
Why I think OpenPGP is better than S/MIME

May 23rd, 2006 by Adam

As I discussed on my main website, there are two major types of email encryption: OpenPGP and S/MIME. I believe that OpenPGP is a far superior system, although I admit it is a bit more complex to set up. That extra complexity is mainly because S/MIME functionality is already built into many email client programs, whereas OpenPGP usually has to be added.

So, first things first: why is S/MIME built into email programs but OpenPGP isn't?

Well, there are two possible issues. The first one I believe to be the most likely: money. In most cases, you need to pay around $20 per year for an S/MIME certificate. There is therefore an incentive for companies to push S/MIME and make money out of it. The second, “slightly” less likely reason is government intervention. If you get an S/MIME certificate, the issuer of the certificate will have a copy of it, allowing them to decrypt your email if the government decides it wants to read what you’ve been sending. OpenPGP is based entirely on “certificates” generated by you, so the government (or any other party) would probably not be able to get a copy of it and decrypt the emails.

So why do I prefer OpenPGP?

Well, see the paragraph above. Firstly, you usually need to pay for an S/MIME certificate (although there are some free certificates available), but the main reason is that you are placing your trust in a Certificate Authority (CA) to keep your emails private. What would stop the CA from handing the certificate over to the government? Or even an employee being paid off by a journalist so they can intercept potentially sensitive information? OpenPGP puts you in control of your keys and therefore your privacy.

OpenPGP is also more configurable. You can choose which options to use. You can generate a key with loads of bits (more secure) if you like, or you can use a smaller key if you wish. S/MIME generally forces a 1024-bit key on you (the smallest standard key that OpenPGP will generate). You can also use as secure a hash algorithm as you like, whereas S/MIME forces SHA-1 on you; as discussed in this article, SHA-1 is the least secure hash algorithm still in general use.

OpenPGP can also be used for more than just email encryption. Its most common implementation, a program called GnuPG, can also encrypt files and can create and verify file signatures; it is a very versatile tool. More importantly, it’s free, open-source software and is constantly subjected to peer review. This means that any security loopholes or issues are quickly found and reported widely, ensuring you and your data are as safe as possible.
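The two points above (you choose the key size and the signature hash, and the same tool signs, verifies, encrypts and decrypts files) can be seen in one short GnuPG session. The script below is an added example, not code from the original post or from the GnuPG project; the user id, the sample message text and the `KEY_BITS`/`DIGEST` defaults are constructed placeholders, and it works in a throwaway `GNUPGHOME` so it never touches your real `~/.gnupg`. It assumes a GnuPG 2.x `gpg` on the path.

```shell
#!/bin/sh
# Added example, not code from the original post. A disposable GnuPG session
# that exercises the choices the post describes: you pick the key size and the
# signature hash, and one tool signs, verifies, encrypts and decrypts files.
# All names, addresses and paths are constructed placeholders; the keyring
# lives in a temporary GNUPGHOME so nothing touches ~/.gnupg.
set -eu

KEY_BITS="${KEY_BITS:-3072}"      # our choice, not one dictated by a CA
DIGEST="${DIGEST:-SHA256}"        # any digest GnuPG offers, rather than SHA-1
UID_MAIL="demo@example.invalid"   # placeholder user id

# Isolated keyring so the demo key is throwaway.
setup_home() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
}

# Stop the agent started for the temporary home and delete the home.
cleanup() {
  gpgconf --kill all >/dev/null 2>&1 || true
  rm -rf "$GNUPGHOME"
}

# Unattended key generation: the parameter block is where key type and size
# are chosen. %no-protection means no passphrase (fine for a demo key only).
gen_key() {
  gpg --batch --quiet --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: $KEY_BITS
Subkey-Type: RSA
Subkey-Length: $KEY_BITS
Name-Real: Demo User
Name-Email: $UID_MAIL
Expire-Date: 0
%commit
EOF
}

# 0 if the primary key really has the requested size (field 3 of the
# colon-separated "pub" record is the key length in bits).
key_has_bits() {
  gpg --list-keys --with-colons "$UID_MAIL" 2>/dev/null \
    | grep -q "^pub:[^:]*:$KEY_BITS:"
}

# Detached signature of $1 written to $1.sig, using the chosen digest.
sign_file() {
  gpg --batch --yes --quiet --local-user "$UID_MAIL" \
      --digest-algo "$DIGEST" --detach-sign "$1" >/dev/null 2>&1
}

# 0 only if $1.sig is a good signature over the current contents of $1.
verify_file() {
  gpg --batch --quiet --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Print the OpenPGP hash algorithm id recorded inside a signature
# (2 = SHA-1, 8 = SHA-256, 9 = SHA-384, 10 = SHA-512).
sig_digest_id() {
  gpg --list-packets "$1" 2>/dev/null \
    | sed -n 's/.*digest algo \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Encrypt $1 to our own key (writes $1.gpg); decrypt prints the plaintext.
encrypt_file() {
  gpg --batch --yes --quiet --trust-model always \
      --recipient "$UID_MAIL" --encrypt "$1" >/dev/null 2>&1
}
decrypt_file() {
  gpg --batch --quiet --decrypt "$1.gpg" 2>/dev/null
}

# Full round trip; returns 0 when every step behaves as expected, including
# the signature being rejected after the file is altered.
demo() {
  setup_home
  gen_key
  key_has_bits || { cleanup; return 1; }
  f="$GNUPGHOME/msg.txt"
  printf 'check out this link\n' > "$f"        # constructed sample message
  sign_file "$f"
  verify_file "$f" || { cleanup; return 1; }
  encrypt_file "$f"
  [ "$(decrypt_file "$f")" = "check out this link" ] || { cleanup; return 1; }
  printf 'altered text\n' > "$f"
  if verify_file "$f"; then cleanup; return 1; fi  # tampering must be caught
  cleanup
  return 0
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh openpgp_demo.sh run`; an exit status of 0 means the key had the requested size, the signature verified, the encrypted copy decrypted back to the original text, and the signature was correctly rejected once the file changed. Changing `KEY_BITS` or `DIGEST` in the environment is all it takes to use a different key size or hash, which is the configurability the post is talking about.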

Yes, I know, I’m talking about my emails as if they are the most important thing in the world, when 90% of the encrypted emails I send are general day-to-day emails that say “check out this link” or “I forgot to tell you today…”, but depending on your situation, an email really can be the difference between life and death. For example, if a journalist were sending information from a country with particularly strong secrecy laws (China, North Korea, etc.), a leaked or intercepted email containing “restricted information” could have him imprisoned or worse. In situations like this, it’s vital that you can have full trust in your encryption systems, and I believe OpenPGP is the way to do that.

Posted in Security
