One of the things that has always been very important to us is the privacy and security of information and of its transmission, including email. Back in the early 2000s, we were strong proponents of the use of PGP/GPG (Pretty Good Privacy) for email encryption and signing, and we promoted and encouraged its use as much as possible. We also provided consulting to law firms and others who wanted some assurance that their emails were not simply being transmitted in clear text, readable by anyone who could install sniffers on routers or break into the email servers where the email was stored.
In addition, we provided consulting to e-commerce clients and helped them institute policies and procedures regarding online e-commerce orders that contained sensitive information including credit cards, when real-time transactions were extremely expensive.
PGP/GnuPG is not just for emails and can be used for very secure encryption of files. While many people balk at using PGP/GnuPG and say things like, “I’ve got nothing to hide,” we believe that this is an extremely naive way of thinking about electronic communications and file storage. In fact, sending an email is almost akin to sending information on a postcard, without an envelope around your message. You have no idea who the email administrators are at your ISP or cloud email provider. Maybe one of your neighbours works for Microsoft or your local ISP, and has enough administrative rights to browse your emails. How comfortable would you be with that? Are you sure you still “have nothing to hide?”
If you’re a business, maybe one of your competitors’ kids works for the local ISP. You don’t know. In fact, we have personal experience of this from the early days of our business, a very competitive time of takeovers and planned takeovers of ISPs, when email sitting on a server was compromised, revealing important and critical information. The use of PGP/GnuPG would have made the revelations all but impossible.
Securing Client Data
Often we require sensitive information from our clients including their website admin credentials and even registrar credentials in order to assist with critical updates and maintenance. If this information should fall into the wrong hands, this could wreak havoc for our clients and their business. Most clients don’t have concerns about sending us credentials in plain text email, and truth be told, it is much easier to deal with an actual copy/paste of a username and accompanying password than it is to try to ensure correct transcribing during a telephone call.
Other clients, however, insist on a telephone call because they are rightfully very concerned about their sensitive information being sent via email in clear text, where it could be read in transit by unscrupulous individuals or organizations. And we respect that. At the same time, as mentioned, this is also an inconvenient and often mistake-prone way of transmitting what can sometimes be complicated passwords.
What we have done is implement an extremely secure form through which such details can be transmitted to us with the virtually unbreakable security of PGP encryption. You’re protected at every stage, starting with the fact that you are entering information on a form that is protected by SSL security (using the https protocol) on the webpage. When using the https protocol, all information between the browser and the website is encrypted.
When you hit the submit button, the message is immediately encrypted to our public key using PGP/GPG and arrives in our inbox encrypted. Anyone trying to “listen in” (snooping on routers or email servers) will only see something like this:
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
The above, by the way, is an actual encrypted message using our form.
The only way the above message can be decrypted is with both our private key and our passphrase. Without both, it is almost impossible (except for perhaps the NSA, and that’s debatable) to decrypt.
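The flow described above, as an added example that is not our actual form handler: a web-server keyring holding only the public key encrypts a submission and cannot decrypt it again, while the keyring holding the private key and passphrase can. It assumes GnuPG 2.1 or later; the address, passphrase and submission text are constructed.

```shell
#!/usr/bin/env bash
# Added example. All names, addresses and secrets below are constructed.
set -u
OWNER_HOME=$(mktemp -d)  # recipient's workstation: the private key lives here
WEB_HOME=$(mktemp -d)    # web server: receives the public key only
RECIPIENT="intake@example.test"
PASSPHRASE="constructed-demo-passphrase"
SUBMISSION="site=example.test user=admin password=constructed-sample"

cleanup() {
  for dir in "$OWNER_HOME" "$WEB_HOME"; do
    gpgconf --homedir "$dir" --kill gpg-agent 2>/dev/null || true
    rm -rf "$dir"
  done
}
trap cleanup EXIT

# Run gpg non-interactively against one specific keyring directory.
g() { ring=$1; shift; gpg --homedir "$ring" --batch --quiet --no-tty "$@" 2>/dev/null; }

setup_keys() {
  g "$OWNER_HOME" --pinentry-mode loopback --passphrase "$PASSPHRASE" \
    --quick-generate-key "$RECIPIENT" || return 1
  # Only the exported public key ever reaches the web server's keyring.
  g "$OWNER_HOME" --armor --export "$RECIPIENT" | g "$WEB_HOME" --import
}

# What the form handler does on submit: encrypt stdin to the public key.
encrypt_submission() {
  # The imported key carries no ownertrust, so batch mode needs this flag.
  g "$WEB_HOME" --armor --trust-model always --recipient "$RECIPIENT" --encrypt
}

# $1 = keyring directory, $2 = passphrase; ciphertext is read from stdin.
decrypt_with() {
  g "$1" --pinentry-mode loopback --passphrase "$2" --decrypt
}

setup_keys || { echo "key generation failed (is gpg >= 2.1 installed?)" >&2; exit 1; }
CIPHERTEXT=$(printf '%s\n' "$SUBMISSION" | encrypt_submission)
printf '%s\n' "$CIPHERTEXT" | head -n 1
if printf '%s\n' "$CIPHERTEXT" | decrypt_with "$WEB_HOME" "$PASSPHRASE"; then
  echo "unexpected: web server keyring decrypted the message"
else
  echo "web server keyring: cannot decrypt (no private key)"
fi
printf 'owner decrypts: %s\n' \
  "$(printf '%s\n' "$CIPHERTEXT" | decrypt_with "$OWNER_HOME" "$PASSPHRASE")"
```

Because the server keyring never holds the private key, a compromise of the web server or the mailbox exposes only ciphertext for submissions already sent.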
Going Even Further To Secure Our Clients’ Information
Not only have we implemented the above, but it has also always been our practice to encrypt files that contain our clients’ sensitive information on our own devices. Obviously, if we are going to continue to work on your website, we need to keep some record of your credentials. Since 2001, it has been our practice to store that information on our devices (laptop and/or PC) in encrypted files, decrypting it only when necessary. Many times, when we have this information, we don’t keep our clients’ credentials at all if we don’t think we are going to need them further.
Yes, it can be an extra step to be required to decrypt the file, but we believe it is a good standard and policy.
Why We Use PGP/GnuPG
There are a lot of so-called encryption methods available, including proprietary encryption that makes claims about security. We choose to use only PGP/GnuPG, which is open source, constantly tested, and uses “public/private” key cryptography. It is beyond the scope of this post to explain this cryptography and PGP/GnuPG in general, but we encourage everyone we can to look into it and implement it as much as possible, not only for their sensitive business communications but even for personal communications.
PGP, or “Pretty Good Privacy,” was originally created by Phil Zimmermann back in 1992 and has become a standard for encrypted communications between users. Since then, the open source GnuPG has become available for a multitude of operating systems (Gpg4win for Windows). While PGP can seem overwhelming to understand at first, it is not difficult to implement, and you may want to learn more about it.