
Ask HN: How to make secure email convenient? - xorgar831
In every org I've worked for Email has been an issue, from requiring people to have two phones, to clumsy apps that sandbox corp email. The fallout is that users will simply go around these (supposedly) more secure hurdles. How is this not a solved problem?
======
atmosx
> How is this not a solved problem?

It's not because the big 3 (Apple, Google and Microsoft) do not want you to
encrypt your email, so they can use it for data mining. If 70% of their gmail
users used encryption, I'm sure they'd be turning the service subscription
only or (as it's customary for G) shut it down.

So, if you need encryption you have to use an external "add-on".

The problem of _secure email_ is _solved_, it's just not _pushed_ as a
standard because:

a) Users don't understand they're being tracked (or don't care)

b) It's not promoted (actually it's being demoted) by industry leaders

The fact that H. Clinton and her equip didn't use GPG is appalling, doesn't
make sense. This group of people had big stakes on the privacy of their
communications, they went as far as setting up a mail server and forgot to
apply encryption? I just don't get it.

~~~
stephenr
Apple specifically say they don't data mine users' data, and for all but the
most basic users iCloud _is_ subscription only.

Also note that macOS and iOS mail both support s/mime out of the box, you just
need to supply certs/keys.

------
dev_throw
I have witnessed several enterprises move from 100% email to 90% Slack and
alternatives while using email primarily for scheduling purposes. I have a
feeling corporate email will slowly die off over time.

Perhaps using a community messaging tool with built-in end-to-end Signal
encryption will be the way to secure lines of communication in the near
future.

~~~
ttul
Corporate email will become more about interacting with the outside world and
less about team interaction. Which makes sense because inside the
organization, you have a contained set of actors, whereas outside there are
billions (and also apps, mailing lists, etc).

------
gravypod
> How is this not a solved problem?

Because we better understand the threat vectors that are imposed on the
company from sloppy IT practices and as such are more willing to take security
measures to prevent these things from happening.

We are also, at the same time, too stupid to realize that not everyone wants
5 applications just to encrypt their mail with a PGP key. When we make it so
that by logging into a service with a password your browser can derive a
private key and public key and use that to sign and send email we will have
larger adoption. This will only be the case if it is automatic.

Sure it's less secure but less secure is better than unused.

------
GQLupb
Build end-to-end encryption into the gmail app for Android/iOS.

There's no real reason this is not possible, and the benefits are huge. The
ease of use of end-to-end encryption in WhatsApp etc shows there's nothing
technically impossible about this, and fundamentally, the gmail app is no
different to WhatsApp when it comes to sending mail from one gmail account to
another.

------
justintocci
The existing solutions all fail because they add friction.

There is a clear way forward. Add transparency to email clients. For example,
I have two emails in my inbox right now. Which one was sent in the clear?
Which via ssl? I don't know. If I knew, then I might be annoyed by the one
that was sent in the clear. And if I'm annoyed I might do something about it.

~~~
stephenr
macOS mail identifies S/MIME signed/encrypted emails with a little icon.

Honestly knowing that the email traveled over a secure transport is less
important than knowing it's signed/encrypted.
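
Added example, not part of any comment in this thread: the per-message "sent in the clear or via ssl?" indicator justintocci asks for can be approximated from a message's Received headers. The sample messages and the trusted host name mx.corp.example are constructed assumptions; only hops stamped by a trusted server are counted, since upstream headers can be forged.

```python
import re
from email import message_from_string

# Received "with" keywords that mean the hop used TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
COMMENT_RE = re.compile(r"\([^()]*\)")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)

# Constructed sample messages (hosts and ids are made up for illustration).
SAMPLE_TLS = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by mx.corp.example (Postfix) with ESMTPS id 4ABC123
    for <bob@corp.example>; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@sender.example
Subject: sample one

body
"""
SAMPLE_CLEAR = """\
Received: from relay.other.example (relay.other.example [198.51.100.7])
    by mx.corp.example (Postfix) with ESMTP id 4DEF456; Mon, 1 Jan 2024 10:00:00 +0000
Received: from client.other.example by relay.other.example with ESMTPS id 1;
    Mon, 1 Jan 2024 09:59:00 +0000
From: carol@other.example
Subject: sample two

body
"""

def hop_transport(raw_message):
    """Return [(receiving_host, protocol, used_tls)], newest hop first."""
    hops = []
    for received in message_from_string(raw_message).get_all("Received", []):
        flat, prev = " ".join(received.split()), None  # unfold continuation lines
        while prev != flat:  # drop (comments), including nested ones
            prev, flat = flat, COMMENT_RE.sub(" ", flat)
        by, proto = BY_RE.search(flat), WITH_RE.search(flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "unknown", name, name in TLS_PROTOCOLS))
    return hops

def transport_label(raw_message, trusted_hosts):
    """Label a message from hops recorded by trusted servers only."""
    trusted = [h for h in hop_transport(raw_message) if h[0] in trusted_hosts]
    if not trusted:
        return "unknown"
    return "tls" if all(h[2] for h in trusted) else "cleartext"
```

The label covers only the hops into servers you trust; it says nothing about earlier hops or about whether the content is signed or encrypted.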

