#1
Audio/Video Expert
Join Date: Jul 2003
Location: West Michigan
Posts: 1,625
Encrypted/Digitally Signed E-Mail
Our studio is starting to do more and more work with larger studios - for example, we just inked a deal with New Line. We are working in a team environment - meaning projects will be divided between 3 or 4 studios like ours to facilitate post production.
One concern we have is our e-mail contact. Much of what we are working on is copyrighted material and some of it is somewhat secretive (plot lines, movie endings and the like). We would like to start encrypting or digitally signing our e-mails - how hard or simple is this to do? I found one certificate provider: http://www.cacert.org/ and a few of us have signed up for their certificates. The problem with this particular certificate is that it is not common so when I e-mail my contact at New Line, the certificate appears invalid on his end. And to have all of New Line sign up at CAcert is pointless - the powers that be won't allow that to happen. So...is there any way to get a certificate that is commonly known by most browsers without spending a fortune to do it?
Dave.
__________________
Dave. Go where there is no path and leave a trail.
#2
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,771
Why don't you just use something like PGP ($50), or Winzip 9.0 (shareware) which can 256-bit encrypt zip files?
#3
Member (13 bit)
PGP is a pain in the ass, and only as secure as the machine that the message came from for email messages. For instance some versions of Outlook save unencrypted versions of messages on the local hard drive for any virus or trojan to just pick up and forward how they see fit, even if the message was originally encrypted.
The problem as you're finding with SSL certs and such is that not all certificate authorities are recognized as highly as others; the only sure bets are probably Verisign and Thawte, both of which are pretty expensive (500 to 1000 dollars). If you want absolutely secure communication? I dunno. You could set up a forum such as this with SSL + passworded forums + a firewall that only allowed access from certain IPs, that only responded to an IP address and didn't have a registered domain. This is all relatively simple to do with a Unix/Linux machine, and would give you in-transit encryption as well as multiple password checks and a check on the host IP address, but again it's only as secure as the machines that are allowed to view it. Once their web browsers view and cache a page you're back to square one.
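Added example, not part of the thread: the "certificate appears invalid" symptom from post #1 and the CA-recognition point in post #3, reproduced with the `openssl` command line. The CA names, the address `sender@studio.example` and all files are constructed; `recipient-root` is an assumption standing in for whatever roots the recipient's mail client already trusts.

```shell
#!/bin/sh
# Added example; every name, address and file here is constructed.
set -eu

# new_ca DIR NAME: self-signed root certificate NAME.pem with key NAME.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_signed_mail: issue an e-mail certificate from studio-ca, sign a
# message with it, and print the work directory.
make_signed_mail() {
    d=$(mktemp -d)
    new_ca "$d" studio-ca        # the CA the sender picked
    new_ca "$d" recipient-root   # roots the recipient already trusts
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Sender" \
        -keyout "$d/user.key" -out "$d/user.csr" >/dev/null 2>&1
    printf '%s\n' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=emailProtection' \
        'subjectAltName=email:sender@studio.example' > "$d/ext.cnf"
    openssl x509 -req -in "$d/user.csr" -days 30 -extfile "$d/ext.cnf" \
        -CA "$d/studio-ca.pem" -CAkey "$d/studio-ca.key" -CAcreateserial \
        -out "$d/user.pem" >/dev/null 2>&1
    printf 'Reel 3 notes attached.\n' > "$d/msg.txt"
    openssl smime -sign -text -in "$d/msg.txt" -signer "$d/user.pem" \
        -inkey "$d/user.key" -out "$d/signed.eml" 2>/dev/null
    echo "$d"
}

# verify_mail DIR ROOTS: exit 0 only if the signature is intact AND the
# signer's certificate chains to a root listed in ROOTS.
verify_mail() {
    openssl smime -verify -in "$1/signed.eml" -CAfile "$2" >/dev/null 2>&1
}

# Same signed message, two recipients with different trusted roots.
d=$(make_signed_mail)
for roots in studio-ca recipient-root; do
    if verify_mail "$d" "$d/$roots.pem"; then r=valid; else r=INVALID; fi
    echo "recipient trusting $roots: signature shown as $r"
done
rm -rf "$d"
```

The message and signature are identical in both runs; only the recipient's list of trusted roots changes the outcome.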
#4
Professional gadfly
I don't think that PGP is a pain in the ass. And any form of encryption is only as secure as the computers used at both ends of the process.
Outlook may have holes when using the PGP e-mail plugin (wouldn't surprise me at all), but there are other ways to sign and encrypt messages. You can write the e-mail message in Notepad and encrypt and sign the file itself. You can also encrypt and sign any other files you want to e-mail. Attach those encrypted files to an e-mail, and even if Outlook saves a message, it won't be saving the cleartext (since it never had access to it). The question you need to ask yourself is how much it would cost for your information to leak out, and how likely that is. If the impact would be hundreds of thousands of dollars, and people are actively trying to get this information from you, then it makes sense to spend thousands on reliable SSL certs. If the threat is less, then I think you can make do with PGP and some good, enforced rules for e-mailing this information around.
#5
Member (13 bit)
All of that comes at the expense of ease of use, though. Will users cease typing emails and only type attachments to emails?
No, of course they won't. They haven't been doing anything that way for all these years, why would they change now? Finding a solution to a problem is one thing, getting users to use it is another thing entirely.