Mail encryption has gotten less cryptic, but some usability glitches linger

I seriously underestimated you all late last year. In a Dec. 7 post about encryption, I wrote that I hadn’t gotten an encrypted e-mail from a reader in years and said I expected that streak to continue.

It did not. Within a week, a dozen or so readers had sent me messages encrypted with my PGP public key (under subject lines like “Have Faith!” and “Challenge Accepted”), and several others have done the same since. That’s taught me that the crypto user experience has, indeed, gotten pretty good in GPG Suite, the Pretty Good Privacy client of choice in OS X.

But at the same time, some awkward moments remain that remind me of the woeful state of things in the late 1990s.

Most of them involved getting a correspondent’s public key, without which I could not encrypt my reply. When it was attached as a file, dragging and dropping that onto the GPG Keychain app had the expected result, but when it came as a block of text in the decrypted message, I (like other users before me) wasted a few mental processor cycles looking for an import-from-clipboard command when I only had to paste that text into GPG Keychain’s window.

I should have also been able to search keyserver sites for a correspondent’s e-mail address, but those queries kept stalling out at the time. One reader did not appear to have a key listed in those databases at all, while I had to remove a subdomain from another’s e-mail address to get his key to turn up in a search.

One more reader had posted his public key on his own site, but line breaks in that block of text prevented GPG Keychain from recognizing it.

The GPGMail plug-in for OS X Mail is in general a pleasure to use. But its default practice of encrypting all drafts meant that I could no longer start a message on my computer and finish it on my phone–and one e-mail that I’d queued up in the outbox while offline went out encrypted, yielding a confused reply from that editor. I’ve since shut off that default.

It’s quite possible that the upcoming stable release of GPG Suite for OS X El Capitan will smooth over those issues. But that version was supposedly almost ready in late September, and there hasn’t been an update on that open-source project’s news page since. I suppose having to wonder about the status of a crucial software component counts as another crypto-usability glitch.



9 thoughts on “Mail encryption has gotten less cryptic, but some usability glitches linger”

  1. Hey Rob,

    that is a nice write-up. It would be great if you could re-post it (as is) in our support platform. That way, we could connect the open tickets for the problems you are mentioning and could let you know as we fix them. Some have already been fixed by the way – e.g. GPG Keychain, when open, will now automatically detect if a key is in your clipboard and ask if you want to import that key.

    This project is all but dead and the issues mentioned are a big part of the work we are currently doing.

    The default to encrypt all mails is actually an important security feature. As an activist, you would not want your drafts to end up on some mail hosting servers, with content you originally intended to encrypt. It’s one of a few settings available in the GPGMail preferences and fairly easy to disable. Imagine things the other way around – not a situation critical communication should be in.

    Key management and exchange are not trivial to solve problems, which is not meant to say, we’ve done all we could to make it even easier.

    • Thanks for the detailed reply. That’s some great customer service! About encrypting drafts by default, I get where you’re coming from–if anybody should be inconvenienced in that scenario, it should be me. But could the plug-in know not to encrypt a draft if there’s no recipient with a public key in the keychain?

      • 1. Language barriers: “all but dead” was intended to indicate “we are working on things” and not that the project is soon to be closed.

        2. Please post your feature request on our support platform, so we can process it into our system.
