My colleague David Berlind just can't seem to stop barking up the wrong tree when it comes to email security. In his latest blog, Berlind accuses me of a "reality distortion field" which really isn't productive. While he has some legitimate complaints - which I've complained about too - Berlind is barking up the wrong tree when he should be joining me in my criticism for those individual companies that don't make it easy for consumers to deploy good security rather than indicting the entire Internet and the protocols that it encompasses. [Update - Awesome and informative response from Ani Shrotri]
David claims there is no interoperable email cryptography standard when in fact we have S/MIME which is baked in to every reputable email client in the last decade. The fact that Berlind can cite a specific email client that doesn't work with S/MIME is proof that that specific email client needs to be shamed; it's not an indictment on S/MIME. If we applied Berlind's "reality field" logic, we can just throw our hands up of every single protocol on the Internet because we can find rare implementation-specific incompatibilities on every protocol used on the Internet. Heck there are implementation-specific issues with SMTP and HTML, would David suggest that it's a reality distortion field to dare suggest that SMTP and HTML are universal standards? Is David Berlind suggesting we come up with a better alternative to S/MIME and start the entire adoption process again when we're already 99% of the way there with S/MIME?
David says that secure email from Server to Client is too hard when in fact it's as easy as a click away. So David's rebuttal to me is: OH MY GOD the user has to do something to turn it on. What next David? Are you going to complain that you have to strap yourself in with your seat belt to save your life in a car accident? As I recall, it took decades to get people to get in the habit of putting on their seat belts and ultimately it didn't happen until we started fining people big money (even bigger for children) for not putting on their seat belts. When it comes to enabling SSL on an email client, it's a ONE TIME SETUP which is even easier than strapping on the seat belt in your car which you have to do every time you get in your car. At least you don't have to enable SSL for your POP/SMTP mail client every time you launch your email applications.
David then points out that even I admitted Hotmail (and Yahoo) didn't support encryption on the entire session while Google Gmail did. But why attack me or the state of technology and call it a reality distortion field? What productive purpose does that serve? Why not join me in criticizing Microsoft and Yahoo? Why not join me in criticizing Google for not automatically redirecting to secure SSL mode so that the remaining 99% of Gmail users can benefit? Why not join me in criticizing ISPs for not disabling insecure POP3, SMTP, and IMAP mode?
The other side of the equation is that user perceptions need to be challenged and we can't just continue perpetuating inaccurate perceptions that security is a "black art" and that it's just too difficult. Furthermore, users bare some of the responsibility for the lack of security because vendors are often punished for mandating security. It's not entirely their fault for shying away from doing the right thing to avoid a beating from certain pundits. Heck it wasn't long ago that Microsoft absolutely got slaughtered in the media for including a Firewall in Windows XP Service Pack 2 and so much FUD was thrown about that issue that many people to this day are afraid to even try Service Pack 2.
David also incorrectly cited the fact that Gmail doesn't support S/MIME. But there is an S/MIME plug-in for Firefox for S/MIME signing. Reading digital signatures on the other hand whether that's a web mail client or a traditional email client doesn't require any action on the part of the end user. David wants a simple solution where he won't have to manually sign documents and buy a fax machine and I've given him the solution. But again he's barking up the wrong tree complaining that the technology doesn't work because the businesses that he deals with won't accept these solutions and complains "oh but they can't print out those digital signatures". But please stop for a moment and think about that statement; why do you even need to print it on paper in the first place when the digital signature is acceptable in court? Since when did the Government mandate that Digital Signatures have to be printable (a technologically impossible feat)?
Think about how retarded it is to require 10 MB digital scans of paper per legal document when a 256 BYTE hash would equally suffice.Berlind’s argument is that Digital Signatures don’t work because you can’t print them out. But this is really a laughable argument even if you ignore the technical reasons. For obvious technical reasons, you can't realistically do Digital Signatures on paper because changing a single white space or capitalization would change the hash. For obvious common sense reasons, there is also no requirement by the Government that Digital Signatures must be accompanied by paper versions because that would defeat the entire purpose of making Electronic Signatures legal in the first place which is to get rid of the cumbersome paper process. The NSA has a whole suite of standards that includes a Digital Signature and Hashing standard that's acceptable for Government use, why shouldn't it be good enough for David Berlind and the companies he deals with? So instead of calling these technologies "black art" and propelling the flat-earther's myths, why don't you join me in saying "there is a better way!". Think about how retarded it is to require 10 MB digital scans of paper per legal document when a 256 BYTE hash would equally suffice.
So the technology is there and I've done everything I can to lead you to the clean water, now you just have to drink it. There is no tooth fairy and there is no magical pixie dust - which is what David Berlind seems to be asking for - but the technology is mature and deployed. So David Berlind should stop complaining about the technology and tell his business partners to get out of the dark ages. Is that going to be an easy transition to educate people and change human behavior? Of course it is but you're not helping the situation by tearing down perfectly good technology.
Comment: A few readers are complaining that it's terrible that we have editors at ZDNet disagreeing with each other and that we should somehow speak with one voice. We view this as a healthy thing that shows the diversity of spirited opinions at ZDNet blogs. We do not "script" these debates out ahead of time. As much as David Berlind and I disagree on this particular topic, we both agree that giving the reader all sides of the debate serves everyone's best interest. These debates extend to the blogosphere outside of ZDNet and the readers are welcome to chime in on the talkback. We don't even censor the talkback (short of adult material and vulgar language) and readers are welcome to criticize any of the bloggers here at ZDNet any way they like. This is simply a testament to the fact that ZDNet respects intellectual freedom.