When you want to send secure email, you have plenty of choices. I showed you recently how you can set up email encryption in Apple’s native Mail app, and that raises an interesting question. What’s better to secure email, Apple’s Mail app or a solution that uses OpenPGP, such as GPG Suite? Let’s take a look.
An Abbreviated History of Secure Email
Internet developers first standardized the Simple Mail Transfer Protocol, or SMTP, in 1982, when there was little concern for security. That quickly changed, and we needed to find ways to make our email communications more secure. Basically, we needed to be able to digitally sign, encrypt, and then decrypt our emails.
Groups came up with several standards to accomplish this. One of those is Secure/Multipurpose Internet Mail Extensions, or S/MIME, which is what Apple Mail uses. Another is PGP, which stands for Pretty Good Privacy. You probably know of this one in the form of OpenPGP. GPG Suite utilizes OpenPGP.
How Secure Email Works
Both methods use Public Key Cryptography to digitally sign, encrypt, and then decrypt your email. They rely on a pair of keys, one public and one private. When you send a digitally signed email to someone, you’re signing the email with your private key and sending that person the public portion of your keypair. Once you receive a digitally signed email, your mail software saves the sender’s public key so you can later send encrypted messages to that person.
As your email software digitally signs and encrypts a message, it’s doing two things:
- It’s signing the email with your private key
- Then, the software encrypts the message using your recipient’s public key.
Key Differences Between S/MIME and OpenPGP
From a technical standpoint, S/MIME and OpenPGP function pretty differently. S/MIME utilizes a standard way of putting arbitrary data into your email, with a definition of what type of information is there. Your email software transmits nearly everything as ASCII. On the recipient’s end, software decodes the ASCII into text or binary files. On the other hand, OpenPGP wraps the text and any binary attachments in “ASCII Armor,” an encoding layer. The software never converts the binary data into ASCII. Your binary files stay right the way they started.
Another key difference between S/MIME and OpenPGP is more apparent to you, the user. That difference is in how you get your public/private keypair. Using S/MIME, the user obtains the certificate and keypair from a centralized trusted authority. These are referred to as CAs, or Certificate Authorities.
OpenPGP, on the other hand, doesn’t rely on a centralized trusted authority. You, as the user, sign your keypair and then others verify whether or not the key really belongs to you by signing it themselves. OpenPGP relies on something called a Web of Trust, in which everybody is a potential CA. The theory is that you can trust a public key because it’s been signed by many other people, confirming that it really belongs to the person you think it does.
Which Method Leads to More Secure Email?
This is where theory and practice clash. In theory, OpenPGP could be a much stronger method of security. This is true because CAs lose their trustworthiness occasionally. Recently, the tech industry investigated two CAs, WoSign and StartCom, because of trust problems. The industry determined that those CAs failed to maintain the high standards expected of them. As a result, Apple, Mozilla, and Google all stopped trusting StartCom and WoSign certificates. The theory behind the Web of Trust is that users will build up and maintain that trust over time. There’s no dependency on a centralized agency to keep things on the level.
In practice, many folks don’t even utilize the Web of Trust behind OpenPGP. It can take too long to build up the trust level, so users of OpenPGP often resort to other mediums to develop the trust relationship. For example, people will exchange their public keys and then spell out the “key fingerprint” over the telephone.
If your browser or email software suddenly stops recognizing your S/MIME-based certificate, that’s not necessarily a bad thing. Yes, it’s inconvenient, because you’ll have to obtain a new keypair from a CA. On the other hand, this ensures the security of your email is maintained.
My Verdict: S/MIME is Simpler to Use and More Secure at the Same Time
I’m putting on my flame-retardant clothing here, because I know that statement is going to draw some fire. However, my personal opinion is that the S/MIME security implemented natively within Apple Mail is both simpler to use and more secure, as long as your CA stays above-board. I’m not alone in that analysis, either. S/MIME dominates the secure electronic email industry because of enterprise acceptance and how it works. OpenPGP doesn’t mandate how to create trust. Furthermore, many folks bypass the protocol’s Web of Trust altogether. S/MIME, on the other hand, relies upon certificate servers and industry support.
Don’t get me wrong. OpenPGP definitely has its merits. The GPG Suite is a fantastic set of tools for Apple Mail and other security problems. The drawback of OpenPGP is that maintaining true security of your email while still allowing trusted recipients to open them is a bit too time-consuming and labor-intensive. If you’re already deeply invested in OpenPGP, though, there’s little reason to change. The idea behind OpenPGP that you can’t fool everybody all the time is pretty solid, but the standard for is just too non-standardized for my use.
References
In developing this analysis, I relied upon a few sources for further information. If you want to read more, these are outstanding articles to check out.
“Despite revoked CA’s, StartCom and WoSign continue to sell certificates”, Mattias Geniar, January 17, 2017.
“How does PGP differ from S/MIME?”, StackExchange Information Security, October 6, 2011.
“OpenPGP”.
“S/MIME vs PGP,” Computer Security and PGP, March 30, 2016.
@MickM: The most likely answer to your question is that they don’t want to be a CA. They certainly could be, if it was something they felt compelled to delve into.
You say:
the S/MIME security implemented natively within Apple Mail is both simpler to use and more secure, as long as your CA stays above-board
So why can’t Apple officially be a CA? They have proven to me they treasure personal privacy…
grayman: Sorry this took me a couple of days, but I had to reach out to some folks more knowledgeable than me to get an answer for you. If it were possible to double-encrypt email using both GPG and S/MIME, then yes, it would make it even harder for the “bad guys” to bust open your email. It’s actually a bit more complicated than that, though. Here’s what Lukas from GPGTools had to say:
Hope that helps!
(Yes, I just now saw your post on how to turn on S/MIME functionality in iOS …so now the question above has even more relevance as we can now easily encrypt via GPG first, then send using S/MIME, whether iOS or macOS. So…is there any extra security advantage to encrypting using both methods? Does it make it even harder to unravel for “bad guys”?)
Great articles on encryption- thank you!
Since 2011 we have been using GPG Suite for macOS email / messages.
When not at a Mac or laptop and using mobile devices (iOS) we use an app called Secumail, which utilizes the same Open PGP keys created by GPG Suite to encrypt/decrypt mail, iMessages, clipboard contents, etc. in other words, all our traffic is encrypted via Open PGP protocol thru all our platforms (mobile device and laptops/desktops) using these two different apps that share the same keys we created.
The question I have is this – is there any utility in setting up the S/MIME thru Apple AND then encrypting via GPG Suite as well, “double-wrapping” in effect the mail? Yes, I understand the iOS doesn’t support S/MIME encryption for now, so pls just address the security afforded (or not) by this idea for the macOS.
Thank you!
Great that Apple Mail offers PGP encryption, I didn’t know that. But I’ll probably stick to my Startmail account because they make PGP encryption real easy with only one click. But good developments, I really hope that email encryption will be normal by 2020. -Fingers crossed- !
Bravo. A concise and clear discussion that has baffled me for a long time. You have been instrumental in assisting me in making my decision. Goodbye, GPG Suite. Hello S/MIME.
Jeff:
This is a very succinct treatment of the subject and nicely articulated. It’s also reassuring to know that Apple have chosen a robust secure option.