I am trying to find a way to let a small business (under 50 users)
send secure emails to their clients. The problem is that a good deal
of the clients have web-based emails. Those that don't have web-based
email don't all necessarily use the same client for email either.

I am looking for a secure way to send email to anyone, regardless of
what client they are using for email...whether it be AOL, MSN,
Exchange or Lotus etc.

If it makes a difference we use Exchange 2000 here with Outlook 2000
as the client software.

Hello, dvati0n-ga!
The short answer: yes. Among many other means, PGP is a very popular
way to encrypt messages securely. It does require software on the part
of the recipient, unless you send a self-decrypting email.

If you send a self-decrypting email, the clients need to know the
password. Whoever knows the password, can open the email.

If you send a PGP encrypted email, the recipients can only open the
email with their private encryption key(software).

I've used PGP in the past. I have successfully sent and received secure messages. 

For more info: www.pgp.com (PGP Personal which integrates with Outlook
2000 is $59 US)

It should be noted that there is an Open Source version of PGP called
GPG/GnuPG http://www.gnupg.org/(en)/index.html which can be installed
for free, and a plugin for outlook is available as well.
http://www3.gdata.de/gpg/download.html (click the UK/English flag)
The setup for the GPL'd (free as in freedom, and this case free as in
beer) software isn't as polished as the $59 software, but YGWPF.
I can't vouch for either piece as it's been several years and a few versions ago.

Search strategy: (personal knowledge of PGP and GPG) and 
gnupg in outlook 2000

How would PGP be used with a client getting their email through
web-based email like Yahoo or Hotmail?

You can only do secure email properly if the receiving end supports
the encryption standard you're using.  As far as I know, most of the
major webmail providers don't include built-in encryption / decryption
support.  You could, in theory, take the encrypted email and decrypt
it locally on your PC, but for the average user that would be too
awkward, too difficult, or both.

On a related note, you might want to take a look at Hushmail.  They
offer a complete secure webmail package which handles key generation
and storage for you.  (You'll want to use a very secure password to
compensate for the fact that they store the keys.)  They also offer
business packages for secure instant-messaging and other secure
communication services.

http://www.hushmail.com

dvati0n - The decryption at the webmail end would be a
select-copy-decrypt from clipboard thing.

Yes, hushmail is good, although it would mean that clients must have a
hushmail account for full security, right? (from the "About Us" page:
when one Hush user communicates with another Hush user, the circuit is
complete and the mail they send is completely safe)

And, btw hushmail uses Open PGP which is essentially the same concept
as mentioned above.  (This is not a negative, it's actually a
recommendation).

Brief synopsis: PGP works on key pairs. A public key which everyone
can have, and a private key, which only you have. To be effective, one
encrypts a document with the recipient's public key so only the
recipient can open it with the matching private key. The message is
useless without the proper key combination, and unless you
self-encrypt, even you won't be able to open your encrypted message.

Could you send a password-protected, encrypted, PDF file to your
recipients? They would need Acrobat reader but that is widely
available.

Of course, you still have to find some secure way of sending them the
password separately ...

Owain

"The decryption at the webmail end would be a
select-copy-decrypt from clipboard thing."

cynthias, could you expand on this process? It seems PGP would be a
great option for users of clients like Outlook (I had PGP in mind at
first as well...). But because I didnt think PGP could be of any use
to webmail users, I stopped considering it as an option. If you could
expand on how a webmail user would take advantage of PGP, that would
be most helpful.

owain, interesting idea. I might consider that as a last resort.

dvati0n,
I'm basing this answer on PGPFreeware 7.0.3, which is the version I
installed at least 1 year ago.

This is the above message encrypted to myself:
-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

qANQR1DBwU4Dn4y7s7JgGmUQB/9+L0LeEbUPu1Nrz4x+EHw60SI6Zxuwcyb2Y+Gf
dEHfVWKAAQgiIzv9AZI9stNqzqpabY49T78GgQ9b+OqNPARS2JXpEl0hsn08LwLb
f0MB7y27LErjT49GjSDSwE06Fy1/cEYTdPOlDrT9EVNviPfLMt1JUclj++EfWnJ1
/lBcqswaFbba9N+tqnz90Mb8ByfYdmx8TumIFvA8wyG6HylE8q9yBsAZimTcQ/uL
1E0wLaLXFoKFvkSadgUdTMfMCVbNLRpxp0NyAYCsDMQOrPojb9wicGUzWcczgQh/
d5Yd4d5SR12mD1u81FZaueDPdpsEegAH+03kOvkeWrLWURTzCACwPZIjUQ4NlIX4
n6M3y/rdbGTgkXLR2LtizLzVuxMUa4EA5gyotkVFH26I/1fxYOgWTs0xJXzLnAJG
qO1CejL4OBy8K++n3t2hbBagLc0n2G+2PEg9QKZcm/assklQKlublRnoefnnhRF0
5xhCupukQcZJEefF9ld1u7M2zmB6TPLz6Jpo1veA8W2JBTy3VdENIh+xTkaWnTjq
aPOQAiE8UCw7Xx5XZ1h9Ztd4ri7bANNXI12L98CCrE0kDp1AsdLuZ+IIUHPLXclE
CZZsj+8ftHky+zPj4eT/ApP/0kolSeo1az5XD1uqCa94iD7I0tsXdJh6ih7uKO+7
iUeu+M73yXWLo1/cI4ID7coFhx02P219+XhSO2cXimrLFn3oOYWM47MJlb9SMVXj
cv3qAdEOq6QWyPJPhI+vrxufFdUJy/xnaKSsdhGz9A73zc5vhgD3mzcw5thzbpZd
Q9iPjslHTtLyaXS57BsgMdMXtrF8122b1iFFO3s=
=CUBW
-----END PGP MESSAGE-----

Using the PGP Tools, I merely select the text, copy, click the PGP
Tools/Decrypt option, and press "Clipboard".

Unfortunately, I seem to have misplaced my ancient passphrase, so I
created a new keypair.

There's an easier way than that, as I've just found out... there is a
little icon by the clock. Left click, there's a menu
Current Window-> decrypt & verify. 

Very VERY easy.

I forgot to mention that the clients need PGP software installed as
well. That was noted above by Answer Researcher josh_g-ga and should
not have been glossed over. I thought it was implied in my statements,
but as I've read through the comments again, I feel it needs to be
said.

Hushmail is the best for the price, if you can convince your clients
to change email providers just for you. PGP is best for over-all
security, and can mean that the clients can have more local
possibilities of security besides just communicating. It may be a
small price to pay to not have the clients need to change email
providers.

After playing with PGP and experimenting with the possibilities, I
came here to address just that...that the clients would need PGP as
well...and that won't work with 250 clients =)

I'll look into hushmail.

Seems like there is no easy answer here...

Send self decrypting and have them call for password? :)

have a look at http://privasphere.com - this service has a seamless
way to integrate web-mail users with pgp/gnupg or x509 i.e. SMIME
certs and plain TLS/SSL enabled mail programs such as outlook