Thursday, February 18, 2010

Some facts

This is yet another case of security technologies being used for criminal purposes. Let’s take HTTPS as an example. When attacking a Web server, HTTPS is the attacker’s best friend because it can potentially bypass whatever security appliances the victim might have in between (IDS, IPS, etc.). I am not saying that this is universal, but it works very often. In simple words, because the traffic is encrypted, the security appliance won’t be able to understand what the encrypted channel holds and as such won’t do anything if an attack is launched against the destination server. This is an example of a security technology that is designed to prevent attacks but at the same time turns out to be a huge advantage in the wrong hands.
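The inspection gap described above, as an added example that is not part of the original post: a minimal payload-matching sensor that recognizes TLS record headers and reports those flows as opaque instead of silently passing them, so the blind spot can be measured. The signature string, function names and sample flows are constructed for illustration.

```python
import hashlib
import struct

# Constructed signature; a real sensor would load its rule set here.
SIGNATURES = [b"EXAMPLE-BAD-PATTERN"]

def is_tls_record(payload: bytes) -> bool:
    """True if the bytes start with a plausible TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    # 20..23 = change_cipher_spec, alert, handshake, application_data
    return 20 <= ctype <= 23 and major == 3 and minor <= 4 and 0 < length <= 16384 + 2048

def inspect(payload: bytes) -> str:
    """Classify one flow the way a content-matching appliance sees it."""
    if is_tls_record(payload):
        return "opaque"  # ciphertext: content signatures cannot be applied
    if any(sig in payload for sig in SIGNATURES):
        return "alert"
    return "clean"

def coverage(flows) -> dict:
    """Count verdicts so the uninspected share of traffic is visible."""
    verdicts = [inspect(p) for p in flows]
    return {v: verdicts.count(v) for v in ("alert", "clean", "opaque")}

def sample_flows():
    """Constructed flows: two plaintext HTTP requests and one TLS record."""
    # Stand-in for ciphertext; whatever it carries is invisible to the sensor.
    ct = hashlib.sha256(b"stand-in ciphertext").digest() * 2
    return [
        b"GET /?q=EXAMPLE-BAD-PATTERN HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"\x17\x03\x03" + struct.pack("!H", len(ct)) + ct,
    ]

if __name__ == "__main__":
    print(coverage(sample_flows()))
```

Tracking the "opaque" count over time shows how much traffic reaches the server without any content inspection.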

OK, this is boring. Let’s think about spam and drive-by download attacks. Spam: harder but not impossible. Google does an excellent job of removing spam from my mailbox. But what if the spam is encrypted? There is no way you can tell whether the message inside is worth something. Not to mention that email addresses and public keys, which are required to encrypt the message and send it to the right people, are two types of information that are available online for free. There are many public key servers that attackers/spammers can use.