Yahoo! has announced that it has released the source used in its new encryption browser plugin, permitting users to encrypt emails ‘end-to-end’ — using OpenPGP.
Brendan Rizzo, data-centric security expert and technical director at HP Security Voltage (formerly Voltage Security), explained some of the challenges:
“Deploying an email encryption solution at a large scale will likely fail unless two challenges are overcome: ease of use to send and receive messages, and ease of use in managing the encryption keys used to protect the messages. However, the available details suggest that the key management challenge is not being adequately addressed in this initiative. If keys are stored on an end user’s device, it is unlikely that they will be able to be shared with a user’s other devices. This would mean, for example, that an email encrypted with a key stored on a user’s laptop would not be able to be read from the same user’s mobile phone. It would also mean that if the user loses the laptop storing the key, all previously encrypted emails may then be irretrievably lost.
These challenges stem from the plugin being based on the antiquated “Pretty Good Privacy” (PGP) technology (RFC 4880). If an organization needs to scale to the size of a large webmail provider such as Yahoo, and encrypt email end-to-end without introducing the complexities and frustration that would ultimately stunt widespread user adoption, then newer public key methods like Identity-Based Encryption (IBE – IEEE 1363.3 standard) are required. IBE lays the foundation for ease of use and security without the pain of the older end-user certificate management approaches that have proven to be too complicated for end users. There are well in excess of 68 million users using IBE-based solutions every day today, including thousands of enterprises that rely on it.
So, when thinking about easy-to-use encryption, think more modern IBE-based systems. IBE solves the critical key management and complexity problems that plague traditional end-to-end solutions and is already proven in large-scale implementations.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.