
Frank

Viki
Friday, August 25, 2006
 
FreeEnigma: not the deal it sounds
BoingBoing is reporting on a new encryption service for email, FreeEnigma, which incorporates a relatively strong GPG encryption scheme into your popular email services (Gmail, Hotmail, etc.) via a Firefox extension.

One thing that you must know about GPG--indeed, any key-based encryption--is that, just as with any key for any lock, the key must be hidden for the encryption to work. If I have a key to the front door of your house, I can enter your house. It is the same for encryption: if I have the encryption key to your encrypted message, I can read your message.

Having established that, I found an interesting item in the FreeEnigma FAQ:
You manage all contacts and trusted persons with whom you want to exchange encrypted e-mails on the freenigma server. For the experts: the entire key management takes place on the server. Your keys are managed on the server while the encryption itself takes place within the client. For the non-experts: don't worry - you won't find any complicated terms in freenigma. Everything is simple and intuitive to use.

One of the "great" things about encryption is that the keys are long and complex and it would take a significant effort to find your key--unless you use FreeEnigma. Now, any governmental (or commercial) agent who wishes to read all of your encrypted email can just subpoena FreeEnigma to get your key. And what's to stop FreeEnigma from exploiting your key themselves? Or from blundering it into the public domain like a much larger company recently did with their sensitive user information?

Encryption technology is not there yet because key management is not there yet. Just because an organization promises to take really, really good care of your sensitive key, we promise, doesn't mean you should trust them. In fact, you probably should not.