Are you using encryption in your e-mail correspondence?

[Bandit]

I voted Never. But when I was in the military years back everything was encrypted and only users with valid keys could read it. But now I dont.

[Irihapeti]

I use keys to sign (not encrypt) my messages to a couple of mailing lists.

I think that encryption should be used more, especially among health service providers where patient/client confidentiality is a legal requirement. (For those who are wondering, that's one area where the fact that you want to keep things confidential doesn't mean you're doing something nefarious.)

However, encryption is only any good if everyone in the loop has the same understanding of confidentiality. A recipient can choose to forward an email to someone else, or simply hit the wrong button. No degree of care on my part can prevent that.

Yes, it has happened to me.

[old_dog]

I am one of those people that has nothing to say that is of importance. So there is no need for me to bother with encryption!

an example "Are you lot going down the Kings Arms tonight?"

Under discussion in the UK at the moment is a proposal that all e-mails should by saved by the ISPs in case the Police, MI5 or 6 mustn't forget the Statsi! wish to peruse them at sometime in the future!!!!!

To help them out I cc all my e-mails gchq.gov.uk

gchq is :-
Official site of the UK Government Communications Headquarters which is the centre for Her Majesty's Government's Signal Intelligence (SIGINT) activities.

[mike acker]

Sure, but you're only going to be able to set up encryption with people you know and trust already. So it'd be no use for sorting phishing attacks from legitimate mail from people you don't know.

~~
I have to disagree with this: all of the security bulletins I get from MSFT come thru signed. and the signature verifies.

the reason the signature verifies is because I went to MSFT Web page and got their key. That was an independent action directed by me -- and this makes a difference

I have the following note on file:
Michael Barrett, chief information security officer at online payment processor PayPal,
http://news.cnet.com/8301-27080_3-20052310-245.html
A few years ago we started digitally signing all our outbound e-mail and we worked with Yahoo and Google so if they saw e-mail that purported to come from us but wasn't signed they would block it. That has been stunningly successful. Now we're trying to get the whole industry to take up that type of approach. But it will take several more years of pushing to get the rest of the industry to do that.
~~~

one ought to observe that the digital signature method can be effective. the approach taken by PayPal probably isn't what we want though: it loads too much of the responsibility onto e\mail service providers, and if you were to generalize this you would create a mess

the key is to simply observe that you need secure e\mail where money or sensitive data is concerned but otherwise not so much

it's an interesting topic, one which has interested me since Zimmerman released PGP back when we were using DOS and FIDONET

one might think to request a public key from anyone you need to exchange information with . that might not be a bad approach.

at the hospital where I used to work ( I'm retired now ) we used ZIX. This had the advantage that the user didn't need to know anything about it: if ZIX found sensitive data in your message it would switch it to secure e\mail

that's OK but with all the cracking going on you know hackers will be looking at a service like that

[insane_alien]

I use it with some people at the moment. Some of my nerdier friends and myself are planning on teaching as many people as possible how to use encryption if the UK passes this new bill that means ISP's start recording everything for a year (hopefully it won't, but just in case).

We're just messing around with it now to get familiar with the systems and any problems that will arise. unfortunately it has mean windows virtual machines and installs.

[mike acker]

I use it with some people at the moment. Some of my nerdier friends and myself are planning on teaching as many people as possible how to use encryption if the UK passes this new bill that means ISP's start recording everything for a year (hopefully it won't, but just in case).

We're just messing around with it now to get familiar with the systems and any problems that will arise. unfortunately it has mean windows virtual machines and installs.

EXCELLENT!! This is how we make progress
<snip>

"FWIW" i think the thing people miss in looking at public key encryption is that public key encryption provides authentication and integrity in addition to security

security is just the encryption -- making sure the content is not readilly available to anyone other than those the message is addressed to

Authentication: is the means by which you can verify that the message is really from the person who says they sent it**

Integrity: is the means by which you may be reasonably sure the content of the message has not been tampered with in transit

in today's world the authentication and integrity feature are most valuable,..... especially when sending software updates

** authentication: you need to be sure you have a correct copy of the person's key. you will find my key on the key server. key ID D088 80C3

[SeijiSensei]

I think that encryption should be used more, especially among health service providers where patient/client confidentiality is a legal requirement.

It's up to the service providers to build compliant solutions that don't put unreasonable burdens on patients. I built a web-based appointment system for a healthcare provider about a year ago. Since any email I send to the patient must both be in plain text and include no "patient health information," the message contains only an HTTPS link to the secure application on the website. When the patient clicks the link they can read the actual reply over SSL after logging in. I send notices to the appointments staff using the same approach. In the US, these types of "patient-portal" systems are now fairly common among larger health providers to comply with our "HIPAA" regulations. Individual practitioners and small groups still routinely exchange insecure email with patients.

[Old_Grey_Wolf]

My employer requires that some types of data are encrypted; therefore, I use it.

As far as my personal email to friends and family, no. My friends are about as old as I am, they are in their 50s or 60s. My sisters are in their 70s. For some reason, I don't think encryption would work for them.

And who would want to read about someone's colostomy bag anyway.

[Welly Wu]

I use GnuPG and Enigmail in Mozilla Thunderbird to send encrypted e-mail messages to my friend. He works for the United States Army in their FA53 program which is Information Assurance Management. He uses Ubuntu 12.04 32 bit Long Term Support and I taught him everything that he knows. Of all my friends, he is the most technically inclined with a security background.

[Primefalcon]

Like the title says, I wonder how many people use encryption in their e-mails. It is easily available, enigmail is a nice addon for Thunderbird, and Seahorse is available in every Ubuntu installation. So why not to encrypt when its so easily possible?

Phil Zimmerman once said that if you have nothing to hide, why are people using letters instead of postcards...

I encrypt to my parents but no one else I know much uses encryption, though I do sign and include my public key on all my outgoing messages