Setting up PGP
This all sounds great in theory, but unless you want to spend more than $100 for Symantec's PGP software, you're going to find that setting up PGP encryption is easier said than done.
Security expert Robert David Graham of Errata Security called PGP "more trouble than it's worth." However, he said, PGP is probably the best place to start for someone new to encryption.
All of the OpenPGP authorities — insofar as authorities exist in open-source software development — have websites that look straight out of the 1990s.
The site you want is www.gnupg.org, which distributes free, open-source software called GnuPG, or GPG for short, that's based on the OpenPGP standard. GPG was written for users of the Linux and GNU operating systems, but the website also contains links to installation packages for Windows (Gpg4win) and Mac (GPGTools).
You're finally in the right place! Now all that's left is a solid hour or two of setup as you make your way through the long but thorough instruction manuals for Gpg4win or GPGTools. By the end of it, you'll have PGP-based encryption functioning on Outlook for Windows (if you used Gpg4win) or Apple's OS X Mail app (if you used GPGTools).
But what if you don't use either of those clients, but instead use a browser? If you want to send and receive encrypted email via a browser-based email service, or webmail, you can install a browser-specific plugin. That plugin will act as a bridge between your browser and the PGP software already downloaded onto your computer.
To find the appropriate plugin, check your browser's app store or do a Google search for your browser's name plus "PGP plugin."
Why webmail doesn't cut it
Why isn't there an easier way to go about setting up PGP? Marlinspike says it's more than just a simple question of developing better user interfaces.
"When it comes to secure email, it has long been time to throw out the PGP model and start over," Marlinspike told us. "Unfortunately, however, for the past 13 years, the development of a usable secure email system has been blocked by one thing: webmail."
People love the convenience of webmail, but it's just not as secure as a desktop client, and therefore many cryptographers simply don't bother writing browser plugins for email encryption. "It is simply not possible to produce a secure email system that works in the webmail context," Marlinspike told us. "So most people who are interested in working on secure email haven't even bothered, because it's a non-starter."
Marlinspike says there are no browser-based encryption services that he could recommend "with a straight face."
In email, as with all online communications, privacy comes at the expense of convenience. So it's up to users whether they want to switch to desktop email, and thus increase their security, or continue to use webmail.
"It's a matter of tradeoffs," said Graham. "How much time do you want to spend learning this stuff, and how much do you fear the NSA?"