Wednesday 23/2/2005

To Piccadilly, to see a little-known yet intriguing company called Ciphire. A Swiss/German concern, it is busy finishing off its first product -- an eponymous mail add-on that automatically handles encryption and signing. Ciphire Mail is in late beta -- you can download a copy from ciphire.com -- and from a few days playing with it, it looks to me as if the company has brought a great deal of sanity and good thinking to the problem.

Because it seems simple, people don't give email much thought. You rarely hear of email servers being hacked into and vast amounts of virtual post being siphoned off, although that must happen: the most important single service on the Internet is simultaneously the least secure and the least regarded.

While we could all run PGP, we don't -- it's too complicated. I fall into the 'Tried it, gave up' camp, and given the lack of PGP keys in footer files these days I'm not alone in this. I did ask Ciphire how many people used PGP, as I've never seen a reliable figure: neither have they, and they've looked pretty hard.

Ciphire Mail bends over backwards to be nice to you. It intercepts all ingoing and outgoing mail, works out whether to encrypt or decrypt what it finds, and adds a cryptographic fingerprint to everything you send whether it's going to another Ciphire user or not. Ciphired recipients get their goodies encrypted automatically. I'll do a full review of the system when it comes out of beta, but so far I'm very impressed by how easy it is to install and use. It'll always be free for individuals: corporates please apply for details.

The company impresses in other ways. They're very open in every sense: there's a lot of documentation on the site about what they do and how, they've commissioned proper independent analyses by people like Bruce Schneier, and they promise to show all the code by the end of the year. Compare that with Skype, which makes big noise about its VoIP and messaging encryption but gives nowhere near enough detail for trust.

With a few niggles, I can't think of anything they could be doing better -- we'll have to see how things pan out. But I'm still not sure it'll be quite enough. The company is talking to ISPs in order to make the system part of the package offered to broadband subscribers: they quote antivirus and anti-spam products as a precedent. But these give direct benefits to the ISPs by cutting down support calls and volume of traffic -- encrypted email does not, and given the shocking lack of public demand for it, why would an ISP bother?

What Ciphire needs -- what we all need, as easy encrypted email is a good thing -- is for this to become a standard component with email systems as shipped. They haven't got a hope with Microsoft, of course, but getting the software into, say, Apple would be a splendid deal all round.

One to watch.