Eddy Nigg (StartCom Ltd.) wrote, On 2007-12-15 18:14: >> It seems that most of the world's email users have moved away from >> running their own MUA programs to using webmail.
> Oh no...now you have also fallen into this hype? No hype. I came to this conclusion based on my own direct observation of various groups of users whom I help with computing. Here are two examples: a) My own extended family. Years ago, I helped each and every one of them setup the email clients in their Netscape Communicators to work with their ISPs' email accounts. I did this when they transitioned from Netscape to Mozilla too. Today, besides me, only two of them still use their own MUAs. The rest have switched to web mail. b) Kids in schools. I was once very active in getting computer and LANs into schools in California. Computers in schools are nearly ubiquitous now. Since all those computers are shared, kids can't and don't run MUAs on them. By the time the kids get out of school, they are thoroughly trained (as it were) to use webmail. > Guess you were listening to Aza Dotzler for too long ;-) I got a good laugh out of that, Eddy. Thanks. :-) > Webmail is almost as old as the Internet itself. Webmail is almost as old as the Web itself, which is much less old than the Internet or Internet email. The various internet email protocol standards in use today predate the Web by a decade. Compare the dates on RFCs 822 and 1945. I was working on PEM, the predecessor of S/MIME, in 1990, before the web existed. See http://mirror.switch.ch/ftp/doc/ietf/pem/pem-minutes-91jul.txt > ..hotmail seems to exist > since ever too...what's new? Nothing, just better infrastructures, more > users, higher bandwidth and more providers. The information I have > shows, that mail servers and clients are used tremendously being it in > the enterprise or home. More than that most people have multiple > accounts too, some of which are web mail. Webmail uses the same MTAs that all internet email uses, so yes, mail servers are used everywhere. But use of what I'll call "local MUAs" (MUAs running on the user's system) is way down, percentage-wise, from what it was a few years ago. Consequently, access to MUAs that can even READ signed emails is way down. >> standards for signed and/or encrypted email that work only with MUAs >> that run on the user's system, and that do not also work with webmail, >> are dying, whether they are S/MIME or PGP, frankly. >> > And why does encrypted mail not work with webmail? Maybe there is no > business case? It could work technically. There are numerous reasons. Here are some: a) Web mail gets its money from advertising. Every page the user sees brings more ads and more revenue, so schemes that can effectively be used to reduce spam are actually revenue reducers for them. Despite their publicized anti-spam activism, they really don't want to reduce spam any. (Doubt that? Google for "pink contracts".) ISPs KNOW that signed email has the power to reduce spam, if widely used. (That's why I suspect that this new scheme must pay them to process signed emails. Something must offset the lost revenues or it won't interest webmail providers.) b) Encryption, signing, and signature verification still consume lots of CPU. Increased CPU cost per message means increased operational cost per message for the webmail provider, directly reducing the bottom line (another cost to offset). c) If webmail users are to be able to sign or decrypt mail using the webmail service itself, their keys must be stored by the webmail provider. That's a can of worms, a massive headache for the webmail providers that they'd rather avoid (and do). Then there's the whole matter of "expectation of privacy", and other legal matters that vary by country. The webmail providers believe they have MUCH less liability if their users have little expectation of privacy for their email. And as we know, most users don't actually value their privacy much. IMO, that's the real problem for all forms of "secure" email. >> I want to see a signed email scheme that becomes adopted by both MUAs >> (such as Outlook Express and Thunderbird) and by WebMail, *AND* that >> preserved the egalitarian nature of internet email -- that is, that >> allows ordinary users to send and receive signed emails. >> > Me too...speak to the providers... >> Sure, right after I see it in use on Yahoo. :-) > See above.... Let me put it another way. Remember that I helped all the computer users in my extended family to setup and use Netscape/Mozilla email clients. I did that so they could all have access to secure email (something that people of my parent's generation seemed to value more than anyone younger). Today, now that they've nearly all switched to webmail, I CANNOT send them a signed or encrypted email, and they cannot send any of those to me. (If I send them a signed email, the signature is lost, and useless to them.) The value of "secure email" is largely lost to me, even though my MUA supports it fully. I'm inclined to back any system that re-enables my kin to use secured email while they remain devout webmail users. It must enable secure email between MUA users and webmail users alike. Mail security has to work for both MUA users and webmail users or it will fail. /Nelson (who really wants to see secure email for the masses) _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
