It has been a problem we have had for a while: how to make email more secure. It is definitely something that continues to be a discussion point and so it should be. The information that is sent across the internet is increasingly of a sensitive nature. Currently, people rely on obscurity to keep their data safe. But with progressively more intelligent search engines available (www.autonomy.com springs to mind) that can churn through vast amounts of data – let alone email – and make sense of it, it is something that needs to be addressed.
We are seeing encryption being provided already in client-side solutions like S/MIME and PGP, but these rely on individual users to manage it. As any IT manager will tell you, this is far from perfect. Some cloud producers like Mimecast and Webroot are now building this into their proprietary systems. This is great for their users and their correspondents, but requires the end user to decide what to encrypt.
However, another approach is to let the gateway device encrypt what it can. So by using STARTTLS for instance, this is already possible and an increasing number of MTA’s support this. Using opportunistic encryption, STARTTLS-enabled devices can make an encrypted connection if the remote end is set up to accept it.
The problem, as ever, is getting everybody to adopt it. Anecdotal data suggests that anywhere from 20% to 60% of email servers are capable of implementing this: so one fifth of all email could be sent encrypted over the internet if people chose to implement it. So the question is, why don’t we?
I tend to believe that the reason is that we have got used to unencrypted email. It is the dead body in the room – at first it was a concern, but we have got used to the smell now and we just naturally avoid it.
Really, STARTTLS is easy to implement, but how to fit it into your day? If you have a managed service you can just delegate and get on with your real work, not so easy if you have to bone up on it and then deploy it.
Once a certificate has been purchased which requires a yearly subscription, its pretty much free if you have the right software implementation and if it is opportunistic then you only gain when a remote end is capable of it.
It should be mentioned that while the destination is effectively authenticated by the TLS certificate, the author is not. So it is not a solution to Spam, hoaxes or similar -but just being able to know that your email is more secure across the internet should be a huge motivator.