The main reason is that it requires your recipient to take an extra step. If you send an encrypted email to someone else, and they haven’t configured their mail client for encryption, then they won’t be able to read it. For most people, that negative outweighs the privacy gain.
Also, encryption is easy; key management is hard. If your workplace sets up a Public Key Infrastructure on your Exchange server, all you have to do is click “encrypt.” But outside of an organization that uses it, you’ll need some out-of-band way of exchanging keys with everyone you want to communicate with. And, as fun as key-signing parties are, they can be a little awkward for, say, someone you just met on reddit.
Right. Encryption is a lever; it permits you to use the secrecy of a small piece of data (the key) to secure a larger piece of data (the message). The security isn’t in the encryption math. It’s in the key storage and exchange mechanism.
*I stole this analogy from something I read recently, probably on HN.
Before you send an encrypted (PGP-style) mail to someone, you need their public key. The recipient’s public key is used to encrypt the message for them. So when you are able to send an encrypted e-mail to someone, they probably already have everything configured.
I guess most people don’t care too much about their e-mail privacy; or at least don’t have a clue that there is something that could be protected, but isn’t. And if you use a free webmail, there is no point in encrypting your messages (and I don’t know if it is even possible). If you are OK with Google company reading and archiving all your e-mails… yeah, Google would never do anything evil. ;-) And Google is probably better than Facebook, and many people don’t mind sending their private data through Facebook messages.
For many people the costs of encryption would be not only configuring their e-mail client, but first installing it, and accepting that they cannot send e-mails from any place, but only from their own computer. Some people don’t even know that it is possible to use e-mails without connecting to a website.
Of course it’s possible: Compose the email in a different program, encrypt it in GPG with the recipient’s public key, and paste the ciphertext in the webmail’s message field.
It’s just inconvenient.
You only have to configure it because it isn’t standard. If it was, anyone who had a mail client would be able to read it.
I don’t just mean email. I was referring to any kind of information transfer.
What’s especially odd is with webpages. I’ve never seen a browser that can’t handle https, and yet, if you’re not sending something secure, they just use http.
But an HTTP server that doesn’t have a unique IP address cannot use HTTPS. There are extensions to the standard that fix this problem (e.g., Server Name Indication), but they are not widely supported. (The problem stems from SSL working on a lower level of abstraction than HTTP.)
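Following the SNI remark above, an added example (not from any commenter) in Python that encodes and decodes the TLS server_name extension from RFC 6066, the field that carries the requested hostname before any HTTP request is sent, and then picks the matching certificate the way a name-based virtual host would; the hostnames and certificate labels are constructed sample values.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # extension_type "server_name" (RFC 6066)
NAME_TYPE_HOST_NAME = 0       # the only NameType the RFC defines

def build_sni_extension(hostname):
    """Encode one host_name entry as a complete server_name extension."""
    name = hostname.encode("idna")                       # SNI carries ASCII (A-label) names
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list

def parse_sni_extension(data):
    """Decode a server_name extension; return its host names or raise ValueError."""
    if len(data) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != SNI_EXTENSION_TYPE:
        raise ValueError("not a server_name extension (type %#06x)" % ext_type)
    body = data[4:4 + ext_len]
    if len(body) != ext_len or ext_len < 2:
        raise ValueError("extension body truncated")
    (list_len,) = struct.unpack("!H", body[:2])
    entries = body[2:2 + list_len]
    if len(entries) != list_len:
        raise ValueError("server_name_list truncated")
    names, pos = [], 0
    while pos < len(entries):
        if pos + 3 > len(entries):
            raise ValueError("server_name entry truncated")
        name_type, name_len = struct.unpack("!BH", entries[pos:pos + 3])
        pos += 3
        name = entries[pos:pos + name_len]
        if len(name) != name_len:
            raise ValueError("host_name truncated")
        pos += name_len
        if name_type == NAME_TYPE_HOST_NAME:
            names.append(name.decode("ascii"))
    return names

def choose_certificate(extension_bytes, certs_by_host, default_cert):
    """Server side: pick the certificate for the requested name, else fall back."""
    for name in parse_sni_extension(extension_bytes):
        if name.lower() in certs_by_host:
            return certs_by_host[name.lower()]
    return default_cert

# Constructed sample: two name-based virtual hosts sharing one IP address.
SAMPLE_CERTS = {"mail.example.net": "cert-mail", "blog.example.net": "cert-blog"}
```

Without the extension the server sees only the IP address and port when it must choose a certificate, which is exactly the gap the comment describes.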