Saturday, February 09, 2008

Encryption Would Be Easy... If We Let It

Whenever something sensitive comes around my desk on a slip of paper I can't help but think about how much more accessible and secure the info would be if it were passed around using public key cryptography. After all, it has been seventeen years since the more than capable crypto advocate Phil Zimmermann made the case with PGP. Surely by now all e-mail clients can securely pass info back and forth using some asymmetric key algorithm, right? Right?

Well, yes... unless you're freakin' Outlook. And of course what do 9/10 enterprises mandate you use? Outlook. Fantastic.

Now I've been able to sail under the radar with Evolution, which sports both excellent WebDAV support and public key encryption. I've got the best of both worlds in Linux. However the rest of my correspondents aren't so lucky - they need to use a Windows e-mail client that can book conference rooms and schedule appointments in Microsoft Exchange. So... stuck with some variant of Outlook.

About a year ago I went out on a quest to find an interoperable public key encryption plugin for Outlook. I tried several clients... and all failed. I went out looking again and the playing field hasn't changed a bit.

First you might notice that there were several Outlook plugins originally vying for PGP/GPG abilities, but they have largely atrophied or merged. OutlGPG became GpgOL from g10, but executable distribution was moved to Gpg4win, meaning that GPG distribution became the single player. The only other option would be G DATA's GnuPG-Plugin, but aside from being over five years old it was never that great. And Gpg4win wasn't much better - it too could only do plaintext, and even then as an attachment.

All Linux and Windows mail clients that have some remote sanity use MIME to encode their encrypted payload, and yet Gpg4win (from what I've been able to find) refuses to do so. At best I get an attachment which I need to decrypt separately.

Now look at Thunderbird, KMail or Evolution. All can encrypt and decrypt inline, natively, within the mail browser. And it works seamlessly without any additional windows or superfluous UI components. This isn't rocket surgery.

Until someone out there makes an interoperable GPG plugin for Outlook 2003 that works with OpenPGP MIME compatible messages, no one will adopt public key encryption.

Maybe that's the whole idea.
