Educause Security Discussion mailing list archives
Re: Do you use Email encryption software?
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 16 Jan 2009 08:45:18 -0500
On Fri, 16 Jan 2009 07:52:43 EST, "Fusco, David (FUSCO)" said:
Should every email from a faculty member to a student that has a grade in it be encrypted? I would think that most institutions do not use encryption for this type of process, but how far have you taken it? We are considering it for the encryption of obvious messages, such as financial data, health data, etc.
From a purely cryptographic standpoint, once you have implemented e-mail
encryption, you might as well use it for *everything*. The important mail *and* the trivial. The first reason is that if (say) you only encrypt the 3% of your traffic that "needs" it, you can do traffic analysis on that. It becomes obvious to an attacker which users are handling sensitive data because they're doing a lot of encrypted traffic. If all traffic is *by default* encrypted, then you can't tell which users are sending around orders for millions of dollars of equipment, and which are telling their administrative assistant that they seem to be out of paper clips. (This is slightly weakened by the fact that most e-mail solutions encrypt the bodies, but the RFC822 headers are sent in the clear). The second reason is that users always have a easier time messing up in the default direction of a setting. If the default is to "don't encrypt", then they can screw up and forget to click the checkbox and send it in plaintext. If the default is "encrypt everything", then they need to go and *find* the checkbox and manually clear it to send it in plaintext.
Attachment:
_bin
Description:
Current thread:
- Do you use Email encryption software? Fusco, David (FUSCO) (Jan 16)
- <Possible follow-ups>
- Re: Do you use Email encryption software? Valdis Kletnieks (Jan 16)
- Re: Do you use Email encryption software? Miller, Don C. (Jan 16)
- Re: Do you use Email encryption software? Jesse Thompson (Jan 21)