2005-01-06 News and Commentary



Secret Messages

By Dirk J. Hedlund
Originally Posted January 6, 2005

    People often ask me about the security of their email.  They want to know the answers to questions like, "Is it safe to send sensitive information via email?"  Well, like most everything having to do with computers, the answer is, "It depends."  But for most people, the simple answer is NO.

    Most of the time, people are sending messages that have no protection whatsoever.  Email, by design, can pass from one system to another, until it finally reaches its destination.  The messages can be copied and read by anyone with the right tools and a will to do so.  (Think of someone tapping your phone and taping all your conversations.)

    Nobody cares about the message your cousin sent to you with a link to the hamster dance website.  But if you're sending something more sensitive, say personal phone numbers, credit card numbers, billing information, or things of this nature, you should protect yourself.

    Let's consider two forms of email protection, both based on encryption using public keys.  These are PGP and Personal Email Certificates, each with their own strengths and weaknesses.

    But first, a complaint:  The computer industry as a whole is doing a terrible job at bringing either of these two technologies to the masses.  In my opinion, features such as these should be standard in all email clients, and usage should be simple and intuitive.  This isn't the case at all, and it's quite normal to see that only the "tech heads" are commonly using these technologies.

    PGP: PGP stands for Pretty Good Privacy.  You probably have seen "PGP Signed" messages, but may not have known what they were.  A PGP signed message has a header (Begin PGP Signed Message), message content, a signature, and a footer (End PGP Signed Message).  With PGP, you generate two keys, one private, and one public.  You share the public key with as many people as possible, usually uploading it to a "public key server" so others can download it.  Others download your key, and use it to encrypt messages to you.  Only YOUR private key will decrypt those messages, thus ensuring that only you can read them.

    Personal Email Certificates: With Personal Email Certificates, we're talking certificates instead of bare keys, but they do just about the same thing.  You typically generate your own private key and use it to request a public certificate from a provider such as Thawte.  You can use the certificate to sign a message, guaranteeing who it is from and that the contents of the message weren't changed.  You can also use it to encrypt a message, so only you and the intended recipient can read it.
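    As an added illustration (not code from the original article), here are the key-pair mechanics the two paragraphs above describe, written in Go with only the standard library: the sender signs with her private key and encrypts to the recipient's public key; the recipient decrypts with his private key and verifies with the sender's public key.  Alice, Bob and the card message are constructed for the example, and the direct RSA-OAEP use is a simplification of the hybrid scheme real PGP and certificate mail use.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is what crosses the untrusted mail path: ciphertext plus a signature.
type Sealed struct{ Ciphertext, Signature []byte }

// NewDemoKey makes a throwaway 2048-bit key pair (constructed for the example).
func NewDemoKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func digest(m []byte) []byte      { h := sha256.Sum256(m); return h[:] }

// Seal encrypts msg to the recipient's public key and signs the plaintext with the sender's
// key. PGP/S-MIME wrap a random session key this way; direct RSA-OAEP keeps msg under ~190 B.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (Sealed, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return Sealed{}, err
	}
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(msg), nil)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private key, then verifies the claimed sender's signature.
func Open(s Sealed, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, s.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err) // wrong private key or altered ciphertext
	}
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(msg), s.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature: %w", err) // wrong sender key or altered text
	}
	return msg, nil
}

func main() {
	alice, bob := NewDemoKey(), NewDemoKey() // constructed demo identities
	s, _ := Seal([]byte("card ends in 4242"), alice, &bob.PublicKey)
	got, err := Open(s, bob, &alice.PublicKey)
	fmt.Printf("%s (err=%v)\n", got, err)
}
```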

    Both PGP and Personal Email Certificates are supported by a lot of email clients, such as Outlook and Outlook Express.  Not all clients support them, though, and you may have to pay to unlock some integration features in the PGP program.  Both systems can be used to digitally sign and encrypt messages.

    Another drawback of Personal Email Certificates affects people using webmail, including Yahoo, Hotmail, and Outlook Web Access users.  These people don't have a way to automatically decrypt messages.  They won't be able to read encrypted messages, and they won't be able to read messages that are digitally signed, unless they're also signed in "clear-text".  Since PGP works differently, PGP users can use webmail to read and send digitally signed or encrypted messages.

    I personally prefer using Personal Email Certificates, although I do admit to some advantages to PGP.  The biggest problem I see with both is the lack of widespread adoption.  Put simply, not enough people are using them.  I can digitally sign all my messages, but I know only a handful of people that know what to do with them.

    On a side note, Thawte offers FREE Personal Email Certificates.  They also run something called a "Web of Trust", of which I am proud to be a Notary.  The "Web of Trust" allows you to verify your identity, and not just your email address.  In this way, you can see that a message is not only from a specific email address, but also from a specific name.  As a WOT Notary, I will inspect your ID papers, and make assertions that you are who you say you are.

    PGP does something similar.  You can have other PGP users "sign" your public key.  They do this generally after meeting you in person.  The thought is, the more signatures you have on your key, the more "trusted" it should be.  As a PGP user, I would be happy to sign your key, once I validate it.
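    An added worked example (not from the article) of the "more signatures, more trust" idea, in Go: a simplified version of GnuPG's classic trust model, where a key is accepted if it is signed by one fully trusted key or by three marginally trusted keys (GnuPG's default thresholds), counting only signers whose own keys are already accepted.  The keyring names and the trust assigned to each person are constructed.

```go
package main

import "fmt"

type Trust int // owner trust you assign to a key holder as an introducer of other keys
const (Unknown Trust = iota; Marginal; Full; Ultimate) // Ultimate is your own key
// GnuPG's classic-model defaults: 1 fully or 3 marginally trusted signers validate a key; chains end at depth 5.
const completesNeeded, marginalsNeeded, maxDepth = 1, 3, 5
// Web is a keyring: who signed each key, and the owner trust you assigned to each key.
type Web struct {
	Sigs  map[string][]string
	Trust map[string]Trust
}

// Valid reports whether key is trusted to belong to its named owner. Only signers that are
// themselves valid count, and self-signatures never do; depth starts at 0 and bounds cycles.
func (w Web) Valid(key string, depth int) bool {
	if w.Trust[key] == Ultimate || depth >= maxDepth {
		return w.Trust[key] == Ultimate
	}
	full, marginal := 0, 0
	for _, s := range w.Sigs[key] {
		if s == key || !w.Valid(s, depth+1) {
			continue
		}
		if t := w.Trust[s]; t >= Full {
			full++
		} else if t == Marginal {
			marginal++
		}
	}
	return full >= completesNeeded || marginal >= marginalsNeeded
}

// DemoWeb is a constructed keyring with placeholder names; "dirk" is you.
func DemoWeb() Web {
	return Web{
		Trust: map[string]Trust{"dirk": Ultimate, "alice": Full, "bob": Marginal, "carol": Marginal, "frank": Marginal},
		Sigs: map[string][]string{
			"alice": {"dirk"}, "bob": {"dirk"}, "carol": {"dirk"}, "frank": {"dirk"},
			"dave": {"alice"},                 // one fully trusted signer: valid
			"eve":  {"bob", "carol", "frank"}, // three marginal signers: valid
			"gina": {"bob", "carol"},          // only two marginals: not valid
			"hank": {"eve"},                   // eve is valid, but you gave her no owner trust: not valid
		}}
}

func main() {
	fmt.Println("eve valid:", DemoWeb().Valid("eve", 0), "gina valid:", DemoWeb().Valid("gina", 0))
}
```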

    My public PGP key is posted here.  If you would like a copy of my public email certificate, please request it.


PGP® and the PGP logo are trademarks or registered trademarks of PGP Corporation in the United States and other countries.

    Dirk Hedlund is a computer consultant with Klatt & Associates, CPA, PC.  He can be reached at dirk.hedlund@klatt-assoc.com, or by calling (515) 232-5642.



Copyright ©2003-2006 by Klatt & Associates CPA PC. All rights reserved.
