Last week's revelations of security breaches at Hotmail and ireland.com have shaken users' faith in Web-based email systems and heightened interest in encryption tools. The ireland.com problem was a minor one, but at Hotmail a gaping security hole left the mail accounts of over 40 million users wide open. Hackers could read their mail and send messages in their names.
This was just the latest in a long series of service and security problems at Hotmail, but the size of the problem guaranteed it worldwide attention. Encryption programs have long been pushed by Internet privacy advocates and Net veterans, but most casual users decided that they were just too much trouble. Many are now changing their minds.
Public-key encryption would have protected users against the two main effects of the Hotmail problem. As well as scrambling the contents of email messages to protect them from interception, it allows senders to digitally sign messages - proving that a message originated with the owner of the key used to sign it.
These programs work by allocating each user two keys, a private one and a public one. They are mathematically related, so that messages scrambled with the public key can be read only by using the private key. However, the private key cannot be deduced from the public one without using amounts of computing power so large that the process is believed to be infeasible even for government agencies.
So, for Ms A and Mr B to communicate securely, they both need to obtain an encryption program and generate a public and a private key each. They can distribute their public keys to anyone they want to communicate with, or even post them on public key-servers on the Net, from which they can be downloaded. They must each keep the private keys to themselves.
To send a message securely Ms A would tell her encryption program to encrypt it with Mr B's public key and to sign it with her private one. The first stage turns the message into a jumble of letters and symbols unreadable by anyone who does not have Mr B's private key. The second stage assures Mr B that the message is in fact from her, and not from someone who has seized control of her Hotmail account.
As well as guarding against hackers, this process protects the correspondents from accidental disclosure of their message. If Ms A, for example, mistyped Mr B's email address, the message might well end up within Mr B's company, but directed to the staff member who handles stray email messages. This could have unfortunate consequences if the message was a response to a job application, or a love letter, or a discussion of plans for them to leave their jobs and set up in business together.
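The exchange between Ms A and Mr B described above, together with the stray-recipient and hijacked-account cases, as an added Python example that is not part of the original article and is not PGP's own code. It assumes unpadded textbook RSA over fixed, well-known Mersenne primes so that it runs with the standard library alone; that shows how the two keys relate but is not secure, and the function names and sample message are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent (assumed here; a common choice)

def make_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    # public key (n, e), private key (n, d); d is the inverse of e modulo phi
    return (n, E), (n, pow(E, -1, phi))

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def encrypt(message, recipient_public):
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)

def decrypt(ciphertext, private):
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(message, signer_private):
    n, d = signer_private
    return pow(digest(message), d, n)

def verify(message, signature, signer_public):
    n, e = signer_public
    return pow(signature, e, n) == digest(message)

def demo():
    # Constructed toy keys from known Mersenne primes (trivially factorable).
    a_pub, a_priv = make_keypair(2**521 - 1, 2**607 - 1)    # Ms A
    b_pub, b_priv = make_keypair(2**1279 - 1, 2**127 - 1)   # Mr B
    x_pub, x_priv = make_keypair(2**2203 - 1, 2**89 - 1)    # anyone else
    msg = b"Shall we hand in our notice on Friday?"         # constructed sample
    ct, sig = encrypt(msg, b_pub), sign(msg, a_priv)
    return {
        "mr_b_reads": decrypt(ct, b_priv),                  # the original text
        "signature_ok": verify(msg, sig, a_pub),            # True
        "stray_recipient_reads": decrypt(ct, x_priv),       # unreadable bytes
        "hijacker_signature_ok": verify(msg, sign(msg, x_priv), a_pub),  # False
    }

if __name__ == "__main__":
    print(demo())
```

PGP itself encrypts the message with a one-time session key and uses the recipient's public key only to protect that session key.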
Despite their reputation for complexity, encryption programs are in fact quite easy to obtain and operate. Among the best (and best-known) encryption programs is Pretty Good Privacy (PGP). Obtaining and using it is a relatively simple process, and the program is free for personal use.
The first step is to go to the website www.pgpi.org, where an international version of the program is provided because of US export restrictions on cryptography. Versions for DOS, Windows, MacOS and Linux can be downloaded from this site. The download will take some time, as the program is large (just over 6.6MB for the Windows version).
Following a simple installation process, the user is prompted to create a key-pair and to post the new public key to a key-server if they want to. PGP comes with good documentation and help files that should be enough to get most users going.