Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: How to accelerate the adoption of secure email?
5 points by als0 5 days ago | hide | past | favorite | 7 comments
Google Chrome accelerated the adoption of TLS for websites by making it difficult to access websites over insecure channels. This is likely because of their dominant market position. LetsEncrypt also commoditised the certificate business to the point of free.

What would it take for a similar thing to happen for unsigned and unencrypted e-mail? Which companies or organisations could contribute to a fast change?

End-to-end or hop-by-hop? I'd argue that hop-by-hop encryption (i.e. SMTP over TLS) is becoming more common. Protocols like SMTP-STS and DANE help.

E2E is another story. There's never been a good user friendly tool that allows non-experts to easily use at scale (i.e. outside of a controlled enterprise). Then there is the problem of cert distribution/discovery: How to find recipient's keys in order to send encrypted email. There is a DANE solution to this but it never caught on.

Lastly, there is the multiple device problem. People send and receive email on multiple devices (usually laptop, mobile phone and occasionally tablet). Any solution needs to account for syncing keys between devices.

The above assumes open standards based email (S/MIME and OpenPGP). some platforms have a closed solution that works on their platform but not with users on other platforms. Similar to how every medical provider in the US has a messaging portal for patients rather than rely on (insecure) email.

I've used S/MIME email within a company and on one occasion to another company. It was underpinned by a CA model. These days, obtaining a certificate for your client is not more difficult than obtaining an app password (some providers like Gmail and O365 ask you to obtain such an app password for "legacy" or "insecure" clients). There is a definitely big margin for usability improvements. We've seen browser vendors like Chrome and Safari make such strides.

I agree that the multiple device problem is a long standing unsolved problem for E2E. However, there have been minor success stories like iMessage, WhatsApp, OnePass, Signal and iCloud Keychain. These solutions do sync secrets well. They aren't for everyone because of the trust model but do provide an acceptable convenience for a significant number of people - in the same way that the web's current CA hierarchy is convenient to many.

How would you handle spam with predominantly E2EE emails? WhatsApp et al. have complete control over clients giving them a few more cues to go by. I would imagine it would get even harder to send anything from your own server. Though one could argue it's already too hard to bother.

Not thought this through but if enough clients vote on who is a spammer then servers could indicate that an email might be spam. To some extent this might already be done when you voluntarily mark something as Junk or Spam in a webmail client.

I hope that Apple takes the lead here, because it would fit well with their other efforts in user privacy and security.

"Apple dropped plan for encrypting backups after FBI complained." https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

This is an example of why I don't see any major company pursuing this. Or if they did, they'd hold a master key or some other backdoor so they can hand the data over.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact