By David Strom Category: E-mail encryption software
Name of tool: SigabaSecure Desktop
Company name: Sigaba Corp.
Platforms supported: Windows 95 and Outlook 98; Windows NT, 98, and 2000; Outlook 98/2000, Eudora 4.3/5.0, Hotmail and Yahoo Mail with IE v5, Lotus Notes R5, others
*** = Hey, not bad. One notch below very cool. Key features: Pros:
Integration with most major e-mail products
Easy to set up and use for traveling users Cons:
Web interface somewhat clunky
Missing integration for Outlook Express Description:
Exchanging secure messages is far too hard, especially when you venture away from PGP and try your hand at one of the various standards-based products. There have been several attempts lately to make things easier to use, but after reviewing them, I still feel PGP is king of the secure hill. Let's face it, corporate users should be more careful about sending e-mail. Given that the vast majority of e-mail passes around the Internet in plain text, your corporate secrets can be compromised without too much effort. Hence, the motivation for securing your e-mail. In my continuing effort to try various secure e-mail products, I took a look at using the Secure MIME standards that are supposedly supported today. To do this, I tried to use a regular digital certificate, available from one of any number of certificate authorities, and Microsoft Outlook. I first had to retrieve my certificate (of course, I had created one years ago but never used it, so first I had to track it down) and import it into Outlook, which wasn't too obvious. Outlook 2000 has a zillion different security settings, and I am still not sure that I set things up properly. One clue: Whenever I try to send a message with a cert attached, Windows tells me that there has been some protection violation by Outlook. This is typical, and I fear that S/MIME has a ways to go before it could be widely deployed in corporate environments. So I tried a few other products that claim to be dirt simple to use. Well, they got the first word right -- they are pretty dirty. I took a look at several of them: SecureDelivery.com has a Web-based client, in addition to working with Yahoo Mail and Outlook. CertifiedMail.com has Web, Outlook/Outlook Express and Notes software. Safe-Mail.net has just a Web client. Digital-envelope.com has both Web and Windows clients. And Sigaba.com has Outlook, Eudora, Notes, Hotmail, Yahoo Mail and Web clients. Given the length of the above paragraph, this does not bode well for getting the right piece of software installed and matching up all your e-mail correspondents with the right product across your entire enterprise. Digital-Envelope has a single product for all Windows users, which at least is a step in the right direction. By Web client, I mean that ultimately you have to read, compose and decrypt your secure messages inside your Web browser. It is a bit tricky, because depending on how much of the encrypted message you copy and then paste into your browser, you might not be able to decrypt the message. However, the Web client does provide a modicum of security because you will be running a secured (SSL) browsing session, and this does encrypt the conversation between you and the Web server over the wire. Now realize that I am talking about using the browser here -- not any e-mail client like Outlook or Netscape Messenger. Even with using their supported e-mail clients, there are lots of problems with these products, and they really don't offer ironclad security or as much solace for the truly paranoid as PGP does. Here is why. First off, you have to trust that some nefarious person isn't monitoring the path between Yahoo (or whatever you use) and the secure mail provider's servers. You also have to trust these companies that their data centers are up to snuff, that their procedures are solid (it doesn't do you any good if someone by mistake makes copies of your messages and leaves them on a public directory for example) and that they really know what they are doing. Second, some of the products (including SecureDelivery, Safe-Mail and CertifiedMail) don't actually deliver e-mail messages to your recipients. Instead, they deliver a notification message in the clear. Included in the message is a URL that will point you to a place on a secure Web site where you can go and retrieve your encrypted message. Third, most products require that they be installed on both ends, meaning that all your recipients need to set up accounts and download the appropriate software. That's painful, and at that point you might as well download PGP, something that lots more people have been using. Next, tracking when your messages were opened, read and decrypted is somewhat obscure with some of the products. CertifiedMail and SigabaSecure were the best at providing this information, and with Sigaba you can "shred" your message, meaning no one can read it thereafter. Finally, not all products in all incarnations support securing attachments, which is probably the reason to get involved with secure e-mail, so you can exchange sensitive documents. (As an example, SecureDelivery can't include attachments if you use their Web client but does support them with other clients.) One of the nice features of Sigaba is being able to download its Yahoo or Hotmail client and then being able to encrypt attachments sent over these systems. That is useful, especially for travelers at public Internet terminals who want to keep their communications private but don't want to have to tote along a laptop or special software. (The downloads enable a special "send Sigaba secure" button when you bring up the Web-based compose message screen on both Hotmail and Yahoo.) All in all, I would experiment with Sigaba and see if it meets your needs and has the appropriate client software. The company also sells an NT or Unix-based Secure Gateway server solution that is intended to protect an entire enterprise e-mail network, starting at $2,500 per server plus monthly usage charges. While I didn't test this, I think PGP is a far better solution and one that will ultimately win out in the secure e-mail arena. Strom-meter key:
**** = Very cool, very useful
*** = Hey, not bad. One notch below very cool.
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value. About the author:
David Strom is president of his own consulting firm in Port Washington, NY. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995, he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at firstname.lastname@example.org.
Related book Internet Messaging; From the Desktop to the Enterprise
By Marshall T. Rose & David Strom
Internet Messaging is a book that describes practical e-mail applications for corporate users and network administrators. It contains information on how to set up e-mail filters, how to access corporate e-mail systems when on the road, manage mailing lists, exchange secure messages and attachments. It covers the major e-mail client software from Microsoft, Netscape and Eudora. The book was co-written in 1998 by David Strom, industry expert and reviewer, and Marshall T. Rose, one of the inventors of the POP protocol used in all Internet e-mail products. Review a sample chapter and complete table of contents.