Aliroo Ltd. is touting a product that encrypts e-mail so that no one can illegally get to it, and asks only that ISPs foot startup costs and share revenue—but pay no other up-front fees.

ISP-Planet Staff [October 15, 2001]

Aliroo Ltd. is offering a product called "Secure Delivery Service for ISP customers" (SDS for short).

"We wanted to make encryption as easy as possible for the customer," says Meir Zorea, "so we reduced the number of tasks required to one." The user downloads client software, and the client software handles the encryption.

There are setup costs but there's no setup fee—instead Aliroo asks for a 50-50 revenue split. Zorea expects ISPs to be able to charge $6 per month for the service, with the first month thrown in free.

The secret of 127
The software changes the SMTP address in the customer's computer to 127.00.01, the local computer. All outgoing SMTP mail traffic is re-routed through the SDS Mail-Relay client before going out to the ISP.

E-mail between the customer and the ISP is encrypted in S/MIME with the ISP's public key. The ISP maintains a database of public keys of every subscriber who has signed up for the service.

When a subscriber wishes to send an e-mail to a customer at another ISP, the relay client sends an e-mail to the subscriber saying that the recipient does not have a key stored on the system, and gives the subscriber the option of waiting for the recipient to sign up or sending the e-mail in the clear (it will still be encrypted between the ISP and the subscriber, but will then go unencrypted to the recipient).

So an ISP's subscriber could use the service just to encrypt traffic between the home computer and the ISP, and leave recipients out of the process entirely.

Zorea says that encrypting e-mail between the subscriber and the ISP should provide a significant amount of security, because if anyone is trying to snoop on a specific subscriber, they will probably target the link between the subscriber and the ISP.

If, however, the subscriber wants to encrypt an e-mail all the way to the recipient, the recipient can get a free Triple-DES key or purchase public key generated by a certificate provider such as Verisign or a key from a provider who has generated a public key for the recipient already, such as a bank. Recipients can also purchase a key from the ISP.

Sticky customer security
"So customers start selling the service themselves," says Zorea. As a customer uses the service more, the database acquires more public keys, and customers should be more reluctant to switch ISPs.

Storing the key data requires some resources, but Zorea says an ISP can start with four servers—two for mail, and two for the key database. At $5,000 per server, that's $20,000. An additional $30,000 in marketing and training makes the startup cost a total of about $50,000.

The expected return on investment depends on the number of customers an ISP has, and their level of security concern. Takeup rates for a service like this should be higher among business customers. When Aliroo designed the service, Zorea says, it had the small- and medium-sized business (SMB) market in mind, especially law firms and accounting firms with fewer than fifty employees. Subscribers who work, even occasionally, out of a home office would also be good potential clients.

Zorea says that the point is that people should know who's reading their e-mail. With all of the keys stored at the ISP, the ISP can hand information out under subpoena, but subscribers will usually hear about the subpoena, too.

"It's not meant to stop any legal authority from reading the e-mail," Zorea concludes, "but to prevent people from illegally reading the e-mail."

—End