The short answer is a resounding Yes! Let’s discuss this topic which has spanned generations.
The current case in point has to do with terrorists using WhatsApp. For those of you that don’t use it, it is a text messaging app that also enables voice and video conversations. I started using it when I first went to Israel, because my daughter and most of the folks that I met there professionally were using it constantly. It has become a verb, like Uber and Google are for getting a ride and searching for stuff. Everything is encrypted end-to-end.
This is why the bad guys also use it. In a story that my colleague Lisa Vaas posted here in Naked Security, she quotes the UK Home Secretary Amber Rudd about some remarks she recently made. For those of you that aren’t familiar with UK government, this office covers a wide collection of duties, mixing what Americans would find in our Homeland Security and Justice Departments. She said, “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” She was trying to make a plea for tech companies to loosen up their encryption, just a little bit mind you, because of the inability of her government to see what the terrorists are doing. “However, there is a problem in terms of the growth of end-to-end encryption” because police and security services aren’t “able to access that information.” Her idea is to serve warrants on the tech companies and get at least metadata about the encrypted conversations.
This sounds familiar: after the Paris Charlie Hebdo attacks two years ago, the last person in her job, David Cameron, issued similar calls to break into encrypted conversations. They went nowhere.
Here is the problem. You can’t have just a little bit of encryption, just like you can’t be a little bit pregnant. Either a message (or an email or whatever) is encrypted, or it isn’t. If you want to selectively break encryption, you can’t guarantee that the bad guys can’t go down this route too. And if vendors have access to passwords (as some have suggested), that is a breach “waiting to happen,” as Vaas says in her post. “Weakening security won’t bring that about, however, and has the potential to make matters worse.”
In Vaas’ post, she mentions security expert Troy Hunt’s tweet (reproduced here) showing links to all the online services that (surprise!) she uses that operate with encryption like Wikipedia, Twitter and her own website. Jonathan Haynes, writing in the Guardian, says “A lot of things may have changed in two years but the government’s understanding of information security does not appear to be one of them.”
It isn’t that normal citizens or real people or whatever you want to call non-terrorists have nothing to hide. They do have their privacy, and if we don’t have encryption, then everything is out in the open for anyone to abuse, lose, or spread around the digital landscape.
As you loyal readers know (I guess that should just be “readers” since that implies some of you are disloyal), I have been using and writing about email encryption for two decades. It hasn’t been a bowl of cherries, to be sure. Back in 1998, when Marshall Rose and I wrote our landmark book “Internet Messaging,” we said that “the state of secure Internet email standards and products is best described as a sucking chest wound.” Lately I have seen some glimmers of hope in this much-maligned product category.
Last week Network World posted my review of five products. Two of them I reviewed in 2015: HPE/Voltage Secure Email and Virtru Pro. The other three are Inky (an end-to-end product), Zix Gateway, and Symantec Email Security.cloud. Zix was the overall winner. We’ll get to the results of these tests in a moment.
In the past, encryption was frankly a pain in the neck. Users hated it, either because they had to manage their own encryption key stores or had to go through additional steps to encrypt and decrypt their message traffic. As a consequence, few people used it in their email traffic, and most did under protest. One of the more notable “conscientious objectors” was none other than the inventor of PGP himself, Phil Zimmermann. In this infamous Motherboard story, the reporter tried to get him to exchange encrypted messages. Zimmermann sheepishly revealed that he was no longer using his own protocols, due to difficulties in getting a Mac client operational.
To make matters worse, if a recipient wasn’t using the same encryption provider as you were using, sending a message was a very painful process. If you had to use more than one system, it was even more trouble. I think I can safely say that those days are coming to an end, and that we are entering a period where encryption is almost completely frictionless.
By that I mean that there are situations where you don’t have to do anything, other than click on your “send” button in your emailer and off the message goes. The encryption happens under the covers. This means that encryption can be used more often, and that means that companies can be more secure in their message traffic.
This comes just in time, as the number of hacks with emails is increasing. And it is happening not only with email traffic, but with texting/instant message chats as well. Last week Check Point announced a way to intercept supposedly encrypted traffic from WhatsApp, and another popular chat service, Confide, was also shown to be subject to impersonation attacks.
So will that be enough to convince users to start using encryption for normal everyday emailing? I hope so. As the number of attacks and malware infections increases, enterprises need all the protection that they can muster, and encrypting emails is a great place to start.
What I liked about Zix and some of the other products that I tested this time around was that they took steps to hide the key management from the users. Zimmermann would find this acceptable, to be sure. Some other products have come close to doing this by using identity-based encryption, which makes it easier to on-board a new user into their system with a few simple mouse clicks.
What I also found intriguing is how Zix and others have incorporated data loss prevention (DLP) and detection into their encryption products. What this means is that all of these systems detect when sensitive information is about to be transmitted via email, and take steps to encrypt or otherwise protect the message, both in transit and in how it will ultimately be consumed on the receiving end.
DLP has gone from something “nice to have” to more essential as part of business compliance and data leak hacks, both of which have increased its importance. Having this integration can be a big selling point of making the move to an encrypted email vendor, and we are glad to see this feature getting easier to use and to manage in these products.
Finally, the products have gotten better at what I call multi-modal email contexts. Users today are frequently switching from their Outlook desktop client to their smartphone email app to a webmailer for keeping track of their email stream. Having a product that can handle these different modalities is critical if it is going to make a claim towards being frictionless.
So why did Zix win? It was easy to install and manage, well-documented and had plenty of solid encryption features (see the screenshot here). Its only downside was no mobile client for composing encrypted messages, but it got partial credit for having a very responsively designed webmailer that worked well on a phone’s small screen. Zix also includes its DLP features as part of its basic pricing structure, another plus.
We have come a long way on the encrypted email road. It is nice to finally have something nice to say about these products after all these years.
In my post from last week, I addressed some of the concerns in the growing conflict between security and privacy. One of the issues that I didn’t talk about, as several readers reminded me, is the difference between privacy and anonymity. This is often summarized by saying, “I don’t care if someone tracks me, I have nothing to hide.” Well, consider the following scenarios.
Scene 1. You are hiking on a remote trail. As you are enjoying the view, someone is taking pictures with their smartphone and pointing their camera in your direction. So essentially your image is being taken without your consent. At first, you think this is fine: after all, you are anonymous, just some random hiker. But when the photographer posts your image on their social feed, your face is recognized thanks to the site’s software. And now, not only are you identified, but your location is also specified. So you have been tagged without your consent. One way around this is to wear specialized clothing that defeats flash photographs, as shown here.
Scene 2. You maintain a very active Pinterest account and post numerous pictures when you are at various events, or when you travel to distant cities. One consequence of this is that anyone who spent time looking at your account could see where you have been and what you have done.
Scene 3. Beginning in 2007, employees of the UK-based News Corp. regularly hack into celebrities’ voicemail accounts. They are sued and eventually pay various fines. Eventually, things come to a boil in 2011 and others are charged, and one staffer is actually jailed. Testimony reveals that thousands of phones were involved and dozens of staffers had access to the collected information.
Scene 4. In the neighborhood where I live in St. Louis, the community monitors nearly 100 cameras that continuously capture video imagery to aid in solving crimes. Several dozen people have been arrested as a result of investigations using these images, which are available to law enforcement personnel. While they don’t have facial recognition software yet, it is only a matter of time. But what if anyone could access the video feeds online and monitor what is going on?
Scene 5. Your online activities are being tracked. One of the stories that I wrote about tracking online fraud recently was how security researchers were able to use machine learning to predict when an endpoint device could be considered compromised. They found a series of common characteristics that were easy to discover, without any sophisticated software. These included freshly made cookies (fraudsters clear their cookies often while regular users almost never do), erased browser histories, 32-bit Windows running on 64-bit CPUs and using few browser plug-ins. While any of these factors taken alone might be from a legit user, combined together they almost always indicated a machine used by an attacker.
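The combined-signal reasoning in Scene 5, sketched as an added example that is not the researchers' code or part of the original post: a rule-based stand-in (not their machine-learning model) run over constructed session records. The field names, thresholds and verdict labels are assumptions.

```python
# Added illustration: a rule-based stand-in for the combined-signal idea.
# Field names, thresholds and verdict labels are assumptions, not the study's.
import json

# Constructed telemetry, one JSON record per browsing session.
SAMPLE_SESSIONS = """\
{"id": "s1", "cookie_age_s": 120, "history_entries": 0, "os_bits": 32, "cpu_bits": 64, "plugins": 0}
{"id": "s2", "cookie_age_s": 7776000, "history_entries": 4210, "os_bits": 64, "cpu_bits": 64, "plugins": 6}
{"id": "s3", "cookie_age_s": 300, "history_entries": 1875, "os_bits": 64, "cpu_bits": 64, "plugins": 5}
{"id": "s4", "cookie_age_s": 45, "history_entries": 0, "plugins": 1}
"""

FRESH_COOKIE_S = 3600  # assumed: a cookie younger than one hour is "fresh"
FEW_PLUGINS = 1        # assumed: at most one plug-in counts as "few"

# Each rule: the fields it needs and a predicate over those fields.
RULES = {
    "fresh_cookie": (["cookie_age_s"], lambda age: age < FRESH_COOKIE_S),
    "erased_history": (["history_entries"], lambda n: n == 0),
    "os32_on_cpu64": (["os_bits", "cpu_bits"],
                      lambda os_b, cpu_b: os_b == 32 and cpu_b == 64),
    "few_plugins": (["plugins"], lambda n: n <= FEW_PLUGINS),
}


def evaluate(session: dict) -> dict:
    """Return which signals fired, which could not be evaluated, and a verdict."""
    fired, unknown = [], []
    for name, (fields, predicate) in RULES.items():
        values = [session.get(field) for field in fields]
        if any(value is None for value in values):
            unknown.append(name)      # missing telemetry is never counted as a hit
        elif predicate(*values):
            fired.append(name)
    if len(fired) == len(RULES):
        verdict = "flag"              # every signal present: the combined case
    elif unknown and len(fired) + len(unknown) == len(RULES):
        verdict = "needs_data"        # all known signals fired, but some are missing
    else:
        verdict = "allow"             # one or two signals alone fit a legitimate user
    return {"id": session.get("id"), "fired": fired,
            "unknown": unknown, "verdict": verdict}


def analyse(text: str) -> list:
    """Evaluate every non-blank JSON line in the input."""
    return [evaluate(json.loads(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for result in analyse(SAMPLE_SESSIONS):
        print(result)
```

Session s3 is the legitimate user who happened to clear cookies: one signal fires and nothing is flagged, which is the point the paragraph makes about factors taken alone.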
Still think you have nothing to hide? Maybe so, but it is a bit creepy to know that your digital footprints are so obvious, and show up in so many places.
Some vendors, such as email encryption software Mailpile, have gone to great lengths to document how they address their users’ privacy. Given their market focus, it isn’t surprising. But still the level of detail in that document is impressive. “People should be able to communicate privately,” as they state in their document. That means no eavesdropping on email content, supporting authentic messages and privacy when it comes to the message metadata and storage too. What I liked about the Mailpile manifesto was their non-goals: “Mailpile is not attempting to enable anonymous communication. Most people consider e-mail from anonymous strangers to be spam, and we have no particular interest in making it easier to send spam.”
So as you can see, there is a difference between being anonymous online and maintaining your privacy. Like anything else, it is a balance and everyone has their own trade-offs as to what is acceptable, what isn’t, and what is just creepy. And expect new technologies to upset this balance and make these choices more difficult in the future.
As some of you who follow my work know, I have had a long history of using and complaining about email encryption programs, ever since working with Marshall Rose on our breakthrough 1998 book on enterprise Internet messaging. Rose was one of the key innovators of the Internet email protocols that we still use today, and a wonderful co-author.
Since those dark days, email encryption has certainly gotten better, as I wrote this past summer when I tested a bunch of products for Network World. But is it good enough to pass muster with academia? Not yet, at least on the level of the average undergraduate recruited for a recent academic paper in the “Johnny Can’t Encrypt” research series.
These papers began in 1999, when a Berkeley computer science team published the first study based on trying to use PGP v5. The research design is very straightforward: pairs of students were asked to send and decrypt messages back and forth under observation. Few of the teams were able to complete the task in under 90 minutes. In 2006, another team at Carnegie Mellon tried again, this time using an Outlook Express plug-in with PGP v9. They had better software but less time to complete their tasks, and most eventually still failed.
And last month, a team at BYU tried again, this time using Gmail and Mailvelope. They gave their teams 30 minutes, with only one out of ten being able to get the job done. The most common mistake was encrypting a message with the sender’s public key, a rookie mistake. There were other user experience issues with the Mailvelope browser plug-in, and some students were clearly very frustrated and vented their low opinions of Mailvelope to the researchers.
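Why encrypting with the sender's own public key fails, shown as an added example that is not from the BYU paper, Mailvelope or the original post. It uses textbook RSA with tiny fixed keys, which is not secure and only illustrates key direction; the key-ID envelope, the helper names and the Alice/Bob keys are assumptions.

```python
# Added illustration: textbook RSA with tiny fixed keys. Not secure (no padding,
# no hybrid encryption); it only shows which key a message must be encrypted to.
import hashlib
from dataclasses import dataclass

E = 65537  # common RSA public exponent


@dataclass(frozen=True)
class PublicKey:
    owner: str
    n: int

    @property
    def key_id(self) -> str:
        # Short identifier derived from the modulus, loosely like an OpenPGP key ID.
        return hashlib.sha256(str(self.n).encode()).hexdigest()[:16]


@dataclass(frozen=True)
class PrivateKey:
    public: PublicKey
    d: int


def make_keypair(owner: str, p: int, q: int):
    """Build a toy key pair from two primes (hypothetical helper)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, needs Python 3.8+
    public = PublicKey(owner, n)
    return public, PrivateKey(public, d)


def encrypt(message: bytes, recipient: PublicKey) -> dict:
    """Encrypt to the owner of `recipient`; only that owner's private key opens it."""
    m = int.from_bytes(message, "big")
    if m >= recipient.n:
        raise ValueError("message too long for this toy key")
    return {"key_id": recipient.key_id, "length": len(message),
            "c": pow(m, E, recipient.n)}


def decrypt(envelope: dict, private: PrivateKey) -> bytes:
    """Refuse envelopes addressed to another key, as a mail client would."""
    if envelope["key_id"] != private.public.key_id:
        raise PermissionError(f"no private key for key ID {envelope['key_id']}")
    m = pow(envelope["c"], private.d, private.public.n)
    return m.to_bytes(envelope["length"], "big")


def can_read(envelope: dict, private: PrivateKey) -> bool:
    try:
        decrypt(envelope, private)
        return True
    except PermissionError:
        return False


# Constructed keys built from known Mersenne primes; Alice is the sender.
ALICE_PUB, ALICE_PRIV = make_keypair("alice", 2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair("bob", 2**107 - 1, 2**127 - 1)
MESSAGE = b"meet at noon"

if __name__ == "__main__":
    mistake = encrypt(MESSAGE, ALICE_PUB)  # the error: sender's own public key
    correct = encrypt(MESSAGE, BOB_PUB)    # the fix: recipient's public key
    print("Bob can read the mistaken message:", can_read(mistake, BOB_PRIV))
    print("Alice can read the mistaken message:", can_read(mistake, ALICE_PRIV))
    print("Bob can read the correct message:", can_read(correct, BOB_PRIV))
```

The mistaken message is still valid ciphertext, so nothing looks wrong on the sender's side; the failure only shows up when the recipient tries to open it.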
PGP has been around a long time, since 1991 when it was created by Phil Zimmermann. Phil is still active in the field, having worked on a newer series of “Silent” email products. I spoke to another Phil involved with PGP, Phil Dunkelberger, who ran PGP and now is running a major effort to spread encryption to the world, Nok Nok Labs. He told me that their results “weren’t surprising, given that they were testing technology that has its roots in the 1980s. The problem is balancing ease of use with key management, and products need to focus on solving both issues if they are going to succeed in the marketplace.” While not singling out Mailvelope specifically, the history of email encryption is filled with other efforts that have failed because of these fundamental flaws.
I will admit that PGP, in whatever vintage (the current version that I have used is v10), isn’t the easiest software to use. Since it was sold to Symantec, it has fallen into disuse and there are a lot of other tools out there that are better alternatives. I was a bit surprised at all the vitriol directed at Mailvelope by the BYU students: I gave it a brief spin and it seemed to work reasonably well. Perhaps I would have chosen Virtru (pictured above) or some other tool, but the BYU team was looking for a product that was highly rated by the Electronic Frontier Foundation in their email scorecard posted here.
While there are some issues with what EFF is trying to do, overall I like their scorecard. A big plus is that it shows the multi-layered world of how to protect your communications. Thanks to Ed Snowden, we are more sensitive to how we manage our encryption key infrastructure, and also understand the difference between encrypting the actual message data – the message body and attachments – versus the metadata contained in each message, such as subject lines and recipient names. As I wrote this summer, “encryption has finally come of age, and is appealing to those beyond the tinfoil-hat set.”
Certainly, we still have a long way to go before encryption will become the default mechanism for email communications. But today’s tools are certainly good enough for general use, even by the average undergraduate.
Whether you think Ed Snowden is a patriot or a traitor or somewhere in between, it certainly has been an interesting couple of years in the secure email business. It is a continued series of ironies, starting with the fact that Snowden had trouble convincing his chosen scribes to make use of encrypted email technology itself to transmit his documents. As I wrote about earlier this year, since Snowden’s revelations, more people have been motivated to employ encryption than ever before.
Ironically, it seems that the type of encryption that you use can make you a target of the spy agencies, who can scoop up your transmissions and figure out your origins. As Bruce Schneier said in a post last year, “There’s nothing that screams “hack me” more than using specially designed al Qaeda encryption software.”
That is a scary thought. But I don’t want to debate this here; instead I wanted to take a closer look at both new and older email encryption technologies and how much they actually protect your communications.
I took this two-year mark of Snowden’s unintended flight to Russia to write this review of seven different products for Network World. They include Hushmail, ProtonMail, Datamotion SecureMail, HP’s Voltage SecureMail, Tutanota, Virtru and AppRiver. Using one of them will certainly be better than not using any encryption, even if it raises your profile with certain three-lettered agencies. Tutanota’s Outlook plug-in is pictured above.
You can read my full review here.
Voltage Security has a secure email client for both iOS and Android devices that mimic the same user interface of the device’s email apps. It is easy for IT to manage and scale without a lot of hassle for email message storage and key management. It is easy for business users to adopt without cumbersome certificates and web links.
Requires iOS v 5.1 or Android
Price: Free to download, requires Voltage SecureMail platform
A fairly sophisticated messaging server that has wide-ranging policy management for data leak protection, message encryption, email sender reputation, and message routing purposes.
Price: Less than $13 per user, with a minimum of 1000 users.
- Very complex message routing processes can be constructed for a wide variety of purposes
- Compliance and governance can be built into messaging infrastructure
- Sendmail is a leading email server software and supports a large number of third-party applications
- Still some integration into a single Web server for management purposes
- Policies can be fairly complex and require careful debugging
Version 4.0 was tested on a small network in August 2009.
6475 Christie Ave., Suite 350
Emeryville, CA 94608
McAfee/Secure Computing’s Secure Mail email security appliance combines several different but complementary protection technologies for both inbound and outbound emails in one easy-to-setup box. While lots of vendors have anti-spam products, Secure Mail offers a superior way to stay ahead of the constantly changing and increasingly sophisticated spammers, and the company guarantees it can block 99% of unwanted inbound emails. It also has a wide range of outbound protective features that can help corporations be in compliance with various reporting rules such as SoX and PCI.
Product category: Email security appliance
Pricing: Base unit starts at $1,995, plus an additional $13.00 per user/year, lower for multi-year contracts and for more than 500 user networks. There are more powerful and costly appliances for larger networks.
We tested the S10 appliance, which is the smallest and least expensive unit, running software version 6.7 on a small network in September 2008.
Secure Computing www.securecomputing.com 1-800-379-4944
55 Almaden Boulevard, Suite 500, San Jose, CA 95113
• Dashboard shows you status at-a-glance
• Almost all critical features managed by a Web browser
• Combines inbound and outbound email protection with global intelligence features of TrustedSource.org
• Changing startup configuration values once you complete the wizard can be tricky, because the right input screens are hard to find
• Reports can be difficult to interpret
We tested VSN on a Windows XP machine running Outlook Express v6 in September 2008, using a pre-configured version of the software supplied by Voltage. This is how a typical customer would use the software.
Summary: VSN is a plug-in for Outlook/Outlook Express that makes sending and receiving encrypted emails literally a snap. There is a Web portal for users outside the enterprise, and a secure file transfer application add-on to Windows Explorer as well.
Advantages: VSN is extremely easy to use once set up.
Enterprises should consider VSN if they are looking for more control over things like user experience, which help desk number to call, control over cryptographic elements like root certificates, and integration with other systems like Blackberry Enterprise Server. Also, if they are looking to off-load managing third-party authentication and providing help desk support, then VSN should be on their radar.
Disadvantages: You will probably need to coordinate the installation among several different IT departments. The online documentation is somewhat confusing.
Voltage Security Inc. 4005 Miranda Avenue #210, Palo Alto, CA 94304 (650) 543-1280, http://voltage.com/products/vsn.htm
Windows only, works with Outlook (2000-2007), Outlook Express and Vista Mail applications
Price: $65 per seat per year, includes both secure email and secure file transfer
PGP the product has had a long and interesting past. It began as a piece of shareware written by Phil Zimmermann in the early 1990s called Pretty Good Privacy, a DOS-based command-line encryption utility that was used by uber-hackers to keep their emails from prying eyes and keyboards. Back then the Internet was young, the Web was still to come, and to make matters worse, the US Government quickly banned the nascent software utility, claiming that email encryption was a national security threat.
Well, eventually the government came to its senses and PGP became the gold standard for keeping emails private. A software company grew around the utility and became successful enough that the conglomerate called Network Associates bought PGP in 1997. After several releases, including support for Windows and Unix, a group of investors was formed in 2002 and purchased the assets and intellectual property back from Network Associates (which is now called McAfee) to have a successful life as PGP Corp. (Note: PGP is now a part of Symantec.)
The company is run by Phil Dunkelberger, who was at the helm in the days before the Network Associates era in the mid 1990s. The president and CEO is a soft-spoken but very intense man who is very focused on the task at hand, making PGP into the best encryption software provider bar none. Dunkelberger has a long heritage with his technology chops, going back to Xerox’s Palo Alto Research Labs in the late 1970s when they introduced the Star workstation, the precursor of the modern PC. He runs both Mac and Windows PCs today. We caught up with him recently in San Francisco, where he spoke to us about how the company was formed, where it is going, and how its channel and products have evolved.
Q. How easy was it to take PGP’s assets out of Network Associates (NAI)?
A: It was actually fairly easy for us. NAI had told the world that they were going to discontinue innovating PGP and that they weren’t going to support the products. So the end of life notice was already given when we picked up the assets from NAI.
I have seen more and more resurrected companies since we did our deal. There are a number of small and big opportunities and the traditional venture mode is changing. You can get a head start by acquiring these assets. My advice to entrepreneurs is, instead of building it yourself to begin with, look for proven, standards-based technology or a vertical market, and then pursue this, because in our case it certainly gave us a running start.
Building a real business these days requires a lot deeper and broader set of skills than what was required five or seven years ago: your management team has to be deeper, your VCs have to be more patient. People aren’t as quick to bet on innovative companies these days. If you are an entrepreneur, I would recommend that you buy an existing customer base.
Q: Do you ever use a public kiosk or public wifi network to get your own email?
A: I am pretty good about using our own security products. I don’t ever roam freely around those networks without any protection, and there are certain things that I won’t do on a public network. And if you are in a hotel in Europe if you aren’t protected you will likely get some form of malware on your machine from their networks.
Most of the time when I travel I use T-Mobile’s service, although I have used many others. On a recent trip to Europe I was on Vodafone’s network at the Munich airport and Swisscom in Switzerland. I also use our own products extensively, including our own disk encryption and firewalls. Although right now I am testing Symantec’s Norton desktop firewall and several VPN clients as part of our internal quality assurance tests. All of us, and especially the executives at PGP, run a lot of different things to test our software against. It was a lucky thing that I had more than one VPN client installed, as one worked on the Lufthansa flight back from Europe and one didn’t. That was very fortuitous.
Q: How important to you personally is hard disk encryption?
A: I have had my laptop taken away from me briefly at airports for security screenings, and have the screeners pick it off the belt where I can’t see it, and that motivates me to make sure that everything on it is encrypted. Our product really is a godsend, and all my files on my laptop are encrypted. These days securing your data and not just encapsulation of the pipe is becoming more and more important, and an absolute business requirement.
Q: How does a corporation get started on setting up email security policy options?
A: We have seen this happen in a variety of different ways: channel, reach, compliance and remediation, and industry-specific situations. First, it helps by having a robust channel with some focus on vertical markets where a company is under some kind of compliance and has some kind of external force pushing them to encrypt and protect their email traffic. Second, we have also seen many small businesses that are in business servicing someone big, and that big company mandates their suppliers and customers send email using PGP. We have a large auto manufacturer in Germany that has 5,000 suppliers and that mandated all of those small businesses to send email with PGP. Both are easier entries than just going in there cold and trying to get people to realize that file attachments are an issue.
As we look at the overall trends in business, there is more awareness about security in general and encryption. For example, in California there are small real estate companies and banks that are very aware of what they have to do to secure their data.
Q: You got your start with selling command-line encryption tools. How is that market doing?
A: We re-introduced the command line encryption products the middle of last year, and the business has grown 100% a quarter for the past three quarters. It has been a very pleasant surprise. We have had days where people order $50,000 off our Web site with their own credit cards. We have everything from a large aircraft manufacturer that takes all of the manuals to banks on Wall Street using the command line product. Some of our customers are encrypting their backup files and then storing them on tapes.
Q: Who of the surviving email security vendors is your competition these days?
A: We usually have two kinds of competitors now. First are the PKI infrastructure vendors, including Microsoft, Entrust, Cisco, Juniper, Aventail and those kinds of solutions. We usually win based on usability and reliability. Then we also have traditional email vendors that are selling into particular vertical markets such as Tumbleweed and Sigaba, and we win when the solution involves more than just selling email as part of the entire solution. We tend to be a suite vendor rather than selling a single product.
Q: Your PGP Universal product is supposedly very easy to deploy. Can you give me an example?
A: Universal is ready to run on a number of platforms, you just add hardware, and it works. Our biggest solution to date was with one of the top pharmaceutical firms and we had it running in less than 30 days for over 70,000 users. One of the very valuable features of the product is something we call “learn mode” which means the product just observes the traffic but doesn’t interfere with the mail stream and is very useful to help our installers as they tune the system to a particular customer’s needs.
Q: What do you think of the Microsoft/Groove announcement?
A: I think this validates the whole idea of peer-to-peer security that we have been talking about for many years and we welcome what they are doing.
Q: Tell me more about how you have developed your channel program and how it evolved.
A: We have three tiers of resellers. The top tier has the same training that our own system engineers have, and have to be able to install all the products and understand their interaction with our various partner products as well. The next tier has specific service contracts typically for larger corporate customers and they only need to know a couple of our products. The last tier are not very solutions oriented, just sell in quantity one to five units, typically only deal with our desktop products and specialize with one or two products and not sell enterprise-level products.
Our channel has evolved over the past several years. We now have 300 resellers in 91 countries and have added 30,000 new customers in the less than three years since we began our company and taken it out of NAI. In fact, our sales now are better than any of the years when we were part of NAI.
When I was in charge of sales at Symantec, we found that you couldn’t rely on the channels to create demand for new products like PGP Universal. The channel makes money on support, service, hardware management, off-site monitoring and so forth. But we had to go out and find the market segment, recruit the resellers, and do things like build hands-on labs to train our VARs and find other partnerships that would work for us.
For example we just put on a four-day training session in Singapore, for our local partners. We get everyone involved in installing the software and understanding how the products work in a very hands-on session.
But we also established a series of technology partnerships with vendors that have major email solutions such as IronPort, SendMail and MailFrontier. These vendors all offer things like anti-spam and content filtering solutions. First they wanted to cross-train their sales teams to resell our products and as they gained experience with PGP they became OEMs and wanted to bundle their software with ours on a single box. Now they are an active channel for us and we have consolidated reporting. They sell a single solution and everyone gets a better margin and the customer gets one vendor to buy all of it from and fewer vendors to deal with for front line support.
Q: So any final thoughts?
A: We have become successful because of several things. First, encryption is just becoming a standard feature for more and more people. It operates down at the transport layer and is just like a network dial tone, what I call “encryption tone” these days. Second, we got a great start by being established and not having to recreate everything from scratch when we came out of NAI. Third, it helps that we are an open standards vendor and we publish our source code. We wish more companies would publish their code as well. Finally, we have a very good product road map and we spend a lot of time listening to our customers, asking them what they want in the next two versions of the products and so forth.