Internet Tips

You may have heard about e-mail encryption--you may even have tried it and given up because it was too confusing (okay--too geeky). It's time you tried it again. With programs like Pretty Good Privacy and the encryption systems built into Internet Explorer and Netscape Communicator, you can scramble your messages so only the recipient can read them, or digitally sign them to prove you're who you say you are. But signing and encrypting mail involve extra steps and, in some cases, extra expense. If your messages usually aren't sensitive, why bother?

The short answer: If you don't, someday you may wish you had. Sure, it's unlikely that someone has singled out your mundane missives for scrutiny from among the millions zipping around the Net. But it's easy to become a target. And if you use your employer's mail system, you probably already are. When you negotiate a salary increase, discuss personal matters, advise clients on sensitive issues, or conduct other legal and ethical but private affairs using e-mail, the only way to ensure your privacy is to use encryption.

Go With PGP

The encryption system built into Windows (via Internet Explorer) works much like Pretty Good Privacy's, but I advise you to skip it, for several reasons. (If you want to try it anyway, look for helpful tips in the December issue's "Postmasters.") First, using it costs money--you have to purchase a digital ID certificate from a third-party certificate provider. Second, few e-mail programs aside from IE and Communicator support the digital IDs. And third, PGP is a more secure encryption system than the one included with Windows.

How can I say that? Both systems use encryption keys large enough to stymie the FBI, NSA, ATF--whoever. But recent rumors that Microsoft included a back door in its security system for the government to sneak through point out a fundamental flaw. These rumors are almost certainly untrue, and Microsoft's system may be as robust cryptographically as PGP. But the software's internal structure is unavailable for public review.

In contrast, PGP is an open-source program. Legions of doubting Thomases pore over its public source code to satisfy themselves that the NSA will never break asunder what PGP has encrypted. Unless Big Brother has induced mass hypnosis among privacy geeks, PGP has no back door. By the time the men in black decipher your gibberish, you will be ancient history. And to ice the cake, PGP is easy to use. It comes with plug-ins for Outlook, Outlook Express, and Eudora, as well as with a Windows system tray icon that enables you to encrypt or sign the text contents of any window on your screen.

If you decide to give PGP a try, I recommend starting at MIT's PGP distribution site. After you fill out a form declaring that you are a U.S. or Canadian resident (to comply with U.S. munitions law), you can download the latest freeware version (6.5.1 as I write this column). The Windows 9x/NT version weighs in at a hefty 8MB. Outside North America, find international versions of PGP at the International PGP Home Page.

When you first set up PGP, you get to choose which optional elements you want to install (including e-mail program plug-ins and the PGPnet virtual private networking module). All you really need are the Key Management module and plug-ins for your mail programs, if any. You may also want the user guide. (If you install PGPnet, select Start, Programs, PGP, PGPkeys after your PC reboots to continue installation.) The installer will ask you to choose an encryption type and strength--use the defaults, Diffie-Hellman/DSS, and 2048 bits. When prompted, pick a "passphrase" you won't forget but no one else with access to your computer will guess. And don't write it on a sticky note or any other place. When the installer tells you to send your public key to the key server, do it. That's how other PGP users will communicate with you securely.

You can start signing, encrypting, and decrypting messages right away, or simply ignore PGP until that fateful day when you decide to order some, er, personal items from an online store. To sign outgoing messages or decrypt and verify the authorship of incoming ones, choose Decrypt/Verify in the PGP menu that the plug-in added to your mail program, or click the PGP system tray icon (select Start, Programs, PGP, PGPtray if you don't see the padlock icon) and choose Current Window, Decrypt & Verify.

To encrypt outgoing messages, you must first download the recipient's public key and add it to your Keyring database. Launch the PGPkeys utility from the system tray PGP menu, the Start menu, or the PGP plug-in menu; choose Server, Search; enter your search criteria (an exact e-mail address is best); and click OK. When you find the key you're looking for, drag it into the main PGPkeys window. To encrypt a message, choose PGP, Encrypt and sign now, or click the PGP system tray icon and choose Current Window, Encrypt & Sign.

If you need help, start with the official PGP FAQ. Simson Garfinkel's PGP: Pretty Good Privacy is an excellent primer on public-key encryption and Pretty Good Privacy, though parts of it are a bit out-of-date. For the most current information available and for access to other PGP users, visit the alt.security.pgp and comp.security.pgp.discuss newsgroups.

SUMMARY

PGP: Pretty Good Privacy $30 O'Reilly & Associates 800/998-9938 www.oreilly.com