Astaro User Bulletin Board - View Single Post - Why Astaro Email Encryption is useless (or worse)

AngeloC · #3 (**permalink**) 06-16-2009, 07:13 AM

Thanks for your feedback. I agree to some levels that doing this type of broad encryption at the gateway has drawbacks. However the system does work when used as intended, which is to offload the need of having to educate and train each end user on how an encryption system works, and ensuring they do it when sending to certain addresses or senders. It is used throughout Astaro's customer base, for example a common implementation is when all mail from the company using Astaro and mail encryption wants to ensure all mails to "lawfirm@ourlawcompany.com" or "joe@myaccountingfirm.com" is encrypted. While for general, growing support of encryption the key harvesting is a nice feature and works well, most users load in the certs or keys of their intended recipients.

That being said, we are investigating ways to make the process even easier, and with better tracking and options. However with any system, usually the easier it gets, the more the most security-minded individual loses control. For example, the most popular clientless encryption solutions start by sending a plain-text email to the recipient informing them how to retrieve their encrypted mail, and even put the credentials in the message! This is insecure yes, but it solves the CUSTOMER problem that the acutal text or message itself is encrypted, and currently the laws and regulations they are conforming to by using encryption doesnt dissallow the transmitting of how to receive sensitive information in insecure ways, just that the information itself not be transmitted. Silly perhaps, but if it solves their problems, they are happy with it.

Thanks again for the feedback, we'll take it in account!