July 26th, 2007

When it comes to secure e-mail, beware of George Ou's reality distortion field

Posted by David Berlind @ 9:45 am

Categories: General, IT Management, Legal, Personal Technology, Security, Software Infrastructure, Web technology

Tags: E-mail, David Berlind

Yesterday, I posted a blog about how secure e-mail simply doesn’t exist.  It was an extension of another discussion regarding password recovery schemes that result in the transmission of your password (back to you) in clear text over insecure networks.

In a post headlined E-Mail security has been around forever, you just need to turn it on, my colleague George Ou wrote:

Berlind is reeling over his incorrect perception that the Internet still lacks secure email.  The problem is that he’s got it all wrong and the solution has been under his nose all this time and it really isn’t the non-interoperable nightmare he paints it to be.

I commented directly on his blog, but I also feel it’s necessary to understand why to avoid the reality distortion field Ou has erected.  Here are some bullet points as to why e-mail security is a myth and how George even proves that point.

• George wrote in his headline that all you have to do is turn it on.  He offers some good advice for how to do this through Gmail as though Gmail is representative of every email service on the Web.  But in very same paragraph, he says Microsoft’s Hotmail doesn’t offer payload encryption.  In other words, George couldn’t get past two popular e-mail services (never mind the thousands of others) without also pointing out that they handle security differently (I read this to be non-interoperable).  So, going back to YOU part of the headline, I asked George in the comments area to show me how to turn on payload encryption for all of Hotmail. The point is that until everybody secures email and does it the same interoperable way, ubiquitous standard secure e-mail is a pipe dream.
• Also referring to the YOU part, and going back to the genesis of the discussion George, please show me how to reach into the infrastructures of other entities that are sending me sensitive information via e-mail, and turn on their security features. You see, it’s not a simple as turning something on on my end.  Everybody has to turn it on on their ends as well and they have to do it in the same way. As long as that’s the case and almost nobody is doing it, secure e-mail is once again a pipe dream.
• George’s offers advice for how to go out and get a digital certificate for the purposes of digitally signing e-mail. This is in answer to the very real scenario encountered in businesses everyday where Party X sends a Word document as an attachment to Party Y for Party Y’s signature.  Party Y must print that document out, physically sign it, and send it back to Party X via snail mail or fax (can you say “friction”). It’s 2007 and this Draconian approach to signature exchanges is insane. My position on this is that returning a signed document to Party X should be as simple as what Party X had to go through to send Party Y the document in the first place.  But it’s not. George thinks he’s got the solution by applying a digital signature to the e-mail itself. In other words, Party Y replies to party X with the same attachment (by the way the only way to do this in e-mail is with the “Forward” command since “Reply” drops the attachment) and applies a digital signature to the e-mail and not the attachment. Although he’s not a lawyer, he says his approach should be legally sound. It sounds good in theory.  But this is like saying all “I” have to do is turn something on (never mind what everyone else has to do).  Sure, all I have to do is go out and get a digital certificate (the sort of friction that kills the idea already), apply it to a FORWARDED email (more friction — how many people know this failing of e-mail) and send it off. Only there’s one problem.  What if the person or business I’m sending it too is one of the majority of entities that would never accept my digitally signed e-mail as a signed version of the original document?  What if they’re one of the millions of businesses and law firms that keep hard copy of all signed documents in a filing cabinet where they require an actual signature on the dotted line?
• OK George, never mind any of what I just said. As long as you picked Gmail as the poster child for how everything can work, please show me how, through the same HTTPS Web interface you cited, I can apply that easily acquired digital signature to an e-mail. Or, is that something else I can “turn on” as you say? Perhaps this post under the ABC’s of Gmail where CamargoBP writes (as a part of this thread) “Will gmail support digital signing anytime soon? Yahoo mail does and I don’t see why gmail can’t…..I receive messages that I can’t read without my Apple Mail client because the message is signed and encrypted.” In George’s reality distortion field, CamargoBP is clearly an idiot since s/he’s not turning something on.
• George refers to S/MIME as part of the solution.  This is pure fiction. S/MIME may indeed be a standard but have you ever seen how S/MIME-formatted e-mail arrives in certain e-mail clients? That is by no means standard.  Don’t take my word for it. The first sentence in the “Obstacles to deploying S/MIME in practice” section of the Wikipedia entry for S/MIME says “Not all e-mail software handles S/MIME, resulting in a “smime.p7m” attachment that often confuses people.” In George Ou’s reality distortion field, those people are probably idiots too since everyone should know what to do with a smime.p7m attachment.  By the way, that Wikipedia entry goes on to talk about a bunch of other obstacles and caveats that make it clear that S/MIME is not the panacea George makes it out to be.

I could go on.  But you only need one of the above bullet points to bring down George’s house of cards, let alone five or more.  It’s not a simple as just turning something on.  If it were, we’d probably secure e-mail by now.  But we don’t and it’s hard to know if we ever will.