On Thu, 2014-06-05 at 11:40 +1000, Russell Stuart wrote:
> On Thu, 2014-06-05 at 10:36 +1000, Karl Auer wrote:
> > As far as I can tell, the "encrypted email" Google is making a song and
> > dance about is only encrypted between the sender and Google (or the
> > sender and their email server, more generally).
>
> Nope. The song and dance is about them supporting OpenPGP encrypted
> emails. They are doing it using a Chrome plugin, so it only works with
> GMail and Chrome.

That's a separate thing. Google is definitely talking about the encrypted
transfer of emails between MTAs. But they have ALSO done the Chrome plugin
(currently very alpha), and that is also a good thing.

> Outlook, Apple Mail and so on have supported S/MIME for decades, so it
> has *always* been possible to securely email things like credit card
> numbers and passwords. No one ever has, probably because only a
> minuscule proportion of the population is even aware it's possible.
> It's all a bit depressing.

S/MIME isn't really a very good mechanism, though it is certainly easier
to use than GPG/PGP. The problem with S/MIME is that it uses certificates
obtained from certificate authorities, many of which have been
compromised, sometimes very badly. When a CA is compromised, everything
from that point down in the hierarchy of trust that S/MIME depends upon
is, not to put too fine a point on it, *&^%ed.

GPG/PGP is harder to set up and, because it is not hierarchical, means you
must set up a relationship with a recipient before you send, but if a key
is compromised, it only affects stuff sent using that key - not every key
you ever produced.

> True, although you are being somewhat unkind here.

Not at all! Google is doing a good thing in both cases - and it's not
their fault if downstream servers don't support encryption. I'm not
blaming Google for the lack, just reminding people that email follows a
long path from sender to recipient, and if any part of that path is
unencrypted, then the email is at risk of being read by people other than
the recipient.

Plus, email in storage is rarely if ever encrypted, so email service
providers can (and DO, and HAVE) handed emails over to law enforcement
agencies and other less savoury agencies, often without even requiring a
warrant.

The only protection against these issues is to encrypt your emails
yourself. S/MIME is one way, GPG/PGP is better.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
_______________________________________________
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link