Why Cryptography?
Introduction
In 2001 the mailer of an IT company added this footer to the message of an employee:
The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also like to inform you that communication via e-mail over the Internet is insecure because third parties may have the possibility to access and manipulate e-mails.
MSN has an interesting article about this. If I were the sender of a confidential email, I would enforce this legal stuff by technical means and care about encryption. If I wanted to make sure that no one changes this email while it travels through the Internet, I would care about a digital signature.
Why
- Email should actually be called e-postcard, because the postmaster of every Internet provider involved (and your employer, if you use the corporate network) can read it. Why don't you send your salary slip or love letters to your friend as an open postcard? This is even more important if you permanently archive your emails at Hotmail or on an IMAP server instead of retrieving them from a POP server after a short staging period.
- Faxes are recognized as legally binding, even though everyone can scan, cut & paste someone's signature. (This is shown, for instance, in the movie High Speed Money.) Digital signatures offer a much higher degree of security. If you want to send legal documents over the Internet, a digital signature is the way to go. The EC signature directive sets up the framework. Please check, however, whether the prerequisites are met in your specific case.
- People are afraid of entering their credit card number on a secure Web site, but during their vacation, they hand their card to an unknown barkeeper.
- People are afraid that Internet over power lines could be easily tapped. They should be aware that it can be tapped already today and that encryption is the only way to go.
- “This document was created electronically and is therefore valid without a signature” should be replaced by “this document was digitally signed and is therefore valid according to the EC signature directive”.
- Look for the EC signature directive, national signature directives and the “Echelon Report of the European parliament”.
- Create facts that make it more difficult for governments and other administrations to limit the civil right to confidential (i.e. encrypted) communication (see: talk.politics.crypto).
- It is preferable to rely on open, worldwide acknowledged standards rather than to create "security by obscurity" and homemade encryption (see: snake-oil-faq), which is likely to contain flaws because of the lack of experience.
- It's a good idea to gain experience already today, since this future technology may soon be part of our ID cards and may be used in business.
- Encrypting emails is just one of many applications for certificates. Take it as a lesson to learn how to handle certificates. Did you ever ask yourself how to verify that the Web site where you enter your account number and PIN really belongs to your bank, or how to find out who created the ActiveX control that you are about to download and install? Has it been tampered with or infected by a virus?
- Return on Investment (ROI):
  - Encryption grants you the confidentiality of documents at much lower cost and maybe higher efficiency than transmitting or storing them in different forms with the same degree of security.
  - Encryption and digital signature significantly reduce the risk of unwanted disclosure or falsification of important business documents.
  - Cryptographic technologies enable you to enter areas of e-business which have not yet been tapped because of insufficient security.
- See: Why You Should Use Encryption
Why not
- Even though cryptographic software is already installed on most PCs, it was hard or expensive to get a certificate to enable this technology. This was one of my motivations for building this free CA before I became aware of the Thawte Web of Trust (WoT), which solves this problem at least for email encryption. That's why I want to spread the idea of encryption and the WoT.
- Articles about cryptography usually explain the mathematical details of today's algorithms, but lack "cooking recipes" for ordinary users and administrators. That's why I create web pages about this subject.
- There are still compatibility issues between Netscape and Microsoft, and I suppose Lotus et al. raise additional issues.
- Commercial software is sometimes suspected to contain implementation flaws or intentional backdoors. Using no encryption at all and being aware of the insecurity is better than relying on a technology which actually isn't as secure as it appears to be.
- Open Source cryptography software is usually considered secure, but is often awfully user-unfriendly.
- There are a lot of confusing legal and patent issues.
Conclusion
If you want to get people interested in cryptography and the WoT, you should use terms like “security, privacy, confidential and authenticity” instead of “digital signature and encryption”. You should make them aware of the reasons for this technology, as mentioned in the “why” section of this mail. If they come up with issues from the “why not” section, you should make clear that solutions exist and that starting now can lead to their own answers to these issues, while in a “sit and wait” scenario these issues will just take them by surprise.
WaltDe says:
Added on September 1st, 2006 at 3:41 pm
Very good reading. Peace until next time.
WaltDe