Protecting & Securing Our Clients’ Sensitive Information


One of the things that has always been very important to us is the privacy and security of information, including information in transit such as email. Back in the early 2000s we were strong proponents of PGP/GPG (Pretty Good Privacy) for email encryption and signing, and promoted and encouraged its use as much as possible. We also provided consulting to law firms and others who wanted some assurance that their emails were not simply being transmitted in clear text, readable by anyone who could install a sniffer on a router or break into a mail server where the messages were stored.

In addition, we provided consulting to e-commerce clients and helped them institute policies and procedures regarding online e-commerce orders that contained sensitive information including credit cards, when real-time transactions were extremely expensive.

PGP/GnuPG is not just for email; it can also encrypt files. Many people balk at using it and say things like, “I’ve got nothing to hide.” We believe this is an extremely naive way of thinking about electronic communications and file storage. Sending an unencrypted email is akin to sending a postcard with no envelope around your message: every mail server it passes through, and everyone with administrative access to those servers, can read it. You have no idea who the email administrators are at your ISP or cloud email provider. Maybe one of your neighbours works for Microsoft or your local ISP and has enough administrative rights to browse your mail. How comfortable would you be with that? Are you sure you still “have nothing to hide?”

If you’re a business, maybe one of your competitors’ kids works for the local ISP. You don’t know. In fact, we have personal experience from the early days of our business, during a very competitive time when there were takeovers and plans to take over ISPs, when email sitting on a server was compromised, revealing important and critical information. The use of PGP/GnuPG would have made those revelations all but impossible.

Securing Client Data

Often we require sensitive information from our clients, including their website admin credentials and even registrar credentials, in order to assist with critical updates and maintenance. If this information fell into the wrong hands it could wreak havoc for our clients and their business. Most clients have no concerns about sending us credentials in plain-text email, and truth be told, it is much easier to copy and paste a username and its password than to ensure a complicated password is transcribed correctly over the telephone.

Other clients, however, insist on a telephone call because they are rightfully concerned that sensitive information sent by email in clear text could be read in transit by unscrupulous individuals or organizations. We respect that. At the same time, as mentioned, reading passwords aloud is inconvenient and mistake-prone, especially for long, complex passwords.

What we have done is implement a form through which such details can be sent to us under PGP encryption. You are protected at every stage. The form page itself is served over TLS (the https protocol), so everything between your browser and our web server is encrypted in transit, and the submission is then encrypted to our PGP key before it is mailed, so the mail servers and networks it crosses afterwards never see plaintext. One caveat worth knowing: TLS protects only the hop between the browser and the web server; whatever component performs the PGP encryption handles the plaintext for that moment, so a form like this must never log or retain submitted fields unencrypted.

When you hit the submit button, the message is immediately encrypted to our public key with PGP/GPG and arrives in our inbox encrypted. Anyone snooping on routers or mail servers along the way sees only the ASCII-armored ciphertext, something like this:

-----BEGIN PGP MESSAGE-----
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=YQCZ
-----END PGP MESSAGE-----

The above, by the way, is an actual encrypted message using our form.

The only way to decrypt the message above is with our private key, which is itself stored encrypted under our passphrase; both are needed. Without them, there is no publicly known practical attack on the algorithms involved, so for all practical purposes the message cannot be read. The realistic risks are not cryptanalysis but a stolen private key protected by a weak passphrase, or a compromised computer that sees the plaintext after we decrypt it.

Going Even Further To Secure Our Clients’ Information

Not only have we implemented the above, but it has also always been our practice to encrypt files containing our clients’ sensitive information on our own devices. Obviously, if we are going to continue to work on your website, we need to keep some record of your credentials. Since 2001 it has been our practice to store that information on our devices (laptop and/or PC) in encrypted files, decrypting it only when necessary. Often we don’t keep a client’s credentials at all if we don’t expect to need them again.

Yes, it can be an extra step to be required to decrypt the file, but we believe it is a good standard and policy.
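The two practices described above, a form submission encrypted to our public key and credential files kept encrypted on disk, as an added worked example driving the gpg command line. This is not the page’s own form code. It assumes GnuPG 2.x is installed; the recipient address, key names, passphrases and the sample submission are all made up for the demonstration, and the script works in a throw-away keyring so it never touches your real ~/.gnupg.

```shell
#!/bin/sh
# Added example, not the page's own form code. Shows, with the gpg CLI:
#  (1) encrypting a form submission to a recipient's public key, so that only
#      the matching private key plus its passphrase can open it, and
#  (2) keeping a credentials file on disk under symmetric (passphrase) encryption.
# Assumes GnuPG 2.x on PATH. Address, names and passphrases are made up.
set -eu

GNUPGHOME="$(mktemp -d)"                 # throw-away keyring, never ~/.gnupg
export GNUPGHOME

RECIPIENT="secure@example.com"           # assumed: the address the form encrypts to
KEY_PASS="demo-private-key-passphrase"   # assumed: protects the demo private key
FILE_PASS="demo-file-passphrase"         # assumed: passphrase for stored credentials

# Unattended key generation: signing primary key plus an encryption subkey.
generate_recipient_key() {
    gpg --batch --quiet --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: Example Web Services
Name-Email: $RECIPIENT
Expire-Date: 0
Passphrase: $KEY_PASS
%commit
EOF
}

setup_keyring() {
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    # loopback pinentry lets batch jobs pass the passphrase without a GUI prompt
    printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
    gpg --batch --quiet --list-keys "$RECIPIENT" >/dev/null 2>&1 || generate_recipient_key
}

# What the form does on submit: encrypt to the public key, ASCII-armored for e-mail.
# --trust-model always: we are encrypting to our own key, no web of trust needed.
encrypt_form_submission() {              # $1 plaintext file, $2 output .asc
    gpg --batch --yes --quiet --armor --trust-model always \
        --recipient "$RECIPIENT" --encrypt --output "$2" "$1"
}

# Reading it needs the private key in this keyring AND its passphrase.
decrypt_submission() {                   # $1 .asc file; plaintext to stdout
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$KEY_PASS" --decrypt "$1"
}

# Credentials kept on our own laptop: passphrase-only (symmetric) AES-256 encryption.
encrypt_stored_credentials() {           # $1 plaintext file, $2 output .gpg
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$FILE_PASS" \
        --symmetric --cipher-algo AES256 --output "$2" "$1"
}

decrypt_stored_credentials() {           # $1 .gpg file; plaintext to stdout
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$FILE_PASS" --decrypt "$1"
}

# Returns 0 if the file is an armored PGP message and none of the sample fields leak.
armor_hides_plaintext() {                # $1 .asc file
    grep -q '^-----BEGIN PGP MESSAGE-----$' "$1" || return 1
    grep -q 'wp-admin' "$1" && return 1
    grep -q 'Tr0ub4dor' "$1" && return 1
    return 0
}

run_demo() {
    setup_keyring || return 1
    # Constructed sample submission; these are not real credentials.
    printf 'site: https://client.example/wp-admin\nuser: admin\npass: Tr0ub4dor&3\n' \
        > "$GNUPGHOME/submission.txt"

    encrypt_form_submission "$GNUPGHOME/submission.txt" "$GNUPGHOME/submission.asc" || return 1
    armor_hides_plaintext "$GNUPGHOME/submission.asc" || return 1
    decrypt_submission "$GNUPGHOME/submission.asc" > "$GNUPGHOME/submission.dec" || return 1
    cmp -s "$GNUPGHOME/submission.txt" "$GNUPGHOME/submission.dec" || return 1

    encrypt_stored_credentials "$GNUPGHOME/submission.txt" "$GNUPGHOME/creds.gpg" || return 1
    decrypt_stored_credentials "$GNUPGHOME/creds.gpg" > "$GNUPGHOME/creds.dec" || return 1
    cmp -s "$GNUPGHOME/submission.txt" "$GNUPGHOME/creds.dec" || return 1
}

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

if run_demo; then
    cat "$GNUPGHOME/submission.asc"      # the armored blob a snooper on the wire sees
else
    echo "demo failed" >&2
fi
cleanup
```

The printed block is the only thing a mail server or router ever carries. Passing `--passphrase` on the command line is acceptable for a batch demonstration like this; in day-to-day use let gpg-agent prompt for it instead, so the passphrase never lands in shell history or a process listing.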

Why We Use PGP/GnuPG

There are many so-called encryption products available, including proprietary ones whose security claims cannot be independently checked. We choose to use only PGP/GnuPG, which is open source, constantly tested, and built on public-key cryptography: each message is encrypted with a fresh symmetric session key, and that session key is encrypted to the recipient’s public key, so only the holder of the matching private key can recover it. It is beyond the scope of this post to explain the cryptography or PGP/GnuPG in general, but we encourage everyone we can to look into it and implement it, not only for sensitive business communications but for personal communications as well, as much as possible.

PGP, or “Pretty Good Privacy,” was originally created by Phil Zimmermann in 1991, and its message format was later standardized as OpenPGP (RFC 4880), so independent implementations interoperate. GnuPG, the open-source implementation of that standard, is available for a multitude of operating systems (Gpg4win for Windows). While PGP can seem overwhelming at first, it is not difficult to put into practice, and you may want to learn more about it.

Resources:

GnuPG
OpenPGP History
Pretty Good Privacy – Wikipedia
