Between the growing threats of email hacking and government surveillance, people are growing more concerned about the privacy of their inboxes, and the use of encrypted email is on the rise. Still, only 50% of emails are encrypted in transit, and client-side email encryption is rarer still.
Both the FBI and the Internet Architecture Board urge more widespread use of data encryption in pursuit of a more secure Internet. Yet, despite its clear benefits in a world rife with security hazards (just ask Sony about their thoughts on email privacy), most users aren’t adopting encrypted email. Why?
For one, it can be difficult if you don’t have an advanced degree in computer science. If you’ve ever had to set up PGP, S/MIME or any of the many portal based solutions, you know that with good security often comes a ton of frustration. While there are user-friendly options out there, the traditional email encryption solutions each have enough drawbacks to keep users from adopting encryption en masse.
Pretty Good Privacy (PGP) is an encrypted email solution that masks your messages before you send them. PGP works using public key cryptography, meaning that every user has their own key pair — one private key, and one public key. The private key is used to decrypt messages, while the public key is used to encrypt them.
Your public key can be openly shared with just about anyone without incurring any risk. Even if a potential bad guy were to obtain your public key, they wouldn’t be able to decrypt your messages. For that, they would need to access the private key, which only you have.
While PGP is very secure, it’s also a huge hassle. If you’re going to send someone an encrypted message, not only do they have to be using PGP, but you also have to exchange keys first. Likewise, once you have a collection of keys, it’s up to you to hold on to them. If they get corrupted, or if your computer goes up in smoke, you have to repeat the process.
Even if you’re tech-savvy, and the above scenario doesn’t really seem like such a hassle to you, what are the chances that you’re going to be able to get every single one of your contacts to enable and use PGP? Or, better yet, what about all of your colleagues? Or friends? As secure as PGP is, it’s not surprising that it hasn’t caught on.
S/MIME: Shuffling Certificates
Much like PGP, S/MIME uses public key cryptography in order to secure and encrypt email. The primary difference is that unlike PGP, which requires users to exchanges keys themselves, S/MIME uses digital certificates. Digital certificates are pieces of code provided by a company known as a Certificate Authority (CA).
In order to obtain a digital certificate, a user must first apply for one through a CA, who verifies the identity of the person applying for the certificate. Typically the CA is authorized through some agreement with another institution (usually a bank or a credit card company), this way they can confirm the identity of the person applying for the digital certificate.
Of course, digital certificates aren’t necessarily cheap. While it’s possible to get a free digital certificate for a year from some vendors, that’s only for individual use, and not for business communication. On top of that, since every user has to have a certificate, you’re paying a yearly fee for all of your employees.
Then there’s the problem of actually using the certificates. In order to activate email encryption with S/MIME, the user must then important their digital certificate into their email client. It’s worth noting that most web email clients (including Gmail, Yahoo! and Outlook) don’t support digital certificates, either.
Doctors, pharmacists, insurance companies and anyone else handling protected health information (PHI) have an obligation through HIPAA and HITECH to safeguard that information, especially when it is in transit. This means that encryption is a necessity when moving PHI between parties that require access to it.
Yet, because of the difficulty of setting up encrypted email, most providers choose to use an all-in-one portal system to manage their PHI. While these systems cover off on HIPAA requirements, user friendliness and interface design are not their strengths. Plus, the burden is passed to the client, who has to remember yet another set of credentials in order to access their information.
Of course, where at least PGP and S/MIME both were a tradeoff of hassle for a solid level of security, most portal systems only provide the absolute minimum necessary for HIPAA compliance. This means that while patient data on their server is secured (and messages sent via the system are secured), it has to reach the server before it can actually be encrypted. Since the PHI is not encrypted on the device — and often, it’s the server doing the decryption as well — a potential breach could occur due to a compromised device, or even while the data is in transit to (or from) the server.
The complexity of setting up encrypted email has driven many to try all-in-one encryption email services that promise a locked-down experience. Many of these providers offer encryption as a service, and many are willing to promise that your information is completely secure within their network.
That last bit is the catch, though, as these providers often don’t offer true client-side email encryption, only offering true protection to clients logged in on their network, using their emails.
This means that if you send an email outside of the network (say, shooting a message to a colleague’s Gmail address), they can no longer guarantee your email will be secure.
This also means that such a service would only really be useful to businesses, and only inter-business communication, at that. The services that do offer encryption that works past their servers often simply use various forms of PGP, meaning that the same hurdles present with that system are present here.
You’re probably starting to see a trend here: good security coming at the expense of convenience. PGP and S/MIME are fantastic solutions, but are they practical for most of us?
Probably not, unless you work in IT — or, as with S/MIME, you have a large budget. But security doesn’t have to mean a bad user experience. That’s where Virtru comes in.
Virtru provides client-side encryption without any complicated setup procedure. It’s as simple as downloading an add-on and signing up for a free account. There’s no key exchange, there’s no going to a third-party certificate authority and there’s no worrying about having to kick everyone off of their existing addresses to enable email encryption.
Virtru works with Gmail, Yahoo! and Outlook, meaning that you don’t have to ditch your current email address to take advantage of email encryption. Likewise, Virtru also works with Android and iOS devices, so there’s no need to abandon email encryption when you’re not at your desk.
Email encryption doesn’t have to be complicated, and more importantly, good encryption shouldn’t be complicated. No matter how strong your email encryption is, it doesn’t matter if users don’t actually pick it up and use it. Virtru isn’t just easy for you, it’s easy for everyone you send email to, as well — meaning that you won’t have to spend much energy convincing friends, colleagues or your IT department that email encryption is worth their time.
Download Virtru today, and see how easy it is to enable true client-side email encryption.
Contact us to learn more about our partnership opportunities.