It’s absurd that, in 2012, sensitive information is still regularly shuttled around via the unencrypted, MITM-vulnerable, often-intercepted protocol we all know as “email.”

Connections to websites are commonly secured via HTTPS, which Just Works™ for end users. Unlike HTTPS, email encryption:

- Seems to come in multiple flavors: PGP/GPG and S/MIME.

- Does not have a universal, automatic discovery mechanism.

- Is *never* used for communication from even high-risk institutions like banks

- Is difficult for end users to “opt into”

- Has less than universal client support

What can be done to change this shameful status quo?

How might webmail work?

- If you trust the webmail provider, it can handle your keys for you and present your mail in decrypted form. Since the last leg is HTTPS, this isn’t a big deal. It’s maximum convenience, although your email can be intercepted at the provider level. You could choose whether IMAP/POP access would be pre-decrypted or not. Couldn’t Gmail, Hotmail, and Yahoo roll this out tomorrow, transparently?

- If you do not trust the webmail provider, there are browser extensions that can use local keys to encrypt and decrypt mail, client-side.

Current popular implementation of email are on free servers provided by the likes of GMail, Yahoo and Microsoft. They want to monitor your data for adverts and security purposes. That means they don't want you to use PGP. Also, they prefer you to use their web apps, which is what most people do. Anyone else using POP3 can encrypt data themselves before sending it. Large scale implementation won't happen till we start paying for our email.

In Steve Anderson book "Free" he explains why Gmail is free and how hard it will now be to "charge" for email. That is a almost impossible hurdle for people today. My own son complains that (pre-iOS6) he had to pay for (99 cents +12 dollars a year) for Navigation on his iPhone. The trick is that if I encrypt my email how does the guy I sending un-encrypt it? There is a company called cryptoheaven.com that has secure email but it's overly expensive I think (I may be effected by free stuff as well)

When I think about who would want to encrypt their email I get stuck at governments/corporates/criminals.

It's just not on the mind of your average Internet user, which suggests it will never take off - it's just not important.

Thinking about the groups who are interested in encrypting their email.....

These groups are already paying for their email. It is a cost of doing business and factored in to their operations and cost/pricing structures.

There's a whole other conversation to be had about how to make encrypted inter company communications secure - because believe me it's really needed.

Well, that’s depressing, Ian.

Yeah. Sorry about that.

It suggests a world where increasingly email is something for providers (G', Y' , FB' etc) to plunder for their own financial gains. And all the while we'll keep feeding that machine because we're lazy and too few people care.

Matt, I think you mean Chris Anderson. I'm reading that book right now and it's interesting!
What matters in this case is not just that they're giving away email for free. What matters is that people are not asking about it. Everyone is thinking that it's a fair tradeoff to give Google their personal information in exchange for an amazing free email service. The erstwhile paid provider - Microsoft, has shown the world that paid, Enterprise based services pretty much fail every other day. That's why SalesForce and Box.net are making great services but are aiming for the corporate sector. They know that "Free" is already ruling in the common masses and they don't want to pay for services.

Common people don't understand the need for secure emails etc. That's what the governments and Google exploit. The only other way? Cory Doctorow points out in his book "Little Brother" that if we encrypt everything, those who really need encryption will be hidden amongst those who don't. Otherwise, it's very easy to point out those who're using encryption out of the crowd. That's what we really need to do - Encrypt everything, from out thank you emails to our secret text messages. This is not for paranoia, this is to ensure that privacy remains true for everyone.

Nitin yes "Chris" doing it from memory

I pay for Evernote at $45 dollars a year
I pay about that much for a secure email service.

Matt, you're paying for secure email at your end. How is it secure at the other end? Are you encrypting it with PGP? Can you explain the setup?

Somewhat relevant: Here’s a proposal to basically replace passwords with email. It would be a good idea if email were the least bit secure! nopassword.alexsmolen.com

Alan... Saw that... I can't believe that such a proposal might be drawn ever. No system is trivial enough to not warrant a password for security. The assumption that your email is secure and you don't care about certain websites being compromised shows the lack of real-world thinking the author is doing. It's a great idea, theoretically.

All, Here's an update. A Google Chrome extension now supports PGP with Gmail...