Encrypted email not for everyone

Written by Dan Blacharski on March 27, 2009

Kevin Nixon ran a fascinating article on encryption at Information Security Resources yesterday, disputing the need for end-to-end encryption, saying that it’s not such a great idea after all.

I’ve never used encryption for my email personally, though plenty of people do. And for some users, like the President when he’s using his BlackBerry, I’d have to say that it’s essential. But Kevin’s argument bears consideration, especially when applied to ordinary usage.

A couple of simple examples of end-to-end are VPNs, where encryption starts at a VPN client in a remote location and ends at the VPN server in the main office. SSL, which is used widely over the Web, provides another example: the encryption starts at the user’s Web browser and ends at the Web server on the back end. The limitation here, according to Kevin, is that the traffic arrives at its destination before being evaluated. He makes a good point. The concept behind end-to-end encryption may be a good one, but it needs an extra step.

Security experts advocate multiple layers of security; for example, both perimeter security and endpoint security are considered essential. But when traffic (including email) is encrypted, it cannot be analyzed by the firewall or by any perimeter-based intrusion detection engine, which removes one of those layers. Kevin also cites S/MIME as a particular concern, since the contents of an encrypted email cannot be analyzed for malicious content until after it has been decrypted. This means that malware prevention has to take place on the desktop for the first time, instead of desktop security serving as a “final check” after traffic has already run the gauntlet of other perimeter-based security.

There are some solutions, which involve an extra device or a firewall equipped to analyze encrypted traffic: this approach decrypts traffic, analyzes it for malicious content, and then either sends it on in the clear or re-encrypts it for the rest of the journey.
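As an added example (not from the original post), here is a small Python triage check a mail gateway could run to tell which S/MIME messages the perimeter layer can still scan and which ones must be handed to a decrypting inspection device or left to the desktop scanner. The sample messages and their base64 blobs are constructed placeholders, and the verdict names are assumptions of this example.

```python
import email
from email import policy

# S/MIME content types (RFC 8551); the x- forms are legacy aliases still seen in the wild.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def classify_smime(raw: str) -> str:
    """Return 'clear', 'signed-clear', 'signed-opaque' or 'enveloped'."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = "clear"
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in PKCS7_MIME:
            smime_type = str(part.get_param("smime-type") or "").lower()
            if smime_type == "enveloped-data":
                return "enveloped"          # body is ciphertext: nothing for the IDS to read
            if smime_type == "signed-data":
                verdict = "signed-opaque"   # cleartext exists but sits inside a CMS wrapper
        elif ctype == "multipart/signed" and part.get_param("protocol") in PKCS7_SIG:
            verdict = "signed-clear"        # body part is readable; signature rides alongside
    return verdict

def perimeter_can_scan(raw: str) -> bool:
    """True when the firewall/IDS layer can inspect the body with no decryption step."""
    return classify_smime(raw) in ("clear", "signed-clear")

# Constructed sample messages (not real traffic); the base64 blobs are placeholders.
PLAIN_MSG = "Content-Type: text/plain\n\nReadable body.\n"

ENVELOPED_MSG = """\
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

MIIBdQYJKoZIhvcNAQcDoIIBZjCCAWICAQAxggE=
"""

CLEAR_SIGNED_MSG = """\
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="sig"

--sig
Content-Type: text/plain

Signed but still readable text.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkg=
--sig--
"""
```

Messages classed as `enveloped` or `signed-opaque` are the ones the perimeter layer cannot judge on its own, so a gateway would route them to the decrypting device or rely on the desktop check for them.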
