Welcome to the MacNN Forums.

Spliff · Feb 23, 2005, 06:18 PM

Is there a way to encrypt email messages that doesn't require the recipient to have the encryption software installed to decrypt the message? From what I understand, if I use PGP to encrypt a message on my system, then the recipient also needs to have PGP installed.

I want to be able to encrypt a message, send it to a PC or Mac user, and have to easily decrypt it by entering a password that I've told them over the phone. A cross-platform, non-application depending decryption key would be good, as well.

Is this possible?

TETENAL · Feb 23, 2005, 06:20 PM

http://joar.com/certificates/

Spliff · Feb 23, 2005, 06:26 PM

Originally posted by TETENAL:
http://joar.com/certificates/

That's not going to work because it requires that the recipient also has a certificate. Getting a certificate is too much of a hassle for the people I know. That why I want a way of encrypting/decrypting messages that doesn't require the recipient to do anything else except enter a password or use a key that I've sent them.

cpac · Feb 23, 2005, 06:58 PM

couldn't you just compress a txt file using some compression that requires a password to open? (I know .dmg has this capability, but it's not really cross-platform)

Spliff · Feb 23, 2005, 09:39 PM

Originally posted by cpac:
couldn't you just compress a txt file using some compression that requires a password to open? (I know .dmg has this capability, but it's not really cross-platform)

Yeah, I could do that, but it's still cumbersome. I want seamless encryption. I can't believe that no one has developed an easy, efficient, effortless cross-platform mail-to-mail encryption method.

Graymalkin · Feb 24, 2005, 03:36 AM

Symmetric encryption (everyone uses the same key to encrypt/decrypt) is the sort used on encrypted disk images or StuffIt/Zip files. All of the data is encrypted with one key that you and I have to share. Asymmetric encryption (encryption/decryption is done with different keys for everyone) is a bit more logically secure because no secret information has to be passed over possibly insecure lines. If I send you a file I encrypt it with your public key which you decrypt with your private key. I don't need to know anything about your private key to encrypt a file for you.

Asymmetric encryption comes at an ease-of-use cost which should be rather obvious. In order to encrypt files to send to me you need my public key. In order to get this I either have to send it to you or there has to exist some method for you to find and obtain my key through a third party (a keyserver). The kicker is there isn't really an easy way to transfer and sign public keys transparently.

This is the major stumbling block against easy encryption for the masses. No one has yet devised a relatively foolproof method for generating secure keypairs, uploading them to a keyserver, and then searching for apropos public keys when it comes time to send someone an e-mail or file. Certificates are a possible solution (and used on several e-mail clients) but are extraordinarily expensive and still a bit cumbersome.

The GPG plug-in for Mail comes pretty close to being easy to use. When encrypting a message it gives the option of using symmetric passphrase encryption, searching for a public key on a server, or using a stored public key. While the message does require the recipient to have GPG installed it works well and the recipient will know they received a message encrypted and/or signed with GPG. A quick plaintext e-mail telling them you use GPG, offering links to download sites, and an attached key will help people along the way. If you're interested in using encryption for e-mail it is worth the few minutes to prepare such a form letter to send to your friends.

TETENAL · Feb 24, 2005, 03:39 AM

Read the instructions I linked to above. This is really simple to do, efficient, cross-platform etc.

Look into your keychain. You probably already have dozens of certificates in it from people who mailed you signed e-mails without that you even noticed yet, so you can start mailing encrypted mail right from the beginning.

Spliff · Feb 24, 2005, 03:40 AM

Graymalkin:

Thanks for the clear, detailed answer. I'll give the GPG plug-in a try. Getting my friends to muck about with GPG is going to be the big challenge.

Spliff · Feb 24, 2005, 03:43 AM

Originally posted by TETENAL:
Read the instructions I linked to above. This is really simple to do, efficient, cross-platform etc.

Look into your keychain. You probably already have dozens of certificates in it from people who mailed you signed e-mails without that you even noticed yet, so you can start mailing encrypted mail right from the beginning.

None of my friends have certificates and it's unlikely that I'll be able to convince them to go through the arduous (for them) process of getting one. But I'll try.

Richard Edgar · Feb 24, 2005, 05:21 AM

First off, if you think about it.... if PGP is a problem because it has to be installed, anything is going to be a problem. GPG is simply an implementation of PGP, and should suit you nicely if your friends will use it. You can all swap public keys, and verify them (so that you can sign each others keys). Building the web of trust is the hard part, and it seems that it shouldn't be a problem in the first instance. Read The GnuPG Guide for a general introduction (plus the specifics of GPG/PGP, which should mainly be hidden by the plugin for Mail).

The main problem for the adoption of encryption is the simple fact that, because people can't see the bits flashing down the cables, they assume no one else can. For comparison, not many people send important letters without envelopes.