One of the most difficult things that hinder data privacy other than anti-encryption laws is the technicality of deploying user friendly encryption. Automation leads to poor quality implementations rendering encryption meaningless like generation of private keys on a company’s server offering you 100% secure public-private key-pair system. It is a typical engineering trade-off, it is always UX versus security. You either get a super user-friendly application or a secure one, you rarely get both, especially where you are working on encrypting content of a universally federated system like Email.
Secure/Multipurpose Internet Mail Extensions or S/MIME uses public key cryptographic system for encryption and signing of email content including text and attachments like audio, video, images etc. It is the go-to solution for Email encryption versus much more difficult PGP/GPG. You basically get a valid signed cert issued from a trusted public CA, configure it in your email client and it just works. No need to download extra plug-ins and spend hours configuring complex things like in the case of GPG. Also, with GPG, things get hopeless when you use it on a smart-phone for the majority.
Public key cryptography or asymmetric cryptography is a system that uses a uses a minimum of two keys, a pair, public and private keys. Out of the two, public key is meant for distribution to others and is used to encrypt anything incoming to you that can only be decrypted using the your private key. The reliance of this cryptographic system comes from the fact that unlike symmetric-key algorithms, the same key cannot be used to both decrypt and encrypt the content. It is one of many reasons to include it as inevitable part of any modern crypto-systems.
Widely deployed TLS/SSL encryption protocol also uses the same public key cryptography system. Let’s Encrypt, a non-profit Certificate Authority (CA) that was publicly announced on 18th of Nov 2014, has made it possible for over a 225 million websites to obtain TLS certs for free of cost. Technology is robust and efficient even for a non-profit like Let’s Encrypt to be able to issue over a billion TLS certificates in a short span of 6 years only. Things done for public-benefit works just as good when implemented properly.
Sadly, Let’s Encrypt do not offer S/MIME as of yet.
S/MIME serves a lot of cryptographic functions for email including but not limited to authentication, content’s integrity, privacy and security using robust encryption. The aforesaid, pair of minimum two keys i.e. private key and public certificate can either be generated from a private certificate authority (CA) or a widely trusted public CA like Polish Certum or Swiss-based infamous CA called SwissSign. Benefit of using a public CA is that the valid signed certs are going to be trusted by all modern S/MIME supported email clients or applications.
S/MIME’s idea to encrypt emails is borrowed from or based on deployment of TLS certs by in-house or Public CAs. Although the certificate type is not same. Their fundamental purposes are far apart too. S/MIME is about confidentiality of the message. SSL/TLS is about confidentiality of the transmission.
Automatic trust by modern clients and applications, gives rise to a question, whether you should go for a paid S/MIME certificate from a public CA? Or the freely available ones are good enough for you? It is not going to be a simple answer by any means.
Public-key encryption reckons on secrecy of your private key. For starters, most widely trusted free S/MIME certificate issuers do not have support for certificate signing requests or CSR. CSR is like an application to a CA for a valid signed certificate. It contains public key for which the certificate is to be issued. Now what’s special here is that before generating a CSR that you submit along with other details to your CA, you generate a key pair, giving you the basic possibility to keep the private key with you locally on your computer. So, if your CA is offering you free S/MIME certs without accepting a CSR for the same, I would call it a grift. If your S/MIME certificate’s private key was generated on your CA’s servers, there is a fair chance that they stored it and are in technical capacity to decrypt your encrypted electronic mails. It is mere privacy by policy and not design without CSRs.
Before you choose not to pay, keep in mind, there are no free lunches. When you do not pay for the product you are a product. When public pays the public is served and when advertisers pay advertisers are served. Its basic truth of life. No one would want to give you free food unless its a religious community mess funded by believers and followers for public-benefit, in a way like non-profit public CA known as Let’s Encrypt.
Its been almost 30 years since Phil Zimmermann wrote PGP. PGP or GPG is still hard to use for the mainstream in 2020 even on desktops, let alone dominant mobile devices like smart-phones. Even geeks like the inventor of PGP, Mr Phil agrees. He finds it difficult to use his own product, which is considered to most used email encryption software on the planet. It is not smooth experience if you like to send an encrypted email with PGP/GPG and without messing it up.
A public-internet technologist, Mr Bruce Schneier has admitted similar things on his blog post, ‘I have long believed PGP to be more trouble than it is worth. It’s hard to use correctly, and easy to get wrong.’
This is what Google’s help center has to say on S/MIME:
To conclude, if you value your email’s confidentiality during transit and at rest, S/MIME is a practical approach to email security owing to content (MIME) encryption and digital signature’s non-repudiating nature. Even if you are not sending a lot of encrypted emails owing to lack of adoption in your work or family circle, you could still sign all your emails to affirm the source of email. With native compatibility without any extra software or plug-ins on popular or leading email clients on both mobile and desktop platforms, S/MIME is apparently toppling every other available email encryption scheme out there. It is simply secure, practical and easy to use.
