When it comes to secure e-mail, beware of George Ou's reality distortion field

Yesterday, I posted a blog about how secure e-mail simply doesn't exist.  It was an extension of another discussion regarding password recovery schemes that result in the transmission of your password (back to you) in clear text over insecure networks.

In a post headlined "E-Mail security has been around forever, you just need to turn it on", my colleague George Ou wrote:

Berlind is reeling over his incorrect perception that the Internet still lacks secure email.  The problem is that he’s got it all wrong and the solution has been under his nose all this time and it really isn’t the non-interoperable nightmare he paints it to be.

I commented directly on his blog, but I also feel it's necessary to understand why you should avoid the reality distortion field Ou has erected.  Here are some bullet points as to why e-mail security is a myth and how George even proves that point.

  • George wrote in his headline that all you have to do is turn it on.  He offers some good advice for how to do this through Gmail, as though Gmail is representative of every e-mail service on the Web.  But in the very same paragraph, he says Microsoft's Hotmail doesn't offer payload encryption.  In other words, George couldn't get past two popular e-mail services (never mind the thousands of others) without also pointing out that they handle security differently (I read this to be non-interoperable).  So, going back to the YOU part of the headline, I asked George in the comments area to show me how to turn on payload encryption for all of Hotmail. The point is that until everybody secures e-mail and does it the same interoperable way, ubiquitous standard secure e-mail is a pipe dream.
  • Also referring to the YOU part, and going back to the genesis of the discussion: George, please show me how to reach into the infrastructures of other entities that are sending me sensitive information via e-mail and turn on their security features. You see, it's not as simple as turning something on on my end.  Everybody has to turn it on on their ends as well, and they have to do it in the same way. As long as that's the case and almost nobody is doing it, secure e-mail is once again a pipe dream.
  • George offers advice for how to go out and get a digital certificate for the purposes of digitally signing e-mail. This is in answer to the very real scenario encountered in businesses every day where Party X sends a Word document as an attachment to Party Y for Party Y's signature.  Party Y must print that document out, physically sign it, and send it back to Party X via snail mail or fax (can you say "friction"). It's 2007 and this Draconian approach to signature exchanges is insane. My position on this is that returning a signed document to Party X should be as simple as what Party X had to go through to send Party Y the document in the first place.  But it's not. George thinks he's got the solution by applying a digital signature to the e-mail itself. In other words, Party Y replies to Party X with the same attachment (by the way, the only way to do this in e-mail is with the "Forward" command since "Reply" drops the attachment) and applies a digital signature to the e-mail and not the attachment. Although he's not a lawyer, he says his approach should be legally sound. It sounds good in theory.  But this is like saying all "I" have to do is turn something on (never mind what everyone else has to do).  Sure, all I have to do is go out and get a digital certificate (the sort of friction that kills the idea already), apply it to a FORWARDED e-mail (more friction -- how many people know this failing of e-mail) and send it off. Only there's one problem.  What if the person or business I'm sending it to is one of the majority of entities that would never accept my digitally signed e-mail as a signed version of the original document?  What if they're one of the millions of businesses and law firms that keep hard copies of all signed documents in a filing cabinet where they require an actual signature on the dotted line?
  • OK George, never mind any of what I just said. As long as you picked Gmail as the poster child for how everything can work, please show me how, through the same HTTPS Web interface you cited, I can apply that easily acquired digital signature to an e-mail. Or, is that something else I can "turn on" as you say? Perhaps this post under the ABC's of Gmail where CamargoBP writes (as a part of this thread) "Will gmail support digital signing anytime soon? Yahoo mail does and I don't see why gmail can't.....I receive messages that I can't read without my Apple Mail client because the message is signed and encrypted." In George's reality distortion field, CamargoBP is clearly an idiot since s/he's not turning something on.
  • George refers to S/MIME as part of the solution.  This is pure fiction. S/MIME may indeed be a standard but have you ever seen how S/MIME-formatted e-mail arrives in certain e-mail clients? That is by no means standard.  Don't take my word for it. The first sentence in the "Obstacles to deploying S/MIME in practice" section of the Wikipedia entry for S/MIME says "Not all e-mail software handles S/MIME, resulting in a "smime.p7m" attachment that often confuses people." In George Ou's reality distortion field, those people are probably idiots too since everyone should know what to do with a smime.p7m attachment.  By the way, that Wikipedia entry goes on to talk about a bunch of other obstacles and caveats that make it clear that S/MIME is not the panacea George makes it out to be.

I could go on.  But you only need one of the above bullet points to bring down George's house of cards, let alone five or more.  It's not as simple as just turning something on.  If it were, we'd probably have secure e-mail by now.  But we don't and it's hard to know if we ever will.
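
The smime.p7m confusion described in the S/MIME bullet comes from the two wire formats S/MIME uses: a clear-signed message (multipart/signed) keeps its text readable in any client, while an opaque or encrypted one (application/pkcs7-mime) is a single blob. The Python sketch below is an added example, not part of the original post; it classifies a message the way a client without S/MIME support would experience it, and the sample messages, addresses and placeholder payloads are constructed for illustration.

```python
from email import message_from_string, policy

PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def classify(raw):
    """Return (kind, text shown without S/MIME support, attachment name)."""
    msg = message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.is_multipart():
        parts = msg.get_payload()
        proto = (msg.get_param("protocol") or "").lower()
        if proto in PKCS7_SIG and len(parts) == 2:
            # Part 0 is the signed content in the clear; part 1 is the signature.
            text = parts[0].get_body(preferencelist=("plain",))
            shown = text.get_content().strip() if text else None
            return ("clear-signed", shown, parts[1].get_filename())
    if ctype in PKCS7_MIME:
        # One CMS blob: nothing to render except the attachment itself.
        smime_type = (msg.get_param("smime-type") or "").lower()
        kinds = {"signed-data": "opaque-signed", "enveloped-data": "encrypted"}
        return (kinds.get(smime_type, "pkcs7-unknown"), None, msg.get_filename())
    body = msg.get_body(preferencelist=("plain",))
    return ("none", body.get_content().strip() if body else None, None)

# Constructed sample messages; the base64 payloads are placeholders, not CMS.
HEAD = "From: y@example.org\nTo: x@example.org\nMIME-Version: 1.0\n"
CLEAR_SIGNED = HEAD + """\
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain; charset=us-ascii

Signed contract attached.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"

UExBQ0VIT0xERVI=
--sig--
"""
OPAQUE = HEAD + """\
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

UExBQ0VIT0xERVI=
"""

if __name__ == "__main__":
    print(classify(CLEAR_SIGNED), classify(OPAQUE))
```

For a mail gateway or help desk, the useful signal is the third field: a bare smime.p7m with no readable text is what a recipient on a non-S/MIME client will see.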

Talkback

46 comments
  • some right some wrong

    Most email on the net is passed in clear text; the email system was never really intended to be a private form of communication like snail mail is. There are tools out there for you to encrypt your messages, but the receiving end will have to have your key to open it. What George is talking about is encryption from your computer to your email provider's servers. The email passes in clear text before it reached the email provider's servers. This is much easier to accomplish with corporate email systems that have this functionality built in to encrypt highly confidential emails, but as for regular users that will not be as easy just yet, so make sure you watch what you send over the net.
    OhTheHumanity
  • Is it me...?

    Or does anyone else notice that, more and more lately, it seems that ZDNet bloggers spend more time attacking each other's assertions? Why don't you all settle your differences behind the scenes instead of bickering back and forth online. Then, once you've all got your facts straight, come back with a collaborative "here's what we figured out" type of posting.
    MGP2
    • These are like drive-by shootings

      I've noticed it, too, and sometimes I've even cringed. But then I thought more about it, and I realized that these incidents serve to bring in more readers. And isn't THAT the main purpose of these blogs?
      bmgoodman
      • Ouch

        Yes... the reason we even write anything here is because that's our business model. I write something. We get traffic from some demographic that reads that something. Advertisers looking to reach that demographic pay to put their ads on our pages. It's a classic media model. For the record, we don't write with specific advertisers in mind. There's a great separation of church and state at ZDNet's parent company, CNET Networks. We also don't pander for traffic. If the debate between George and me was some sort of pre-orchestrated plan to use internal controversy as a means for generating traffic, you'd have a point. But it wasn't until earlier this morning that I had any idea that he posted that blog. This has been the case in the past as well. George is often critical of what other bloggers (especially me) write here on ZDNet. And it's OK to have a difference of opinion. The blogosphere is very much about a conversation and so that's pretty much what you're seeing. But to be clear, there's no American Idol thing going here where, by design, the insiders are fighting with each other (or were picked because the producers knew they would) to draw viewership.

        db
        dberlind
        • Sorry, David

          I was not trying to be as cynical as my post may have appeared. I didn't mean to suggest that any sniping was orchestrated. I believe your disagreements and debate are honest. I was more focused on why ZDNet allows these posts, whereas I could never have such public debates with my own coworkers. Basically, you all appear to have a lot of latitude in your public remarks. ZDNet allows it, in my opinion, because it brings more eyeballs.

          Again, my apologies if it sounded like I was questioning your integrity (or any other writers').
          bmgoodman
          • You speak of ZDNet as though it's a person

            ZDNet doesn't allow it. The people who run ZDNet allow it. I'm one of them. The question has never come up in any so-called ZDNet management meetings. There was no conscious decision to allow or disallow it. No discussion ever took place that I know of (and I would have been party to it) whereby we said, let's allow this because it's good for traffic. No discussion ever took place period.

            Not everyone is going to be of like mind. Public discourse, be it between ZDNet bloggers/editors and readers or be it between ZDNet bloggers/editors and ZDNet bloggers/editors is a good thing, in my estimation. It's very transparent. It shows that ZDNet has no single minded agenda. Etc.

            db
            dberlind
        • difference of opinion?

          Wouldn't, as some say, the world be boring if we all agreed on everything? I'm glad to see George and yourself (db) or whoever from ZDNet get involved in the topic.

          Keep up the good work, you two, because you both write some interesting and controversial articles.

          gnu/linux...giving choice to the neX(11)t generation.
          Arm A. Geddon
    • Usually

      it's Ou taking a snipe at one of the other bloggers.
      frgough
      • It's not always George...

        Have you seen the (Ir)rational Rants blog? I think Mitch Ratcliffe would argue with himself if there were no one else around to argue with.
        MGP2
    • And you would be served with only one opinion?

      And you would be served with only one opinion? Maybe some people like hearing both sides of the argument. As much as I disagree with Berlind on this particular issue or his assessment of it, I wouldn't dream of silencing him on it and I think he feels the same way. We feel having a diversity of opinion is healthy because YOU in the end get to hear all sides and make your own decision.
      georgeou
      • My point was...

        I don't think it serves anyone from an informational aspect to keep going back and forth with the he said - he said stuff. Why not step back, figure it out in private, then both come back with an informed conclusion, not an ongoing spat.
        MGP2
    • yes, it's just you

      Nope, often things have two or more sides. I'd like to hear all of them - or at least the two most opposing. I think it's just you and most Republicans :-)
      Prognosticator
  • Why can't we all just get along?! lol

    I guess there's only one right answer, and that person will win (hopefully). Keep the traffic, I mean flame wars going. :-)
    BillyG_n_SC
  • Regarding electronic signatures, I've checked with our Denise Howell

    Regarding electronic signatures, I've checked with our blogger Denise Howell and she referred me to someone else. Electronic signatures are legally acceptable. Electronic signatures don't necessarily have to be digital signatures, but digital signatures are a form of electronic signatures. There are official hashing and signing algorithms defined by the NSA good enough for Government secret and top secret use. http://en.wikipedia.org/wiki/NSA_Suite_B

    So I'm not trying to play a lawyer here, David; this is just basic security knowledge that any CISSP should know.
    georgeou
  • Way to go, Berlind.

    George often doesn't let the details derail his tortured reasoning. He's always right, no matter how wrong he really is.
    Uber Dweeb
  • Time is on the hackers' side.

    Ok, I admit, my secure emails probably are not of a huge interest to anyone but myself and the recipient. However, there are people whose email would be of great interest in the future. (Say a President, Donald Trump, any celebrity, etc.) Why is the future significant?

    Last year the Olympic Committee used new DNA test procedures on old DNA samples from athletes and found they had been using illegal enhancers when they won their medal and then moved to take them back. Point being that what is very hard to do today becomes child's play in a short amount of time with the advance of technology.

    Given the US government is tracking and keeping all emails in the US (Carnivore), it's not much of a stretch to think that in a few years, with much faster computers (quantum computers?) equipped with multiple CPUs, the encrypted emails will be cracked. Bottom line, even the very best of encryption is a short-term stopgap that WILL be cracked in the future. Something many might want to consider before placing anything sensitive in an email.
    No_Ax_to_Grind
  • It takes two to tango

    Email encryption takes two parties to collaborate. You can have the best email encryption product, but if it doesn't provide low barrier facilities for the receiver, it is not going to work.
    There are a number of products in the market that allow for easy email encryption. These products cover not only the sending side (their customer) but also the receiving side (the customers - and other contacts - of their customer). Some of these products use generally accepted standards, which is better than using proprietary algorithms.
    Having such a product, email encryption becomes very easy.
    Xtien
    • You speak as if email encryption is just one thing

      Email cryptography (not just encryption) is multiple things.

      There's Server to Client (which is just a one time checkmark away).

      There's Server to Server cryptography which includes authentication and encryption which is totally transparent to the user since it's between Servers and their administrators.

      There's End to End cryptography which can be a one sided affair if we're only talking about Digital Signatures and receiving encrypted content for the side that has a digital certificate.

      http://blogs.zdnet.com/Ou/?p=635
      georgeou
      • good observation...

        Client, server, cryptography; all very techy and complicated. In the end someone is going to receive an email and it should be incumbent on the sender to ensure the contents are protected, especially if it contains sensitive information. In the real world the senders can be real people using some software, or it can be machine generated for things like notifications, confirmations, statements, etc. So best to keep the discussion in the real world on what people use email for, and the tech is the vehicle.
        loa_online
    • easy is the key

      Hear! Hear! Very low barriers for the recipient. The value is in getting the message, not getting wrapped up with technology. Too many systems require the recipient (the passive party in the communication) to have to install some software, or register for some service. They should just be able to receive the message. Standards typically assure compatibility with the widest range of systems and solutions out there. Google Echoworx for such a product.
      loa_online