The Lack of Encryptonomiconization of the Internet

I find it interesting which sorts of things get encrypted on the Internet.

Most people know to encrypt their Wi-Fi router, for example. That’s because there’s been lots of press about it, and many people like to tell stories about how they bum internet service from their neighbors.

A few people know the difference between a regular website and an SSL-encrypted web site. That little lock icon in your browser means that communication between you and the site is relatively secure. However, few people know what it actually means. I won’t go down the road (in this post, anyway) of the value of SSL certificates and whether they actually do the job they are supposed to.

And that’s about it. SSL and WiFi are the limit of most people’s dealings with encryption. I’m talking about personal use here, not business. Of course, the average IT worker uses a terminal session called SSH, which is quite secure, and most businesses have secure VPNs into their private networks, which are generally also secure. As with WiFi encryption, what I find interesting there is that the businesses use this mainly for protection of their own internal networks. Their outside communications are generally via email or IM, just like most people’s private ones.

And yet there are plenty of free and not terribly difficult ways to encrypt your emails and IMs, and even phone calls, so that only you and the receiver can communicate. Yet hardly anyone uses them. In fact, so few people were interested that PGP, one of the best methods for sending emails securely, completely failed as a commercial product even before they started charging for it. Luckily, there is a free GPL replacement, so that the solution is still generally available for anyone who wants to use it (I do).

What am I talking about here? Well, any message you send over the Internet can be read by just about anybody. Any email. Any IM. Any Skype call. Any message board posting. Now, I’m not paranoid. I agree that statistically speaking, no one really cares about the chain letter of jokes I forwarded to my cousin last week. Right?

Well, maybe not. But what if I sent a bank account number to my wife, so she could check it? You can bet there are bad people on the internet who are on the lookout for such information. What if my friend asks me for my phone number and address so he can send me a party invitation? How do I know it was really him, and that I’m not sending my information to an impostor? What about the government? I mean, you don’t have to be paranoid to be worried when the FBI calls their email surveillance system CARNIVORE. For Cripe’s sake! They couldn’t call it “PEACE” or “LOVE” or something? CARNIVORE?! And before you think that we don’t need to worry about this sort of thing anymore, CARNIVORE was initiated by the Clinton administration, not Bush.

So, I’m thinking about creating a blog for encryption-related stuff. Encryption for the lay-person, as it were. I’m not saying everyone is out to get you, but people buy car insurance even though they don’t plan on ramming anything.

Would anyone out there find something like that useful? Like easy how-tos to set up encryption in different mail and IM clients, layman-level articles about how encryption works, and why you’d want to use it? It’s a bit of work to set up a new web site (and write for it), so I’ll only do it if people want it. Leave comments here! (http://2robots.com/2009/01/23/encryptonomicon)