
What Email Needs

This is a public discussion paper. It may change frequently.
An up-to-date copy is available at

E. Gerck, Ph.D.
Copyright (c) 2005 by E. Gerck, first published online on September 30, 2005.
All rights reserved, free copying and citation allowed with source and author reference.


    This is a public discussion paper on email security. The paper is published in sections, each section presented after sufficient time for feedback. Join the discussion in the Blog and help shape this paper and its conclusions.

1. Why Is Email Encryption Not Used?
(other sections to be published)


We all know what email needs. Security. And we need email security for both sender and recipient, end-to-end, and after the end point as well -- after the email arrives. Email security for the message and for the email addresses.

But we have so many email security solutions already! Email encryption and digital signing with public-key cryptography were made possible for everyone on the Internet more than 20 years ago, with PGP. Microsoft Outlook, ubiquitous in corporations and available as the free Express version, uses public-key cryptography to encrypt and digitally sign email with a single click. Just search for "email security" and you will find pages and pages of solutions for everything that's wrong with email, including fraud, spam, spoofing, phishing, and eavesdropping.

Many medicines is a sign of no cure.

Public-key cryptography gave the impression that email message security could be achieved quite simply. The public key can be distributed at will, with no need for secrecy, and anyone can receive private and secure messages. With the same procedure applied to each side, sender and receiver, both could immediately engage in private and secure communication.

However, despite the apparent simplicity and widespread availability of public-key cryptography, less than 5% of all email is encrypted. Banks won't even consider using encryption for sending out monthly statements and notices. It's not just the mounting problem with email fraud schemes such as spoofing and phishing. Banks discovered that not even their own employees were willing to use encryption.

1. Why Is Email Encryption Not Used?

One common explanation why email encryption is not used is that people just don't need secure email; if they did, they'd use encryption. Given the successful use of encryption for web sites, with SSL, and the obvious need to protect information from hackers, why would information sent by email not need protection as well?

Thus, in the same way that bank statements, contracts, medical records, job offers and personal correspondence are invariably sealed in envelopes before they are sent using postal mail, correspondence delivered by email would also need to be sealed by encryption. Furthermore, because email messages can linger on in servers and caches long after they are deleted by the recipient and sender in their own computers, unprotected information sent in an email could come back in the future to haunt senders.

Another explanation is that people do not know that regular email is not secure; if they did, they'd use encryption. However, high-profile email disclosures and attacks such as phishing emails are in the daily news. Every day, many millions of Internet users receive emails from themselves, their banks, and even their friends, that they never sent. The Missouri Bar Disciplinary Counsel, for example, requires all Missouri attorneys to notify all recipients of email that:

"(1) email communication is not a secure method of communication,

(2) any email that is sent between you and this law firm may be copied and held by various computers it passes through as it is transmitted,

(3) persons not participating in our communication may intercept our communications by improperly accessing your computer or this law firm's computers -- or even some computer unconnected to either of us that the e-mail may have passed through."

Thus, if people do need secure email and if they do know that regular email is not secure...

Why is email encryption not used?

...Continues in Part II (to be uploaded)

Contact Information

Ed Gerck, Ph.D.

This paper does not intend to cover all the details of the technologies reported, or all the variants thereof. Its coverage is limited to provide support and references to the work in progress on new email security technology and to unify references, concepts and terminology. No political or country-oriented criticism is to be construed from this work, which respects all the apparently divergent efforts found today on the subjects treated. Products, individuals or organizations are cited as part of the fact-finding work needed for this site and their citation constitutes neither a favorable nor an unfavorable recommendation or endorsement.
