Is Email Communication Safe?

Are email communications really as secure as you have been led to believe?

It's a big question, and an important one, because billions of emails are sent over the internet every day.

Many people who use email assume that because they log in with a username and password, the contents of their email are safe. Think again.

Email communications ARE NOT secure UNLESS you take certain measures.

Unless you use SSL to connect to your mail server and have encrypted your emails properly, it's possible for your email and your user details to be intercepted and your messages read by a third party.

To keep costs down, 90% of mail hosts don’t provide SSL support, so it's my guess that your email is currently transmitted unencrypted.

Here are some things to consider when using unencrypted email:

- email is sent over plain text protocols, meaning that if it's intercepted, it can be opened and read by anyone who is familiar with “packet sniffing”. Packet sniffing is often performed over wireless networks, especially in public wifi areas (which is why you never, ever post sensitive data to the internet in public areas).

- POP and IMAP are insecure because username and password are sent in clear text - these also can be easily sniffed.

- email passes through intermediary servers before reaching its destination, which means that it's easy for someone who knows how to intercept and read your messages.

- many Internet Service Providers (ISPs) store messages on their servers before they are delivered; sometimes they will keep them for months, even if you delete them in your mailbox.

- headers (which cannot be encrypted) and other information in the e-mail can often identify the sender, preventing anonymous communication.
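
To make the POP and IMAP point above concrete, here is an added example (not part of the original post): a small Python check that reads a mail client's protocol debug log and flags every login command sent before the connection was protected by TLS. The log format (lines prefixed "C: " and "S: "), the function name and the sample traces are assumptions made up for this illustration.

```python
import re

# Client commands that carry a password: POP3 USER/PASS, IMAP LOGIN, and
# SASL PLAIN/LOGIN (their base64 is an encoding, not encryption).
CRED_CMD = re.compile(
    r"^(?:\S+ )?(USER|PASS|LOGIN|AUTH(?:ENTICATE)? (?:PLAIN|LOGIN))\b", re.I)
TLS_CMD = re.compile(r"^(?:\S+ )?(STLS|STARTTLS)$", re.I)
OK_REPLY = re.compile(r"^(?:\+OK|\S+ OK)\b", re.I)


def audit_session(trace, implicit_tls=False):
    """Return (line_no, command) for each credential command sent without TLS.

    trace: client debug-log lines prefixed "C: " (client) or "S: " (server).
    implicit_tls: True if the connection was TLS from the first byte
    (POP3S on port 995, IMAPS on port 993).
    """
    encrypted = implicit_tls
    upgrade_pending = False
    findings = []
    for no, line in enumerate(trace, start=1):
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C" and TLS_CMD.match(text):
            upgrade_pending = True
        elif side == "C" and not encrypted:
            m = CRED_CMD.match(text)
            if m:
                findings.append((no, m.group(1).upper()))
        elif side == "S" and upgrade_pending:
            # Protected only once the server accepts the upgrade request.
            encrypted = encrypted or bool(OK_REPLY.match(text))
            upgrade_pending = False
    return findings


# Constructed traces (not real captures); the password is a placeholder.
POP3_PLAIN = ["S: +OK POP3 ready", "C: USER alice", "S: +OK",
              "C: PASS example-password", "S: +OK logged in"]
IMAP_STARTTLS = ["S: * OK IMAP4rev1 ready", "C: a1 STARTTLS",
                 "S: a1 OK Begin TLS negotiation now",
                 "C: a2 LOGIN alice example-password", "S: a2 OK done"]
POP3_REFUSED = ["S: +OK POP3 ready", "C: STLS", "S: -ERR TLS unavailable",
                "C: USER alice", "S: +OK", "C: PASS example-password"]

if __name__ == "__main__":
    for name in ("POP3_PLAIN", "IMAP_STARTTLS", "POP3_REFUSED"):
        print(name, audit_session(globals()[name]))
```

The third trace is the case to watch for: the server refuses the TLS upgrade and the client carries on and logs in anyway, so the password still crosses the network in clear text.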

So, what is the answer to the two main questions raised here?

Question 1: How do I encrypt my email communications so they are secure?

Question 2: What do I need to do in order to connect to my mail POP or IMAP server using SSL?

How do I encrypt my email communications so they are secure?

There are really only two ways to send secure email messages. Both provide secure communications; which one to use depends on your situation.

Simple Method – used when an occasional message needs to be kept hidden

Encrypt the text in your email using a simple online encrypter with a cipher key. This method would only be for the text in the email and would not support attachments or html emails.

It's a simple method for cases where, say, you want to send someone a password or confidential information but only want certain people to access that information.

You do of course have to generate the encrypted code and the cipher key, and you need a method to send the cipher key to the other person. You cannot send the encrypted code and the cipher key in the same email, for example; that's pointless, because if someone intercepted the email, it could be easily opened.

However, if you sent the encrypted data in an email and sent the cipher key by, say, a mobile phone, then that's fine.

Pros

- Free and Simple
- No software to install
- Can be accessed online
- Uses government strength encryption
- Encrypted data can be sent via different means

Cons

- Transport of the cipher key to the end user can be complicated
- End party needs to know where to decrypt the data
- Loss of cipher key means data cannot be accessed

Advanced Method – used in corporate situations where security is key

You can opt to use an encryption protocol such as S/MIME, PGP or Identity Based Encryption. These usually support text, attachments, files as well as html emails.

Encrypting email using one of these protocols is a pretty serious business and not for the faint-hearted. It can be complicated to configure and maintain, but if you send sensitive corporate information, usernames and passwords or clients' details, then it's usually worth the extra effort and cost to take the added measure of securing your email communications. In most corporate situations you will have an IT person available to help you; if not, you would have to research this yourself.

One of the most popular methods of securing your email communications is using PGP, which stands for ‘pretty good privacy’.

The PGP Desktop 9.x application from pgp.com includes desktop e-mail, digital signatures, IM security, laptop whole disk encryption, file and folder security, self decrypting archives, and secure shredding of deleted files.

The process involves installing the PGP software on your desktop or laptop on the sending and receiving computer (both machines need to support PGP in order to use it). You also need to create a digital signature on their secure platform server.

PGP performs many functions, but the main two that you would use the most would be:

1) Use of Digital Signatures. The software authenticates that an email or file sent to you is from the actual person that it should have been sent from. Using digital signatures, the PGP software will tell you if the email sent is really from the person who sent it.

2) File and Email Encryption. When you send or receive files you can encrypt the email so that it can only be read by certain digital signatures. This means if you send an email to a colleague and you have specified that only their digital signature may open the email, then only that person will be able to open it.

Pros
- Secure, Automated communication between two parties
- Ability to encrypt html emails and attachments
- PGP software can be used to encrypt hard disk space on your computer
- Use of digital signatures allows authentication

Cons
- PGP is not Free and requires subscription
- Can be complicated to set up and maintain

So to summarise, use PGP if you have serious corporate information to send by email. If you have to send the occasional bit of confidential data, then use the simple method of securing email information.

If you are surfing on the internet or sending email via an internet cafe or wifi hotspot, then only use login information where there is an SSL certificate on the web page; otherwise just assume that it's not safe. Never send confidential data via web mail.


2 Comments »

  1. WOW. This is amazing information. I bet this means that if our email is not coded then the government can listen in on emails too.

  2. I always used to think my email was completely safe but now after reading your post I can see it's a little more complicated than that.

     Right. I am off to get pgp!!!
