
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Chapter 9: Securing Internet Email
A Brief Introduction to Email Encryption
Encrypting your email from end to end is the very best defense against eavesdropping
attacks; encrypting it and signing it is also a powerful defense against identity
theft. However, because this book is about bastion-server security, and since email
encryption is in most respects much more of a client/local application than a “back-office”
application, I’m not going to go very far in depth on this topic. (The extent to
which it does involve backend services, e.g., in Public Key Infrastructures, is outside
the scope of this book.)
There are two predominant email encryption technologies in use nowadays, PGP and
S/MIME. Both are end-to-end solutions (end users do all the encrypting and decrypting,
with servers involved only in key distribution), and both are based on open standards.
However, neither PGP nor S/MIME has achieved much popularity with less
technical or nontechnical users. The ugly reality is that email encryption as we know
it places a much higher burden of skill and knowledge on end users than, say, SSL
does with web encryption.
That’s because most SSL sessions on the Internet are, in real terms, “anonymously”
encrypted. If I buy something from an online retailer, I may or may not care