Secure Email is Dead

[ 2007-April-10 22:26 ]

For the last two years I have had a free S/MIME certificate from Thawte for digitally signing my email. Last week it expired again, and I no longer care to bother renewing it. Effectively no one else has a digital signature, and thus it is useless. As much as I would like to use encrypted email to communicate with my financial advisor, I cannot do so, because encrypting to someone requires them to have a certificate too. This is not the first time I have written about this.

Digital signatures for email have been a complete failure. To be useful, the people I communicate with need to use and understand them. For that to happen, we need people to understand that signatures and encryption are useful, and someone needs to come up with a clever design that makes it simple. Let's face it: encryption and signatures are complicated. Brad Templeton has an in-depth article that discusses an email encryption scheme that does not require any user intervention. It seems like a pretty good idea to me.

Maybe banks, eBay and PayPal will eventually realize that digital signatures could be helpful for fighting phishing. With their support, and the support of big web-based email providers like Yahoo, Gmail, or Hotmail, it seems to me that something could be built that would do the job.