Ready to get serious about e-mail privacy?


You may have heard about e-mail encryption -- you may even have tried it and given up because it was too confusing (okay -- too geeky). It's time you tried it again. With programs like Pretty Good Privacy and the encryption systems built into Internet Explorer and Netscape Communicator, you can scramble your messages so that only the recipient can read them, or sign them digitally to prove you are who you say you are. But signing and encrypting mail involve extra steps and, in some cases, extra expense. If your messages usually aren't sensitive, why bother?

The short answer: If you don't, someday you may wish you had. Sure, it's unlikely that someone has singled out your mundane missives for scrutiny from among the millions zipping around the Net. But it's easy to become a target. And if you use your employer's mail system, you probably already are. When you negotiate a salary increase, discuss personal matters, advise clients on sensitive issues, or conduct other legal and ethical -- but private -- affairs using e-mail, the only way to ensure your privacy is to use encryption.

Go With PGP. The encryption system built into Windows (via Internet Explorer) works much like Pretty Good Privacy's, but I advise you to skip it, for several reasons. First, using it costs money -- you have to purchase a digital ID certificate from a third-party certificate provider. Second, few e-mail programs apart from IE and Communicator support the digital IDs. And third, PGP is a more secure encryption system than the one included with Windows.

How can I say that? Both systems use encryption keys large enough to stymie ASIO. But recent rumours that Microsoft included a back door in its security system for the US government to sneak through point out a fundamental flaw. These rumours are almost certainly untrue, and Microsoft's system may be as robust cryptographically as PGP. But the software's internal structure is unavailable for public review.

In contrast, PGP is an open-source program. Legions of doubting Thomases pore over its public source code to satisfy themselves that ASIO will never break into what PGP has encrypted. Unless Big Brother has induced mass hypnosis among privacy geeks, PGP has no back door. By the time the men in black decipher your gibberish, you will be ancient history. And, to ice the cake, PGP is easy to use. It comes with plug-ins for Outlook, Outlook Express and Eudora, as well as with a Windows system tray icon that enables you to encrypt or sign the text contents of any window on your screen (see FIGURE 1).

FIGURE 1: Encrypt or decipher text anywhere on your screen using Pretty Good Privacy's PGPtray utility.

When you first set up PGP, you get to choose which optional elements you want to install (including e-mail program plug-ins and the PGPnet virtual private networking module). All you really need are the Key Management module and plug-ins for your mail programs, if any. You may also want the user guide. (If you install PGPnet, select Start-Programs-PGP-PGPkeys after your PC reboots to continue installation.) The installer will ask you to choose an encryption type and strength -- use the defaults, Diffie-Hellman/DSS, and 2048 bits. When prompted, pick a "passphrase" that you won't forget but which no one else with access to your computer will guess. And don't write it on a sticky note or any other place. When the installer tells you to send your public key to the key server, do it. That's how other PGP users will communicate with you securely.

You can start signing, encrypting, and decrypting messages straight away, or simply ignore PGP until that fateful day when you decide to order some, er, personal items from an online store. To sign outgoing messages or decrypt and verify the authorship of incoming ones, choose Decrypt/Verify in the PGP menu that the plug-in added to your mail program, or click the PGP system tray icon (select Start-Programs-PGP-PGPtray if you don't see the padlock icon) and choose Current Window-Decrypt & Verify.

To encrypt outgoing messages, you must first download the recipient's public key and add it to your Keyring database. Launch the PGPkeys utility from the system tray PGP menu, the Start menu, or the PGP plug-in menu; choose Server-Search; enter your search criteria (an exact e-mail address is best); and click OK. When you find the key you're looking for, drag it into the main PGPkeys window (see FIGURE 2).

FIGURE 2: Use the PGPkeys program to download other PGP users' public keys onto your Keyring from public key servers.

To encrypt a message, choose PGP-Encrypt and sign now, or click the PGP system tray icon and choose Current Window-Encrypt & Sign.
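The steps above (make a passphrase-protected key pair, publish your public key, fetch the recipient's public key, Encrypt & Sign, then Decrypt & Verify) can be seen end to end in the script below. It is an added illustration for this article, not code from the article or from the PGP product it reviews: it uses GnuPG, a free OpenPGP implementation that handles PGP-style keys and messages, with two throwaway key rings in temporary directories standing in for two users and a pair of exported files standing in for the key server. The users' names, addresses and passphrases are constructed for the demonstration. It also shows the one thing the menus hide: Decrypt & Verify will happily hand you the plaintext before you hold the sender's public key, but the signature only counts as verified once that key is on your Keyring.

```shell
#!/bin/sh
# Added example, not code from the article or from the PGP product it reviews.
# It runs the article's steps (make a key pair protected by a passphrase,
# publish the public key, fetch the other party's public key, Encrypt & Sign,
# then Decrypt & Verify) with GnuPG, a free OpenPGP implementation that
# handles PGP-style keys and messages. Two throwaway key rings in temporary
# directories stand in for the two users, and files stand in for the key
# server; those, plus the names and passphrases, are constructed for the demo.
set -eu

# Create an isolated GnuPG home for one user and generate a 2048-bit key pair.
# The article's Diffie-Hellman/DSS default would be "Key-Type: DSA" plus
# "Subkey-Type: ELG-E"; RSA is used here because it generates in a moment.
# The passphrase protects the private key on disk, as in the article, and the
# parameter file holding it is deleted as soon as the key exists.
make_user() {   # $1 = GnuPG home, $2 = name, $3 = e-mail, $4 = passphrase
    mkdir -p "$1" && chmod 700 "$1"
    echo "allow-loopback-pinentry" > "$1/gpg-agent.conf"
    cat > "$1/params" <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
Passphrase: $4
%commit
EOF
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --gen-key "$1/params"
    rm -f "$1/params"
}

# Full round trip. Prints two verdicts (signature check before and after Bob
# fetches Alice's public key) followed by the recovered plaintext.
pgp_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "SKIP: gpg not installed"; return 0; }
    work=$(mktemp -d)
    alice="$work/alice"; alice_pw="correct horse battery staple"   # constructed
    bob="$work/bob";     bob_pw="another long passphrase"          # constructed
    make_user "$alice" "Alice Sender" "alice@example.invalid" "$alice_pw"
    make_user "$bob"   "Bob Reader"   "bob@example.invalid"   "$bob_pw"

    # "Send your public key to the key server": each user exports an
    # ASCII-armoured public key; the files play the part of the server.
    GNUPGHOME="$alice" gpg --batch --armor --export alice@example.invalid > "$work/alice.pub"
    GNUPGHOME="$bob"   gpg --batch --armor --export bob@example.invalid   > "$work/bob.pub"

    # "Download the recipient's public key and add it to your Keyring".
    GNUPGHOME="$alice" gpg --batch --quiet --import "$work/bob.pub"

    # "Encrypt & Sign": Bob's public key encrypts, so only his private key can
    # read the result; Alice's private key, unlocked by her passphrase, signs.
    # --trust-model always skips the "is this really Bob's key?" question that
    # PGP users settle by comparing fingerprints; tolerable here only because
    # we made Bob's key ourselves a moment ago.
    printf 'Salary discussion: ask for 15%% more.\n' > "$work/msg.txt"
    GNUPGHOME="$alice" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$alice_pw" --trust-model always \
        --local-user alice@example.invalid --recipient bob@example.invalid \
        --armor --sign --encrypt --output "$work/msg.asc" "$work/msg.txt"

    # "Decrypt & Verify" on Bob's side before he holds Alice's public key:
    # the text decrypts, but the signature cannot be checked (NO_PUBKEY).
    # gpg exits non-zero for an uncheckable signature, hence "|| true".
    GNUPGHOME="$bob" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$bob_pw" --status-fd 3 --output "$work/first.txt" \
        --decrypt "$work/msg.asc" 3>"$work/status1" || true
    grep -q '^\[GNUPG:\] NO_PUBKEY' "$work/status1" && first=unverified || first=verified

    # Bob adds Alice's public key to his key ring and tries again: GOODSIG.
    GNUPGHOME="$bob" gpg --batch --quiet --import "$work/alice.pub"
    GNUPGHOME="$bob" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$bob_pw" --status-fd 3 --output "$work/second.txt" \
        --decrypt "$work/msg.asc" 3>"$work/status2" || true
    grep -q '^\[GNUPG:\] GOODSIG' "$work/status2" && second=verified || second=unverified

    echo "$first $second $(cat "$work/second.txt")"

    # Stop the per-key-ring agents and wipe the temporary keys.
    GNUPGHOME="$alice" gpgconf --kill gpg-agent || true
    GNUPGHOME="$bob"   gpgconf --kill gpg-agent || true
    rm -rf "$work"
}

pgp_roundtrip
```

Run it as an ordinary shell script on a machine with GnuPG installed; nothing touches your real key ring, because every gpg call is pointed at a fresh GNUPGHOME that is deleted at the end. The `--trust-model always` switch exists only so the demo runs unattended; with a key you downloaded from a server you would instead compare its fingerprint with the owner over another channel before trusting it.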

If you need help, start with the official PGP FAQ at www.cam.ac.uk.pgp.net/pgpnet/pgp-faq. Simson Garfinkel's PGP: Pretty Good Privacy is an excellent primer on public-key encryption and Pretty Good Privacy, though parts of it are a bit out of date. For the most current information available and for access to other PGP users, visit the alt.security.pgp and comp.security.pgp.discuss newsgroups.

Pretty Good Privacy

$69.95
O'Reilly & Associates; www.woodslane.com.au


Category: Internet
Issue: February 2000

These Web pages are produced by Australian PC World © 1999 IDG Communications