What email encryption is actually in use?

Tyler Durden camera_lumina at hotmail.com
Sat Nov 2 20:01:23 PST 2002

"Prior to that, the encrypted email I've sent in the past year or so has 
almost always failed, because of version incompatibilities,"

While in Telecom I was auditing optical transport gear, and we adopted the 
practice of encrypting all of our audit reports to vendors. Of course, the 
chance of there being an eavesdropper (uh...other than NSA, that is) was a
Planck energy above zero, but it gave the vendors the impression we really
cared a lot about their intellectual property (if we determined a problem 
with their equipment, and if that info ever leaked, it could have a major 
impact on them).
That the messages were decrypted I know for sure, and it was easy for the
customers: we would verbally tell them the password for unpacking the
encrypted file, and they merely typed it in and it extracted itself.
I think the encryption tool was installed directly into the file manager (or 
whatever it's called now), so it was easy to do.

>From: Steve Furlong <sfurlong at acmenet.net>
>To: cypherpunks at lne.com
>Subject: Re: What email encryption is actually in use?
>Date: Sat, 2 Nov 2002 12:41:55 -0500
>On Saturday 02 November 2002 12:09, Adam Shostack wrote:
> > An interesting tidbit in the September Information Security Bulletin
> > is the claim from MessageLabs that only .005% of the mail they saw in
> > 2002 is encrypted, up from .003% in 2000.
> >
> > ... Last month, about
> > 5% of my email was sent PGP encrypted, about 2% STARTTLS encrypted,
> > and about 25% SSH encrypted to people on the same mail server, where
> > POP and IMAP only function via SSH.
> >
> > I'd be interested to hear how often email content is protected by any
> > form of crypto, including IPsec, Starttls, ssh delivery, or PGP or
> > SMIME.  There's probably an interesting paper in going out and
> > looking at this.
>Well, here's a datum for you: in the past four or five months, I have
>sent exactly no encrypted email. There are several reasons, notably
>that most of my email correspondents are business types who can't
>handle encryption even after several lessons and checklists and even
>when the tools are integrated into the MUA.
>Prior to that, the encrypted email I've sent in the past year or so has
>almost always failed, because of version incompatibilities, human
>error, changes of email address, and what-not. Or because the recipient
>simply isn't bothering to decrypt mail any more because it's more
>trouble than it's worth for the low quality of information conveyed.
>The only business environment I've ever worked in which successfully
>used encrypted email mandated specific versions of mail client
>(Outlook, ecch) and PGP (integrated into Outlook), had a jackbooted
>thug to make sure everyone's keyring was up to date, and had a fairly
>small (couple dozen), mostly technically proficient, user base. And
>even there, half the time the encrypted message wasn't sensitive enough
>to be worth encrypting nor important enough to be worth decrypting.
>I have signed a few messages in the recent past, but that was probably
>even less worthwhile than encrypting them. For all I know, not a single
>one has been verified.
>Steve Furlong    Computer Condottiere   Have GNU, Will Travel
>Vote Idiotarian --- it's easier than thinking
