
A Secure Past

I've been using GnuPG to secure my email for over 13 years now. While my conviction that all email should be encrypted remains unbroken, my determination in pursuing that goal has always followed a certain ebb and flow: the use of GPG (or any software to encrypt email for that matter) requires people to use the same encryption technique – and the difficulty is finding people to talk to in a secure fashion.

GnuPG is a versatile standard that allows you to encrypt arbitrary data. While I had times when virtually no email was piped through my gpg executable, I still used it in my everyday life: before encrypting entire hard disks was made so ridiculously easy in modern operating systems¹, GPG was my go-to tool to encrypt sensitive data on my computer.

¹ In fact: if you're using Mac OS or GNU/Linux there's really no excuse left not to do it; the OS already has everything you need, be it Apple's FileVault or Ubuntu's HDD encryption features. I don't know about Windows, but there's always TrueCrypt.

Of Apples and Oranges

I've noticed a few similarities between IPv6 deployment and the low number of people using appropriate means to encrypt their email traffic. I have isolated three of them:

  1. People don't care
  2. People don't understand
  3. People have no one to talk to

No one cares

People don't care because they consider their email communication not private enough and/or the old »I have nothing to hide« argument is in place. Similarly, end-users and providers alike don't bother taking the effort of activating IPv6 because the Internet Just Works™ with v4.

A tough concept

It would seem that you need a degree in computer science to even remotely understand how this encryption thing works. The requirement of a peer's public key in order to send encrypted email is a concept that's very hard to grasp. What happens under the hood? And then there is the distinction between encrypted and signed (or both). Signed, what does that even mean?

While I would argue that most internet users come across the term IP-address at some point, they have no clue that it comes in different flavours, or – well – versions (and rightfully so: there should be no need to). After all, internet is the thing you type into Google, right?

Explaining that the theoretical pool of 2^32 IPv4 addresses (yes, there are significantly fewer) is almost depleted and that a (theoretical) number space of 2^128 will solve the addressing problems of the Internet of Things just boggles the minds of the less tech-savvy: »2 to the power of 128 – so that's four times the address space we had before, right?« Uhm, no.

Anybody out there?

The biggest problem is the insular state you find yourself in once you've gone to all these lengths and got your email encryption software set up: you are virtually alone. For those who went past the barrier of understanding how it all works, it will quickly raise one question: »If I need to install extra software, have to have the remote site's public key and can't use it anymore when I access my emails via a web interface… will anybody use it at all?« Encrypted email right now is a privilege of the technically adept people. You can use it to communicate with only a few selected people.

The IPv6 internet is not different to that: sure, there are hotspots out there that work for the early² adopters among us. The numbers are growing, thankfully, but until the vast majority of end-users has v6 connectivity, the content-providers will not see a solid reason to connect to the v6 internet themselves. On the other hand, ISPs may not see a reason to change their infrastructure and add native IPv6 to their clients as long as there isn't anything to see.

² Not so early at all: the protocol has been there since 1999 and with the release of Microsoft Vista in 2007 even every major desktop operating system had support for IPv6 built in and enabled by default.

Escape the hamster wheel

The solution to the IPv6 chicken-and-egg problem is closer than one for encrypted email: more and more VPS- and hosting providers delegate a native /64 IPv6 subnet to their boxes and ISPs providing internet connectivity to end-users slowly start to give out IPv6 addresses. All of this is driven by the fact that v4 nets have indeed become very scarce (in fact, old addresses are being re-used much faster now). The main inhibitor for the global IPv6 rollout was never the problem referred to as #1 or #2, but the item #3. It would seem that this knot will now untie itself over the years to come.

It has a sour aftertaste, but there is a similar pressing event for email privacy. It is, of course, the recently uncovered electronic surveillance by various secret services: I have seen more and more people developing an interest in email encryption. These people may still count as »technically aware« but they are by far not computer geeks with an additional maths degree.

People realising that their emails are being read and stored does not solve the chicken-and-egg problem #3 for secure email transportation. It responds to the problem #1 in a way that people have an urge to act, just like ISPs have because their addresses run out. That is good! However, #2 and #3 still stand in the way. While you don't have to know about the cryptographic theory behind the technique, understanding the general workings and implications of switching to a secure means of email communication is mandatory if one is to eliminate #3.

So what can be done? As with so many things, it's talking to people. Set up S/MIME and/or GPG for a friend today! That's not completely altruistic, either: the more people use it, the more secure your own emails will become.
