What email encryption is actually in use?

Adam Shostack adam at homeport.org
Sat Nov 2 09:09:19 PST 2002


An interesting tidbit in the September Information Security Bulletin
is the claim from MessageLabs that only .005% of the mail they saw in
2002 is encrypted, up from .003% in 2000.  (MessageLabs is an
outsourcing email anti-virus company.)

At this thrilling rate of growth, it will be on the order of between
30 and 40 years before we see most email being encrypted.  And about
10 years before we start to see any real hope of a "fax effect."

Let's be sure to consider that the PGP model is working.  After all,
that's faster than the adoption of the, ummm, well, I'm sure someone
can take comfort from it.  Maybe even someone other than the
eavesdroppers.

Now, it may be that they have an unusual sampling because only a
nutcase company would send all its email through a 3rd party
processor.  But I don't believe that to be true.  Most companies send
their email unencrypted through a single ISP.  MessageLabs only has it
slightly easier when it comes to eavesdropping.  Last month, about 5%
of my email was sent PGP encrypted, about 2% STARTTLS encrypted, and
about 25% SSH encrypted to people on the same mail server, where POP
and IMAP only function via SSH.

I'd be interested to hear how often email content is protected by any
form of crypto, including IPsec, STARTTLS, SSH delivery, or PGP or
S/MIME.  There's probably an interesting paper in going out and looking
at this.

Adam
-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume




