Choosing an email reader for encryption
Off the Beat: Bruce Byfield's Blog
Most modern email readers support encryption, but that's only half the story. Despite the growing public interest in security and privacy, most readers are still designed on the principle that if you want encryption, you will have no trouble figuring how to configure it.
To say the least, this is an ungrounded assumption. All too often, poor documentation and interface design, as well as complicated procedures conspire to keep encrypted email out of the reach of all but the expert or patient few. A little research may tell you that you need a PGP public key, but how easy is it to made your email reader aware of the key?
Here's how seven of the most popular email readers on Linux answer that question. The answer should be obvious, but rarely is:
Alpine is the latest incarnation of Pine, the ancient email browser. To a desktop user, Alpine is as complicated to configure as most of the other major options.
However, if you are at home at the command line, the technique seems natural: add your public key to your ~/.pinerc file.
Claws Mail is mostly easy to use. But as so often happens, encrypted email is an exception. You need to install and enable the PGP/Core, PGP/Inline and PGP/Mime plugins.
And how do you install plugins? Not by scanning the Claws Mail manual, which doesn't mention the subject, but by hunting down the Claws Mail FAQ online. Simple -- so long as you're willing to investigate.
GNOME's Evolution includes encryption choices in the Options menu of the Compose Message window. Selected options remain in force until toggled again, so be careful not to send an encrypted message when you intend to send one in clear.
Evolution will indicate problems, such as the lack of a key. Sadly, though, the interface gives no hint of how to configure encryption, and, in several major distributions, includes no online help. If you know about Evolution's manual, you will find concise and clear procedures for setup, but if you don't, it takes persistence and luck to stumble across the configuration options buried several levels down on the Security tab for your account.
Geary is a new email reader from the Yorba Foundation, the makers of the Shotwell photo manager. Unfortunately, it is still in beta, and does not currently support message encryption. Jim Nelson, Yorba's executive director, says that "this is something we would like to include, but can't make a definitive statement when it will be available."
However, Nelson does express how he thinks email encryption should operate. Many other implementations, he says, "seem little more than GUI representations of the arguments one would pass to a command line tool. We think a modern client should offer a straightforward keyring manager, a checkbox interface for encrypting a message, and a prominent indicator when a received message is properly (or improperly) signed" -- a vision that would put Geary well ahead of most email readers if implemented.
KMail, KDE's main email reader, provides full support for encrypted email. However, the menu items for configuration are scattered all around. Some are on the Encryption tab under Identities, others on the Composing and Miscellaneous tabs under Security. Nor does the verbosity of the online help or its arrangement by menu item provide an adequate explanation of which options are required and which are optional.
Granted, once encryption is set up, encryption in KMail is only a single click away. But reaching that point can be frustrating to users new to the concepts.
At first, Sylpheed is puzzling. A popular, light-weight email browser, Sylpheed includes PGP Sign and PGP Encrypt options in the compost window, but searching the menus gives no hint of how to configure it for encryption.
The truth is so simple that overlooking it is understandable: if you create any keys, Sylpheed automatically detects them and displays them for selection just before sending the message. If Sylpheed would only mention this setup somewhere, it would be the encryption solution of choice among the major email readers.
As installed, Mozilla's Thunderbird (or Icedove, as it is known in Debian) has no email encryption. However, you can add the Enigmail extension, which adds the functionality.
Enigmail does many things right. It offers a wizard that educates you while guiding you through the process of generating private and public keys, and adds an OpenPGP menu to the Write window.
Enigmail does have some weaknesses. It assumes some PGP options, and the menu items it adds are poorly worded and potentially baffling to users new to encryption. It is also extremely slow at generating keys. However, currently, it is a reasonable choice for configuring and using encryptions graphically -- which is no doubt why the Free Software Foundation centers its campaign to promote encryption upon it.
Making a Choice
At some point in the next few years, encryption will be as simple as a spell-check. Perhaps Geary will be the email browser to provide that solution.
Meanwhile, encryption remains a non-standard feature -- under-documented, with options hard to find and poorly worded. For now, Thunderbird and Enigmail seems the best choice for new users, although the simplicity of Sylpheed is very nearly there. But, even with these choices, easy encryption is still a release or two away, if not several.comments powered by Disqus
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.