‘Email’ and ‘secure’ – two words that never go together in one serious sentence.
When I get an email from someone, I am supposed to believe it’s really from that person. But unlike websites, which use SSL certificates to authenticate themselves, email gives us nothing comparable: we simply have to take the sender identity in the email headers, even for important companies, at face value.
Solutions to identity and security in email are sadly limited mostly to S/MIME, which nobody uses. Why has there been so little attention to the massive problems we’re facing? Think of all the time we have spent educating users that nothing in email can be trusted, when instead we could have put that time into making the technology work better.
Here’s a thought I had earlier:
I’m a great fan of the “green bar experience” in browsers, which shows that the domain and identity have been verified when you are on a website with extremely sensitive data (e.g. banks, healthcare providers…). Meanwhile, we’ve been struggling to convince everyone that they can’t trust a single email in their inbox. Let’s stop educating users to distrust everything on computers, and start changing the technology instead.