
LangaLetter

July 14, 1999

Are E-mail Digital Certificates And Encryption Worth The Bother?


Bio
Fred Langa is a senior consulting editor and columnist for Windows Magazine. Fred's free weekly newsletter is available via subscribe@langa.com. You can contact him at fred@langa.com or via his website at http://www.langa.com.
By Fred Langa

How many digitally signed or encrypted E-mails do you get in a day?

I'm probably not typical because I get somewhere around 800 E-mail messages a day (thank goodness for autoresponders!). But consider the percentage: of those 800-some E-mails, only a dozen or so are digitally signed. I can't ever recall having gotten an encrypted message, and I've been using E-mail since around 1980.

It's surprising because it's ridiculously easy to spoof E-mail. At the simplest level, many users are unaware how easy it is to alter the "From" and "Reply To" fields in E-mail. It's child's play to send someone an E-mail that will look (to a casual or inexperienced eye) like a message from, say, a boss, a co-worker, or a spouse. The potential for mischief or outright fraud is enormous.

It's not a lot harder to hack many mail servers: Spammers do it all the time, and the "warez" boards are full of tools that will help a hacker find poorly guarded mail servers they can exploit.

But it is also very easy to use digital certificates or simple encryption to validate messages or protect them from prying eyes. For example, Netscape Messenger and Microsoft's Outlook and Outlook Express all support the S/MIME (Secure Multipurpose Internet Mail Extensions) standard, and all can use digital certificates to verify the identity of E-mail senders and receivers and to help keep the mail contents private.

(Check the "Help" files of your E-mail client for more information. Or for Netscape digital-signing information, see http://home.netscape.com/security/basics/email.html. For Microsoft digital-signing info, see http://support.microsoft.com/support/kb/articles/q168/7/26.asp.)

Netscape and Microsoft also make it easy to obtain a basic digital certificate, and the benefits of getting one are enormous: A digital certificate can eliminate the need for multiple passwords on various Web sites; it helps you really know who you're talking to or hearing from; and it makes sending encrypted E-mail a snap.
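The signing side of what S/MIME does, as an added example that is not part of the column: a constructed shell session using the openssl command-line tool (assumed to be installed) signs a message, verifies it, and then shows that a tampered body and a spoofer's self-signed certificate carrying the same address both fail verification. The addresses and certificate names are made up.

```shell
#!/bin/sh
# Constructed S/MIME demonstration (an added example, not the column's own
# material). Needs the openssl command-line tool. A self-signed certificate
# stands in for a CA-issued "Class 1" certificate; all names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a key pair and self-signed certificate: $1 = file basename, $2 = address.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Clear-sign a short message (multipart/signed): $1 = key/cert basename, $2 = output.
# The From header is chosen by the sender, so a spoofer can put anyone's address there.
sign_message() {
  printf 'Please pay invoice 42 today.\n' > "$WORK/body.txt"
  openssl smime -sign -in "$WORK/body.txt" -out "$2" -text \
    -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -from alice@example.com -to bob@example.com -subject Invoice
}

# Verify a signed message against the certificate the recipient trusts.
# Exit status 0 means the signature and the trust chain both check out.
verify_message() {
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# Run the three cases and record the outcome in RESULT (also printed).
run_demo() {
  make_cert alice alice@example.com
  sign_message alice "$WORK/signed.eml"
  if verify_message "$WORK/signed.eml" "$WORK/alice.crt"; then G=ok; else G=bad; fi

  # Edit the clear-text body after signing: the signed digest no longer matches.
  sed 's/invoice 42/invoice 4200/' "$WORK/signed.eml" > "$WORK/tampered.eml"
  if verify_message "$WORK/tampered.eml" "$WORK/alice.crt"; then T=ok; else T=bad; fi

  # A second, self-signed certificate carrying alice's address does not chain to
  # anything Bob trusts, so a message signed with it is rejected despite the From line.
  make_cert mallory alice@example.com
  sign_message mallory "$WORK/spoofed.eml"
  if verify_message "$WORK/spoofed.eml" "$WORK/alice.crt"; then S=ok; else S=bad; fi

  RESULT="genuine=$G tampered=$T spoofed=$S"
  echo "$RESULT"
}
```

Calling run_demo prints the three outcomes; only the untampered message signed under the trusted certificate verifies.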

So, why don't more people use certificates and encryption? I have several theories:

Cost. These days, you can get a browser for free. You can get an E-mail client for free. Heck, you can get an entire PC, including an OS and applications, for "free" (if you sign up with the right ISP). But you can't get a digital certificate for free. The most popular certificate vendor, VeriSign, charges $10 per year for a very low-end "Class 1" certificate--and all that really does is prove that you have a valid E-mail address. (VeriSign offers more secure certificates for E-commerce and developers, but they cost much more. A Java-Signing Certificate, for example, costs $400 per year.)

Hassle. E-mail has become the lingua franca of business because it's so fast and easy. Appending a certificate and encrypting your messages takes extra steps, extra clicks, extra thought, and extra time.

Cost. Did I mention that, unlike almost everything else these days, certificates aren't free?

Ignorance. Many users understand the need to know who's sending them programs and attachments, but few worry about the source of basic E-mail--perhaps because they don't know how easy it is to fake an E-mail address.

And did I mention cost? Here's an opportunity for some browser or E-mail client vendor--perhaps AOL/Netscape?--to make some major headway: Subsidize free Class 1 certificates for users. At a stroke, this would elevate the product (the one with the free certificate) above the competition. It would increase public awareness about certificates and would start generating thousands or even millions of new certificate users, which would help encourage others to get and use certificates, too. And it would help make the Net a safer place.

Any takers? Do you or your business use digital certificates or encryption for E-mail? Why or why not? Would you use one if it were free and part of your basic E-mail application? What do you think it will take to foster general acceptance and use of digital certificates? Join in!