Technology June 2, 2009, 4:03PM EST

Hushmail and Other Ways to Protect E-mail

(page 2 of 2)

To start things off, you install PGP Desktop or its Outlook plug-in on a client computer and set up PGP Universal on a separate server to handle the external communications. If you send an encrypted message to an external user, they will get a message with a URL pointing them to the Universal Server's Web Messenger and the automatic registration process.

This is the whole point of the product: You don't have to manage a bunch of certificates and can begin communicating with your external correspondents immediately.

The Web Messenger works simply and effectively for users new to the encryption game, and the messages are encrypted at the edge of the enterprise network and across the Internet; Web access is via HTTPS and no information is stored on the client machine.

When a user clicks on the embedded URL, they are taken through a series of steps to register their identity, pick a passphrase and select how they want to receive subsequent communications from among four different options:

• Via Web Messenger, meaning that they continue to use a Web browser to view their e-mails

• Via a background PGP service that is installed on their client, what PGP calls Universal Satellite

• Via the full PGP Desktop client or an S/MIME e-mail client

• Via e-mail as password-protected PDF attachments

You can also limit these choices globally for all users on the Universal Console.

The biggest drawback to using Universal Server is that it is a complex product and has many options that might be intimidating to people new to PGP products or encryption in general. A Web control panel is used to set up policies and users, collect reports and set other configuration parameters; it has numerous key management options that could be overwhelming, such as controlling how keys are generated and authenticated, and whether they are stored on clients or just the server.

The advantage to using PGP is that if you have correspondents who have implemented encrypted e-mail, chances are high that they are familiar with PGP and are using its desktop products.

Voltage SecureMail Connected Gateway

Voltage Security, like PGP, offers a wide variety of encryption packages, including two server-based products. The first is Voltage Security Network (VSN), which is a complete hosted e-mail solution, similar to what Hushmail offers in that the company hosts your e-mail domain and deals with the encryption to and from the domain. Voltage also offers a SecureMail Connected Gateway appliance for those companies that want to handle the encryption on premises.

The process of setting up VSN is on a par with setting up Hush—you change your domain records to point your e-mail traffic to their service. Voltage's advantage is that you can send encrypted e-mails to anyone, and they will self-register using the Zero Download Messenger solution. This is similar to PGP's Web Messenger: if you try to send someone an encrypted message and they're not known to the system, they will get an e-mail with a URL that will direct them to register and then to decrypt their message.

For this review, I actually tested the on-premises Connected Gateway product. (Voltage will sell the hardware necessary, or you can install their software on your own computer system.) Once you run the software to create the appliance, you still need to change the domain and MX mail records for your domain. When I tried it, it all took less than an hour. Connected Gateway automatically sets up two policies for encryption and decryption, and you can add other policies in the same way you'd do on any firewall console.

Voltage offers an Outlook/Outlook Express plug-in that supports automatic encryption—it's really a custom-generated Windows MSI file that your users install. Once this is accomplished, a process that takes a few minutes, you almost don't realize that you are exchanging encrypted messages because everything happens under the covers. It is that effortless and easy, and one of the reasons that I like the Voltage solutions.

No matter which combination of Voltage products you choose, you don't have to worry about key or certificate management—that is all taken care of automatically and on the fly. This is one of the big advantages of the Voltage products; they automatically digitally sign each encrypted message as well. If you want more flexible options such as how keys are managed, then you are going to want to look at PGP's Universal solution.

The biggest distinction between the Connected Gateway and VSN solutions is that the former lacks the PGP and S/MIME interoperability that is available on the latter. Both have Web-based consoles—the Connected Gateway console is fairly spare but I didn't find it limiting in terms of exchanging encrypted e-mails.

The main drawback for the Connected Gateway is price—$115 per user annually versus $65 for the hosted VSN solution, about on par with what PGP charges.

Conclusions

The good news is that all three of these solutions work easily and will protect your e-mails from end to end. They aren't difficult to implement and won't take up a lot of IT support resources handling key management issues either. If you need the security of keeping your e-mails private, they are all worth a closer look. And while they aren't effortless to set up, they are fairly effortless for end users on a daily basis.

My recommendation is to start off with either the free Hushmail product or the Business version and see if hosted e-mail is right for your needs. If you want to run your own encryption inside your firewall, then move to Voltage's Connected Gateway. If you anticipate communicating with a lot of existing PGP users, then install its Universal product.


Provided by ComputerWorld—Read the latest in Tech News and Trends.
