[cryptography] Security Pop-Up of the Day

Joe St Sauver joe at oregon.uoregon.edu
Wed Sep 21 17:27:56 EDT 2011


#> When smime.p7s files start getting stripped, there goes yet another
#> potentially critical piece of security technology.
#
#All email client vendors had to do to give smime a chance in life was to 
#make it easy to generate and use a cert.  Automatically.  Add an 
#account, generate a cert.  The rest can follow in due course...

Well, its obviously not quite that easy yet, but users can currently get 
a free client cert by visiting a web page and filling out a form, and 
then clicking on a link. That part is relatively easy (and arguably easier
than installing GPG and Enigmail (for example), and generating PGP keys 
and getting them signed, and submitting them to a keyserver, etc.)

Where things get ugly is after the user has gotten their client cert, and 
then needs to manually incorporating the client cert into their web browser 
or MUA or hardware token or smart card or whatever. I show the process for 
configuring Thunderbird on the Mac (by way of example) on a one sheet/two
sider: http://pages.uoregon.edu/joe/smime/using-smime-with-thunderbird.pdf

I've tested that document with a random selection of folks, and all were 
able to do it, FWIW. 

So yes, there is a bit of nastiness up front, but it's one time only, and 
nothing that can't be overcome if the user is willing to give it a shot.

#Dunno why, but the architecture seems to be an exercise in won't work.  
#Is it possible that nobody really wanted smime to work?

Well, consider the large free web email providers. If their business 
model is "we're going to sell contextual ads to pay for the service," 
about the only "context" you get for S/MIME-encrypted mail is the 
content of the message's subject plus the header info. That's often
fairly meagre gruel. It is thus perhaps not surprising that Gmail
isn't pushing S/MIME encryption routinely as part of their product.

On the other hand, I don't see them interfering with Penango, a nice 
third party S/MIME plugin for Gmail. That said, their non-interference
might be the ultimate commentary that current levels of adoption of 
S/MIME for encryption represents absolutely no threat to their core 
contextual ad business model, unfortunately. :-(

Regards,

Joe

Disclaimer: all opinions strictly my own



More information about the cryptography mailing list