>I start to wonder if the "difficulty" in email encryption is actually people just being lazy
I think it's a combination of this and perhaps some ignorance as to the implications of skipping these processes, hence they aren't taken seriously. I'm not sure if more education on this is the solution or not, since it seems a lot of people don't really care about these internals and don't want to take the time to understand what's going on. I'm not sure I'd describe this as laziness or just stubbornness.
Users tend to be very goal-oriented and with (for example) TLS certificate validation errors, these simply stand in the way of what the end-user is trying to achieve. There have been a couple of studies done on how users tend to just dismiss these errors http://static.usenix.org/legacy/events/sec09/tech/full_paper...
I've had the "security" conversation with my father-in-law a few times. He is a wanna be computer nerd.
I tried to explain to him the benefits of all traffic being encrypted. It means "the man" can't see anything you are doing. Why would you want this? Because it sets a precedent that you aren't hiding something. I had a job once where coworkers only spoke Spanish when they wanted to talk about someone without their knowledge. It was obvious and even those who didn't speak the language could see it was happening. If they just spoke it all the time no one would have suspected they were making fun of someone, and no one would have paid that close of attention to what they were saying. It would have become a non-issue.
> not sure if more education on this is the solution
Security education is a never ending battle. Just like "use condoms", "floss your teeth", "wash your hands", etc. It also changes. Today "Use a password manager" is the new "change your password".
I think it's a combination of this and perhaps some ignorance as to the implications of skipping these processes, hence they aren't taken seriously. I'm not sure if more education on this is the solution or not, since it seems a lot of people don't really care about these internals and don't want to take the time to understand what's going on. I'm not sure I'd describe this as laziness or just stubbornness.
Users tend to be very goal-oriented and with (for example) TLS certificate validation errors, these simply stand in the way of what the end-user is trying to achieve. There have been a couple of studies done on how users tend to just dismiss these errors http://static.usenix.org/legacy/events/sec09/tech/full_paper...