While it’s something I’ve kind of wished for since coming back to Wayne State, a recent conversation with a coworker (and a recent blog post by Geoff Nathan) reminded me of my slight annoyance at the lack of widespread support of email encryption and signing. A quick search for gpg support in Zimbra doesn’t really turn up much, and in fact it lead to me find that a Firefox plug-in I once experimented with using, FireGPG, is now discontinued, and that was my first idea for a somewhat hackish way to do it.

There is, of course always the option of just abandoning the Zimbra web interface and using Thunderbird, KMail, Evolution, or any number of other desktop clients with gpg, but that has the downside of giving up some of the nicer features of the interface, as well as parts of it that I use that aren’t going to be in those desktop clients. There’s also the downside that it would drastically impair my ability to read email on a mobile device, but that’s true even if Zimbra did have good support for encryption.

As it is now, the best way I can think of so far (and admittedly, I’m still thinking about it now, so I may come up with something else better) is to just use a desktop client for more “secure” correspondence, and whatever other clients for “everything else”, when I’m away from my desk. Realistically, while I’d love for as much of my email to be done in a secure way as possible, most people don’t have a public key out there that I could use anyway, so 99% of my email would be the same as it is now. The only time I’d have to start up a desktop client would be on the rare occasion a more enlightened coworker sent me something encrypted, or if I wanted to confirm their signature. Alternatively, I could just use the desktop client full-time, and start up the web interface for those few things that desktop clients can’t do. CPU cycles are cheap anyway.

I’ll have to dig around more, but I think this touches into a bigger problem of so many things being insecure. I shudder to think how many times my social security number has been emailed around in plaintext documents at old employers or the like, to sit around on someone’s email inbox protected by someone’s password that’s no stronger than their dog’s name.