Is the free PGP as good as paid services for sending encrypted emails?

I'm choosing between using a free VPN and SSH-service for sending and receiving encrypted emails and have these alternatives:

www.pgpi.org
www.cotse.net
http://mdemail.net/hipaa-medical-email-security/

The first alternative (PGP) is free, the other two are paid services.

If I use PGP, can I be 100% (or close to) certain that my outgoing e-mails won't be read by anyone else?
hermesalphaAsked:
hermesalphaAuthor Commented:
Does it matter where in the world I live as regards the security of VPN and SSH? I live in mainland China now and every web site I visit is registered by the local police (so they know which sites I visit). If I use PGP for email encryption here in mainland China, is there a risk that it will be useless in the end, as I use the hotel's local network (which is monitored by the local police)?

Or will it always work with email encryption as long as the application can be launched, no matter if I live in China or anywhere else?
shubhanshu_jaiswalCommented:
A free service is used by a comparatively large number of users, so it is more vulnerable. I would suggest you go for some paid encryption service if your mail traffic is critical...
IronhoofsCommented:
Wikipedia has this to say about PGP:

Security quality
To the best of publicly available information, there is no known method which will allow a person or group to break PGP encryption by cryptographic or computational means. Indeed, in 1996, cryptographer Bruce Schneier characterized an early version as being "the closest you're likely to get to military-grade encryption."[1] Early versions of PGP have been found to have theoretical vulnerabilities and so current versions are recommended. In addition to protecting data in transit over a network, PGP encryption can also be used to protect data in long-term data storage such as disk files.

http://en.wikipedia.org/wiki/Pretty_Good_Privacy
DocSeltsamCommented:
Hi there,

If you encrypt your mails with PGP, GPG or any other asymmetric encryption and take care of your private key,
there is no way to crack the encryption within a reasonable time at the moment.
This can of course change in the future, so the mail you encrypt today will most likely not be safe forever.

I don't know whether or not the use of encryption in China is prohibited, but I think it is quite widely used.

--TheDoctor
TolomirAdministratorCommented:
You can use the trial version of the current PGP; after 30 days it will revert to the function set of the former free edition.

http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html

The trial version will cease full functionality thirty (30) days following installation. Upon expiration, a certain limited set of "freeware" functionality will continue to be operable.

---
So you can still use your PGP keys to send encrypted emails.


Tolomir
Dave HoweSoftware and Hardware EngineerCommented:
PGP is a commercial provider of encryption software that implements an RFC standard, "OpenPGP"; a free alternative is GPG. Once installed, it allows you to use the public key of an intended recipient (note, you must already have this, although keyservers exist that you can search) to encrypt private messages to them, the public key of a correspondent to check the digital signature of an inbound email (again, you must already have this), your own private key to decrypt messages to you (from people who have your public key) and your private key to digitally sign messages from you.

Most email clients have the second option, S/MIME, built in, but not the tools to create or manage the keys; you can find a free key generator at http://sourceforge.net/projects/xca but there are no S/MIME keyservers: you must manually send your certificate (public key) to all intended correspondents.

PGP (and GPG) use 128-bit encryption in CAST or AES by default, secured by an RSA public key generated by the recipient. If the recipient's key allows, they can also now use 256-bit AES (but this isn't the norm). S/MIME will usually use 3DES at around 112 bits of key strength, again secured by the recipient's key.

Both solutions are effectively unbreakable by analysis, but in a country such as China they are more likely to just seize your endpoint solution if they want to read your mail and/or hack this.

If all you want is secure email, then (despite recent attacks) Google Mail is as good a choice as any: HTTPS access for online webmail, or POP3S/IMAPS/SMTPS for offline. Online has the advantage that no mail is held on your computer, and you can have multiple accounts to surrender should they require/force access to your mailbox.

Cotse are both a VPN web-access provider and a mail provider, so they provide secure surfing too.

I haven't examined the HIPAA site, but they seem to be just another mail provider offering SSL security certified to American HIPAA standards; unless you need to be visibly compliant with that standard, I wouldn't bother.

Hushmail ( www.hushmail.com ) offer a free PGP-compatible webmail solution that can send and receive PGP mail from outside their system. Worth investigating if you are worried about in-transit mail but need something hosted outside China. Note that both Google and Hushmail will comply near instantly with law enforcement requests, although I understand Google won't be helping Chinese authorities any time soon ;)
hermesalphaAuthor Commented:
I installed the PGP Desktop, but the problem with this is that anyone I e-mail also needs to use PGP Desktop. So in addition, I need something more flexible which doesn't require the receiver to have anything installed only to receive e-mail from me.

Are these assumptions correct?

1. PGP Desktop offers the most secure solution for sending and receiving of e-mails that is available today?

2. The disadvantage with PGP Desktop is that the receiver also must use PGP Desktop. In these cases, where the receiver doesn't have PGP Desktop, I can still use a quite safe method of sending encrypted e-mails by using Cotse, Hushmail or Google Mail. However, as I cannot assume the receiver will also encrypt his e-mail, I would need to ask him, when he replies, to cut out my message and paste it into a new message.

Actually, I'm more worried about leaving my e-mails online, as that seems to me the most vulnerable. POP3-downloading all e-mails to Outlook 2003 and encrypting my HDD with PGP Desktop seems to be an optimal security solution.

Some further questions I have:

1. Which of PGP and GPG is most secure? Is either of them easier to handle and use than the other?
2. Which of Cotse, Hushmail and Google Mail would be safest to use? Do all of them use PGP encryption?
3. Google Mail, is that the same as this?:
https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Dsv%26ui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1<mpl=default<mplcache=2&hl=sv

My username is "username@gmail.com", is this Google Mail? What about Google Docs, will large file transfers from there also be PGP-encrypted?
TolomirAdministratorCommented:
1. Let's say one of the best.
2. Yes, and this applies to all such solutions. You need the matching infrastructure!

Google Mail / Gmail (it is the same; there are trademark issues with "Gmail") offers no encryption for emails.

You can go with Hushmail though. It will provide the same infrastructure as PGP Desktop but web-based. This also means the recipient needs to use either Hushmail too, or another PGP-based service like PGP Desktop.

Maybe this is a solution: you use PGP Desktop for your own safety and send your recipients to Hushmail to receive your PGP-encrypted emails. Hushmail offers free private accounts, so this would be feasible.

Tolomir
TolomirAdministratorCommented:
Just a remark. Keep an eye on backups. With full disk encryption, all regular tools to recover files from a broken Windows installation will fail.

We have many questions here where users lost data because of careless EFS usage. Don't make the same mistakes.

I've got good results with Acronis True Image 2011. They additionally provide a web-based service to back up your files online. AES encrypted! http://www.acronis.com/homecomputing/products/trueimage/

Tolomir
Dave HoweSoftware and Hardware EngineerCommented:
There is only one practical solution that doesn't require the recipient to take active steps, and that is oracle-based encryption (of which the best known is Cisco's CRES, as found in their IronPort email appliances, and towards the cheaper end, http://www.zixcorp.com/).

All other email solutions require that the *recipient* first have the right software, actively create or obtain a key, and convey that key to you for use in *your* encryption software.

hermesalphaAuthor Commented:
Yes, that has to be a good solution! For all receivers that don't use any PGP tools, I just send them a link to a Hushmail account (which I myself have created) for each e-mail that I send to them. I could see that I can use Hushmail with Outlook, so I can always send everything from Outlook but PGP-encrypted via Hushmail.
Dave HoweSoftware and Hardware EngineerCommented:
Be aware that "free" Hushmail will
a) expire (lock out the user) if not accessed for 20 days and
b) isn't supposed to be used for commercial purposes.

The former is more of an issue, however :)
gheistCommented:
GnuPG is another tool of that sort. Maybe you need to compile the OpenSSL FIPS engine to conform to regulations, but otherwise the software does all encryption correctly in OpenPGP format, so it is readable by PGP(i) etc.
Dave HoweSoftware and Hardware EngineerCommented:
Again, though: GPG requires the recipient to have, in advance, generated a key and sent it to you. That has always been the death knell of attempts to introduce a secure messaging infrastructure: invariably, people who are enthusiastic about encrypting all their outbound mail find it near impossible to convince the recipients to get everything they need set up on their end.

Personally, I swear by Thunderbird + Enigmail + Gpg4win, but I can count on one hand how many people I know who have a key I can send to.

Note that GPG is *NOT* FIPS compliant, despite offering a higher level of security than FIPS requires.
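The mechanics behind Dave Howe's two points above (the 128/256-bit symmetric cipher "secured by an RSA public key generated by the recipient", and the fact that nothing can be sent until the recipient has generated a key and handed over its public half) are easiest to see in code. The following is an added example, not code from this thread, from PGP Corporation or from GnuPG: it models the OpenPGP hybrid scheme with the Go standard library. The primitives (AES-256-GCM, RSA-OAEP, RSA-PSS) are assumptions chosen for a modern, self-contained demo; real OpenPGP uses its own packet format and cipher modes, so this shows the structure, not the wire format. All names (`Envelope`, `Encrypt`, `Decrypt`, `NewKey`) and the sample message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope models what an OpenPGP-style message carries: a random session key wrapped
// to the recipient's public key, the body under that key, and the sender's signature.
type Envelope struct {
	WrappedKey []byte // AES session key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-256-GCM over the message body
	Signature  []byte // RSA-PSS over SHA-256(body), made with the sender's private key
}

// NewKey generates a 2048-bit RSA key pair; each correspondent makes their own.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Encrypt needs the RECIPIENT's public key and the SENDER's private key. Without the
// recipient's key there is nothing to encrypt to: that is the setup step recipients skip.
func Encrypt(body []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	sessionKey := make([]byte, 32) // 256-bit AES; PGP's default is 128-bit CAST5/AES
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, body, nil)
	// Only the short session key goes through RSA; the body is bulk-encrypted.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Decrypt is the mirror image: the recipient's OWN private key unwraps the
// session key, and the SENDER's public key checks the signature.
func Decrypt(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key will not unwrap: message was not encrypted to this key")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("body fails authentication: ciphertext altered in transit")
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not match the claimed sender's public key")
	}
	return body, nil
}

func main() {
	alice, bob := NewKey(), NewKey() // sender and recipient; bob's public half must reach alice first
	env, _ := Encrypt([]byte("constructed sample body: meet at 10"), &bob.PublicKey, alice)
	body, err := Decrypt(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads: %q (err=%v)\n", body, err)
	_, err = Decrypt(env, NewKey(), &alice.PublicKey) // a third party's key: fails
	fmt.Println("third party gets:", err)
}
```

Two things worth noticing: the RSA key only ever protects 32 bytes of session key, so the "strength" of the mail is bounded by both the symmetric cipher and the recipient's RSA key; and a third party holding the envelope gets an error at the unwrap step, because the session key was encrypted to bob's modulus and nobody else's. Exactly the same holds for GPG or PGP Desktop: the person who wants to receive mail must run the key generation and publish the public key before the sender can do anything.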
gheistCommented:
The only free validated FIPS module is OpenSSL in FIPS config. It is supported by Mozilla with keys from providers like Comodo.
Maybe it is of help.
Dave HoweSoftware and Hardware EngineerCommented:
Indeed. However, there are no email clients that use FIPS-compiled SSL, so it's pretty useless for messaging.
gheistCommented:
Mozilla PSM is not "validated" but it works in FIPS mode if required.
hermesalphaAuthor Commented:
ZixMail seems to be what I've been looking for: simplicity and security. No need for the receiver to do anything, but I can keep my outgoing mails confidential at all times. And integration with Outlook.

To add maximum online privacy, would I need to use a webmail service like Cotse? I still will have e-mail accounts like this: info@mycompanyname.com

Considering my company name is in the actual e-mail address, will this ever be encrypted somehow online, either by ZixMail or Cotse?

ZixMail for encryption of contents, Cotse for hiding my IP address online.