PGP 9 serves as principal line of defense

What's a paranoid delusion called when you know that everyone's out to get you? In light of Sony's inclusion of software that phones home from Windows computers with details of what music is playing — and which apparently compromises system security — even multinational corporations may be trying to insinuate themselves into our personal affairs.

Macintosh owners, so far, have had little reason to fear the direct compromise of their computers. Firewalls are useful and fine lines of defense — and Apple Computer offers a built-in firewall in both Panther and Tiger. But once information leaves your computer, it's subject to the vagaries of whoever operates the networks across which your information passes.

I've beaten the drum of security for data while it's in transit for years, but it's finally become almost trivial to add a corporate level of security on top of the most personal of e-mail. You no longer need to become (or find) an expert to make it work.

My principal weapon of defense right now is PGP Desktop Home 9, the most recent in a multiyear series of releases across three owners of the software (www.pgp.com, free 30-day trial, $99 thereafter).

PGP has consistently released software for Mac and Windows at the same time, but until version 9, the Mac release was always somewhat harder to use because it consisted of a confusing set of separate programs, later merged into an equally confusing interface. That's been fixed.

PGP 9 can secure e-mail as well as the contents of e-mail, and it also offers encryption to guard instant-messaging sessions. For those who want to secure files on their own computer, it has a few different ways of providing robust protection for that as well. (After the 30-day trial expires, the trial version can still be used at no cost for personal use with just its manual features, but the features I describe below then require the paid release.)

It's critical to know that e-mail is unprotected unless you or your Internet service provider have taken specific steps to protect it. When you send and receive e-mail, every part of the transaction is in the clear, with no encryption or scrambling. Your account name, your password and the full contents of e-mail are freely available to anyone on the same network.

Networks are only as secure as their parts. If you connect via dial-up or use Ethernet and no Wi-Fi at home to hook into a cable or DSL modem, then you're relying on the generally good security found at ISPs for their internal networks.

But if you use Wi-Fi at public locations or without enabling its security on your home network, you're sending your e-mail to everyone within range. And once e-mail leaves your ISP's network for delivery, while your account and password are shed, there's a risk that anything sent in the clear could be read in transit.

ISPs and most e-mail clients now support a veteran Internet technology known as SSL/TLS (Secure Sockets Layer/Transport Layer Security). The older SSL was once used exclusively for Web-based protection for e-commerce and banking; the newer TLS has supplemented and supplanted it, and is found in e-mail, FTP, and other Internet transaction software.

For e-mail, SSL/TLS can secure the connection at each end point: All popular Mac e-mail programs include full SSL support. And many ISPs offer it, too, including Apple at its .Mac subscription service.

I'll tell you from years of personal experience, though, that enabling SSL, having it work consistently, and talking to an ISP about its support is a humbling and frustrating experience. This is where PGP 9 brilliantly inserts itself.

The next time you check e-mail after installing PGP Desktop Home, the software tells you that it can secure the connection. If you let it, it takes the unencrypted transactions coming from your e-mail program, wraps them up neatly and securely, and communicates with your ISP's mail server.

The program includes all the various exceptions, workarounds and standards needed to talk to the mail server software, something each e-mail program doesn't do on its own.
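To show what "wrapping up" the connection means in practice, here is an added example, not code from the column or from PGP's software, that models the arrangement described above with three parties connected by in-memory pipes: a mail client speaking plaintext only on the local machine, a PGP 9-style proxy that relays that traffic to the mail server inside TLS, and a stand-in ISP server. The hostname mail.example.test, the POP-style command and reply, the self-signed certificate, and the function names selfSignedCert and RunDemo are all assumptions constructed for the demo; a real ISP server presents a certificate chained to a public CA, and the proxy would be configured with that ISP's host name.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Constructed hostname for the demo; a real setup uses the ISP's mail host.
const serverName = "mail.example.test"

// selfSignedCert makes a throwaway certificate for the stand-in mail server and
// a root pool that trusts only it (a real ISP server chains to a public CA).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// RunDemo models the three parties with in-memory pipes: the mail client, a
// PGP 9-style proxy on the same machine, and the ISP's TLS mail server. It
// returns the line the server received and the reply the client read.
func RunDemo() (received, reply string, err error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return "", "", err
	}
	clientEnd, proxyEnd := net.Pipe() // mail client <-> proxy: plaintext, never leaves the machine
	proxyUp, serverEnd := net.Pipe()  // proxy <-> ISP: the leg that crosses the network
	// SessionTicketsDisabled keeps the demo to a single handshake with no post-handshake messages.
	server := tls.Server(serverEnd, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	// The proxy trusts only the expected roots and checks the server's name;
	// a forged or mismatched certificate fails the handshake here.
	upstream := tls.Client(proxyUp, &tls.Config{RootCAs: roots, ServerName: serverName})

	got := make(chan string, 1)
	go func() { // stand-in ISP server: read one POP-style command, answer it
		defer server.Close()
		line, _ := bufio.NewReader(server).ReadString('\n')
		got <- line
		fmt.Fprint(server, "+OK received\r\n")
	}()
	go func() { // the proxy: relay bytes, encrypting outbound and decrypting inbound
		defer proxyEnd.Close()
		defer upstream.Close()
		go io.Copy(upstream, proxyEnd)
		io.Copy(proxyEnd, upstream)
	}()

	defer clientEnd.Close()
	fmt.Fprint(clientEnd, "USER reader@example.test\r\n") // constructed mail-client command
	reply, err = bufio.NewReader(clientEnd).ReadString('\n')
	if err != nil {
		return "", "", err
	}
	return <-got, reply, nil
}
```

The point to notice is where the certificate check lives: the mail client never sees a certificate at all, because the proxy verifies the server against its trusted roots and host name before a single byte of the account name or password is forwarded. That is the job PGP 9 takes over from each e-mail program.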

On top of this, PGP 9 can automate receiving and sending encrypted messages using its Pretty Good Privacy (PGP) technology. To use PGP, you create a key for yourself within the software.

The key includes two pieces: a public key that can and should be published for other people to use to send messages to you; and a private key, which PGP secures on your computer using a strong password.

When you want to send a secure message, you find a recipient's public key — via public directories or using a built-in key finder in PGP 9 — and encrypt the message using it. Only the person with the corresponding private key can unscramble the contents.

With PGP 9 handling your e-mail connections, incoming messages are decrypted with your private key (you can disable this, too); outgoing messages can be secured to people you choose. The program includes handling rules that let you secure messages to a set of recipients, or perhaps just when "[secure]" appears in the subject line. It can also sign a message using your key, which lets a recipient know that the message hasn't changed while it was in transit — it's a tamper-resistant e-mail seal.
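The public-key, private-key and signing ideas in the last few paragraphs, as an added example that is not the column's or PGP's own code. It uses RSA-OAEP and RSA-PSS from Go's standard library rather than the OpenPGP message format, so its output is not interoperable with PGP Desktop; the Keypair type, the function names, the two correspondents and the sample message are all constructed for the illustration, and the private key is simply held in memory where PGP would wrap it in a passphrase.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Keypair is the two-piece key PGP creates for a user (constructed type).
type Keypair struct {
	Private *rsa.PrivateKey // stays on your computer; PGP wraps it in a passphrase
	Public  *rsa.PublicKey  // safe to publish in a key directory
}

// NewKeypair generates a fresh 2048-bit RSA key.
func NewKeypair() (*Keypair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keypair{Private: priv, Public: &priv.PublicKey}, nil
}

// Encrypt seals a short message to the recipient's public key (RSA-OAEP).
// Only the holder of the matching private key can open it.
func Encrypt(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Decrypt opens a sealed message with the recipient's private key.
func Decrypt(kp *Keypair, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kp.Private, ciphertext, nil)
}

// Sign produces the tamper-resistant seal: a signature over SHA-256(msg)
// made with the sender's private key (RSA-PSS).
func Sign(kp *Keypair, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, kp.Private, crypto.SHA256, digest[:], nil)
}

// Verify reports whether sig was made over exactly msg by the holder of the
// private key that matches sender's public key.
func Verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	bob, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	msg := []byte("[secure] Lunch on Tuesday?") // constructed sample message

	// Alice looks up Bob's public key, seals the message to it, and signs it.
	sealed, _ := Encrypt(bob.Public, msg)
	sig, _ := Sign(alice, msg)

	// Bob opens it with his private key and checks Alice's seal.
	opened, err := Decrypt(bob, sealed)
	fmt.Printf("Bob reads %q (err=%v), seal valid: %v\n", opened, err, Verify(alice.Public, opened, sig))

	// Anyone else, Alice included, cannot open mail sealed to Bob.
	_, err = Decrypt(alice, sealed)
	fmt.Println("Alice opening Bob's mail fails:", err != nil)

	// Changing even one byte in transit breaks the seal.
	tampered := append([]byte{}, msg...)
	tampered[0] = 'X'
	fmt.Println("tampered copy still verifies:", Verify(alice.Public, tampered, sig))
}
```

Two details carry the security argument: Encrypt needs only the public half, which is why publishing it is safe, and Verify uses the sender's public half, so a recipient can check the seal without ever holding the sender's private key.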

Using PGP requires that other folks you're corresponding with also use the software, but they can use older versions. There's also a free, open-source version of PGP known as GPG: GNU Privacy Guard. There's a free Tiger-compatible version available at the Mac GPG project site: macgpg.sourceforge.net/.

While PGP can't solve all security woes, the program removes the strain of making security work by hiding the ugly plumbing.

Glenn Fleishman writes the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to gfleishman@seattletimes.com. More columns at www.seattletimes.com/columnists