What do you use PGP/SMIME for?

Michael Torrie torriem at gmail.com
Wed May 7 12:15:35 MDT 2008

Nicholas Leippe wrote:
> On Wednesday 07 May 2008, Corey Edwards wrote:
>>> I like to say that there are no degrees of insecurity.
>> I disagree. Security is merely assessing risks and mitigating those that
>> are worth mitigating. Clearly some behaviors are riskier than others and
>> are therefore less secure. OTOH, some things are not worth securing
>> because the potential loss is less than the cost of the additional
>> security.
>> So for example, at my company we routinely send passwords via email and
>> IM. The catch is that the servers are hosted entirely in house and
>> nothing goes over the Internet that's not on a VPN, so really it's not a
>> big deal. Sure, S/MIME or GPG would be more secure on top of it but I'm
>> not convinced the cost of implementing it would be worth it.
> I would not consider that to be insecure--since the information never exits 
> your control and never enters any area of external risk.
> I just mean to say that once something is insecure, that's it. It can't get 
> any worse--so placing any type of degree on 'insecure' for me seems a 
> misnomer. I won't deny that there are degrees of security, however.

If you won't deny that there are degrees of security, and by definition
insecurity, then how can you maintain your original assertion, which
implies that there is such thing as something "secure?"  It's all about
risk management, just as Corey asserted.

To say that Corey's company's practice of e-mailing passwords around the
internal network is "not insecure" is pretty silly.  And Corey did not
claim it was secure.  Rather the risks of someone inappropriately seeing
this data were deemed to be small enough, compared to the costs
involved, to not be worth addressing with added encryption.  Someone
could come in the building somehow and sniff the switched traffic and
intercept these passwords.  If the passwords guarded multi-million
dollar data then maybe the risk factor and costs would be high enough to
use encryption.  If not, then a good operational plan (like changing all
the passwords regularly) is good enough.

A good security analyst will constantly look at situations and assess
changing risk.  For example the company could have added a wireless
network that leaks out of the building to a neighboring building.
Suddenly the entire picture changes.  Though wireless is itself
encrypted, there's still a chance someone could access the signal, break
the wireless encryption and steal the passwords.  This changes the risk.
A new assessment must be made.  Is WPA enough to provide the same level
of reduced risk as a typical internal, switched network?  Should added
encryption be added?  Where should it be added?

As for PGP/SMIME, currently the cost/benefit analysis (with the inherent
risk mitigation analysis) doesn't yet show enough benefit for 95% of
what I do on e-mail.  In fact, I'm quite sure that this e-mail is forged
by someone claiming to be me.  No matter, though, since it's as
inflammatory as anything I'd write.
