Saturday, February 19, 2011

Had a phone call from a very IT literate guy in another, similar school yesterday. His head is worried about security, and won't use the EMAIL system because he is convinced his email is being read by the network people.

Well, no surprise there then. As a protocol developed in the 1970s for email between friends on ARPANET, the whole thing is inherently insecure. We use kludges to encrypt at various stages, but it's difficult to tell someone that a TLS SMTP transaction doesn't mean the email is secure on the IMAP server it ends up on.

Then, of course, there is the statement that it's all but impossible to secure files kept on a file server to which someone has physical root access.

Most of the articles on IMAP security consider only an encrypted exchange with the server.

So, the only way his emails are going to be secure is if he elects to use PK encryption (or equivalent) on his email client. But this is just far too unwieldy for the untechy types using email these days. The costs outweigh the benefits.

So one trots out the other line. Email is about as secure as stuff on the back of a postcard.

My PK is (0x) 35168699