer thing. Sure the Q/A is not a major inconvenience once in a while, or for people who value the extra security, but to grandma or colleagues or friends who don't see that point, it's an inconvenience and that's all that matters when you're a minority aiming for widespread adoption. And if recipients don't have Java installed, that's just one more step for them to take; one that requires upkeep.

    Well, Apple has included Java with OSX for a while now but I remember Steve Gibson's podcast a few months back said they're moving away from it because of the Flashback incident. I think a lot of Java's popularity has ballooned because of mobile devices. Whether Windows has Java as an OEM supplied program I've always found to be hit or miss. My overall impression is that Java on household computers is not the norm but that's not based on anything empirical.

    The desktop version does this too. It's CryptoHeaven's own Java VM package streamlined for their client program. No browser extensions and it's not accessible by anything but CH so it's a minimal attack surface compared to a full SE install.

    I don't doubt that CH is a good service. I wrote about them extensively this past summer but their system loses its fluidity once you start bringing other domains and users' security models (or lack thereof) into the picture.
     
  13. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    I understand what you're saying. And I only piped in when I noticed the OP had given up already and moved back to basic email. I am merely pointing out that you can still "secure your end" by using CryptoHeaven which I can't say for the others.
     
  14. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
    The biggest problem with CryptoHeaven is that they don't support OpenPGP, this means that you can't communicate securely with any PGP user. OpenPGP is the most widely spread email encryption protocol, there are several millions of OpenPGP users out there. By using a non-standard protocol you actually reduce your chances of secure communication. With OpenPGP you are not locked to any special provider application.
     
  15. parabol85

    parabol85 Registered Member

    Joined:
    Jan 3, 2013
    Posts:
    1
    Hi Countermail Rep. I am a premium user with a USB key. I haven't been able to log in for a week and I have not yet received a reply from account@countermail.com or info@countermail.com.

    Please PM me, it's urgent. I can't PM you for some reason, even if I add you to my buddy list.
     
  16. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    I agree - However, seeing as what "1%" maybe even less of email users worldwide secure their email makes that irrelevant at this point in time. For the odd contact that does use PGP, then using Thunderbird, Enigmail and gpg4win would be the optimal choice!

    Now since PGP isn't mainstream yet, all we can do is secure our end the best we can. It's still much better, much more secure than doing nothing isn't it o_O Which is why I recommended CH.

    Seeing as we know the title of this thread is not possible right now, I like to hear of services, ways - both free and paid like CH that at least allow email users to secure their end. If it's free, all the better!

    Just want to add that I "do not" use CryptoHeaven as 95% of my email correspondence is done through a mobile device which CH doesn't support. However, they are working on both an iOS and Android App and until that is released and working properly, I am open minded to other solutions like CH which also work on mobile.
     
  17. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
    What's relevant for me and most people who ask about email encryption, is what is secure and future-proof? Even if a beginner wants to start learning email security, I think it's better to spend those learning hours on the most accepted protocol.

    By using a standard protocol like OpenPGP, you will get more apps, easier to find help and much better chance to communicate securely with security-minded people or companies, this fact is not irrelevant.

    With OpenPGP you don't have to wait for a special app for your own platform, there already exist OpenPGP-apps for:
    -Linux
    -MacOS
    -Windows
    -Windows Mobile
    -iPhone (iOS)
    -Android
    -BlackBerry

    That's a working OpenPGP solution, but it's also the most complicated. A web based OpenPGP solution is much easier, especially for beginners. Hushmail realized this 14 years ago, when they started their OpenPGP-based webmail.
     
  18. hagridor

    hagridor Registered Member

    Joined:
    Jan 24, 2007
    Posts:
    3
    "Just want to add that I "do not" use CryptoHeaven as 95% of my email correspondence is done through a mobile device which CH doesn't support. However, they are working on both an iOS and Android App and until that is released and working properly, I am open minded to other solutions like CH which also work on mobile."

    CryptoHeaven now has a mobile application (Android):
    http://www.cryptoheaven.com/Download/Download.htm
     
  19. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Hello

    Yes - been testing since initial private beta release and am impressed with the speed and how fluid this app is. Still not close enough to the desktop version (feature-wise) though for my taste but is still "very usable".

    However, I am only interested in the mobile app and so far they have flatly refused my recommendation to offer it "also" as a "standalone" (less space/less price) instead of their current marketing strategy "companion to the desktop version".

    Currently Supports:

    Secure Email

    Secure Messaging (works great BTW)

    No file access/sharing though - you can't even see your secure files from the app and would want that in the app before I decide whether to cave in and purchase or not.
     
  20. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284