Encrypting OS X and iOS email with public keys

“In recent weeks, I’ve written about protecting data stored locally on a hard drive, against both people with physical access and potential remote attacks,” Glenn Fleishman writes for Macworld. “But your data is much more vulnerable in transit, as it passes between end points or via servers.”

“This problem is effectively solved for instant messages with iMessage, which uses strong end-to-end encryption designed in such a way that—Apple says—not even they can decrypt your messages,” Fleishman writes. “This is accomplished by creating local encryption keys through a process that can’t be reverse-engineered on their side. Even though iMessages pass through intermediate points on the Internet, there’s no opportunity for others to grab the plain text, images, and audio within. (The same is true with FaceTime audio and video.)”

“But it’s still a mess for email, whether Mail in iOS or OS X, or third-party email software,” Fleishman writes. “iMessage [offers] …strong end-to-end encryption. So how can we achieve the same in email? Through the use of public-key (PK) cryptography, something that’s been available for encrypting documents and email messages since 1991 in one form or another.”

Read more in the full article here.

5 Comments

  1. WTF is this all about? Come back when, exactly, for the next piece of the puzzle?

    Articles like these remind me of those magazines that you have to buy 250 copies of at £9.99 to build a car… first issue only 99p!

    Shite.

  2. Part 2 of Glenn’s article is no doubt going to discuss the history and workings of Gnu Privacy Guard, ‘GPG’. AKA ‘GPGTools‘ on the Mac platform.

    https://gpgtools.org

    I’ve been using GPG inside of Apple Mail for several years. But I mainly use it as a method of certifying my identity as the author of my emails. I almost never use it to encrypt my email. Here’s why:

    1) GPG is not trivial to setup and understand. It has a scary learning curve. The documentation has thankfully been improving with time, which helps.

    2) Even many of my Mac security buddies don’t see the point in bothering with it as certifying one’s identity, let alone encrypting email, hasn’t been important to them. We aren’t sharing secret formulas or bomb blueprints. [Oops, I just triggered the NSA alarms. Hello NSA!]

    3) The GPG development team hasn’t had a lot of support or sufficient staff, until very recently (as I suspect Glenn will discuss). Every major change in OS X has meant a new period of beta testing of a new version of GPG. Currently, the version for OS X 10.10 Yosemite is STILL in beta. IOW: It’s slow in its development.

    I still love and champion GPG and recommend it to everyone! But getting through the learning curve is NOT for grannies. Most people don’t even comprehend what ‘certification’ and ‘encryption’ actually ARE! The mere words fly over their heads. Plus, we aren’t in an actual state of BIG BROTHER surveillance. Most people think sending their email in-the-clear for any hacker to read isn’t that big of a deal. – – – YET. 😯

    1. BTW: Apple uses PGP (the commercial, Symantec [gag!] owned equivalent of GPG) to certify all their security documents. When they arrive in my Apple Mail inbox I get a notification that the documents are REALLY from Apple, as opposed to some phishing scammer, etc. That’s VERY useful as well as reliable.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.