Secure email - the myth, the pain, what you can do...
Every now and then I get asked about setting up a secure email system for a customer.
Pretty much every time I have explained the ramifications to a customer, and they've pressed on anyway, they've invariably given up and gone back to regular email or sending private stuff by good old snail-mail.
Without going into technical details, sending secure emails requires that all parties involved are playing the same game.
By that I mean, they will need to understand what the secure method is and buy into using it.
You can't just say "this email is private" and magically everything is taken care of.
To make this a little easier to understand, you can think of the problem like posting someone an actual key to a building somewhere.
The recipient of the key has to be told where the building is and which door the key is for. AND not in the same letter in which the key is being sent.
If the letter is intercepted then the key is useless without the other pieces of information.
The recipient then also has to be willing to go to that building and attempt to find the door as described, insert the key, turn it and THEN hunt around inside the building for the actual piece of information. Oh, and access to the building isn't free. You'll need to rent it or pay by the visit.
In a business scenario you can see that this level of overhead can quickly become costly, time consuming and painful. After all, who really cares about the information you are sending?
Google recently added a "Confidential Mode" to Gmail.
Not everyone has it yet but, as described above, that may not matter.
If you read the article you'll see that once you or the recipient are outside of Gmail the pain of trying increases.
Add all this to the fact that once the information is visible you can still take screens shots of it with any number of tools or even your phone.
If I am forced to send something confidential via email I just ZIP it up using a password (a good password) and then text the password to the recipient...
...email has the encrypted information attached in the zipped file...
...access to it goes via an alternate transport to the same person.
It ain't flash and it ain't perfect but it is easy and fairly universal for people to use.
If anything really, REALLY secure has to be sent then I seriously question why and usually DON'T send it via email. How? That's another blog post. Sorry ;-)
Happy hiding stuff.