Safe Browsing Part 3, Encrypting your email

Published on 2001-08-28 by John Collins.

Introduction

Sending email across the Internet creates the illusion of safety. When you click that send button, it is not only your intended recipient who may have access to your message. Email may be left on a server for many months, while some servers may create backup copies of your emails. Apart from firewall systems and network security options, email server companies also have the responsibility to take care of the "real world" security of your email. For example, the server may be located in an office, the office may be unlocked, and the physical server machine may be vulnerable to attack via direct access.

The only sure way to protect the security of your email messages and attachments is to encrypt them. Encryption programs basically scramble the original file so that when it is accessed without your knowledge it is unreadable. The only way to decrypt the file is to have the necessary password and software to do so. There are many encryption programs available on the Net, and many are even free to use.

Encryption protocol

The only way to make the encrypted exchange of information possible is to ensure that the person (or people) you wish to communicate with is using the right software and has the correct password to decrypt your messages. The exchange of passwords is the weak link; the password should be changed monthly, and should be long and difficult for anyone to guess (a random combination of numbers and letters is best). The integrity of the system relies on you managing and protecting your passwords effectively.

The whole idea of this method of information security is that even if somebody gains access to a file (either through hacking or direct access), it is effectively useless to them as they cannot read the file's contents. Therefore it is logical to NEVER save decrypted versions of your files on a server or personal computer, as this defeats the purpose.

Only for the really paranoid

Before you and your colleagues embark on a data encryption policy, you should first ask yourselves if it is really necessary to do so. What kind of information do you need to protect, and why? For the casual Net user encryption is not necessary, although we all need our privacy to be respected. For a company protecting its clients' personal details (credit card numbers, phone numbers, order information etc.), encryption protocols are essential. A company may also need to protect its information from rivals within its industry; for such a company, encryption provides a safe method to communicate via email without having to worry about the security of its email contents.

It is worth mentioning that encryption is actually illegal in some countries, while some encryption algorithms are safer than others. When choosing what's right for you always consult the help files and "readme" files of the individual package in question.


Updated 2020: note that the above post is out-of-date, given this post was originally published in 2001, but is left here for archival purposes. It saddens me that we have at our disposal technologies like PGP (ref: https://en.wikipedia.org/wiki/Pretty_Good_Privacy) to make email secure, but we are instead accepting that our emails are not secure with a shrug. "Secure by default" email communication remains a dream for me.

Some positive progress is being made, however, in integrating OpenPGP into Thunderbird, without the need for third-party plugins: https://wiki.mozilla.org/Thunderbird:OpenPGP