Encryption, digital signatures, digital  certificates…there are several ways of keeping your e-mail safe from prying eyes  
E-mail is often likened to a postcard—it is as easy to view and read on the digital journey to its destination as is its snail-mail counterpart. While you may believe that nobody would really be interested in knowing the nitty-gritty of your workday or exchanges with your friends and family, securing e-mail is still important. Some of the vast volume of your e-mail may contain personal details, such as telephone numbers or bank account numbers, or work-related information like ideas about a new product or service, strategies, or other intellectual property that would be of interest to your business rivals.
 Sophisticated technologies exist to intercept e-mail en route from sender  to recipient, and data-mining techniques make it easier to sift through the  increasing volume of electronic messages. In this scenario, you may like to  consider the means available to keep your e-mail tamper-proof and private.
 Risks to e-mail 
There are several inherent risks in the way e-mail functions. When you send  e-mail to a recipient, it travels to an SMTP (Simple Mail Transfer Protocol)  server either directly (if you’re using an e-mail client such as Outlook) or via  a Web server (if you’re using Web-based mail, such as Hotmail). The recipient  will receive your e-mail directly from the SMTP server or via a Web server.  
 During this journey, any unauthorized person can access your messages by  exploiting vulnerabilities on the SMTP or Web servers. Your messages can be read  and copied by anyone who has access to the computers and networks through which  your messages travel. In fact, authorized system administrators on the SMTP  servers can also read, copy, save, delete, and modify your messages before  sending them on. 
 During this ‘eavesdropping’, it may be possible to gain access to your  usernames and passwords. The mischief-monger can then wreak havoc by sending  messages on your behalf. You may also receive messages from known e-mail IDs  that have been created and sent by unauthorized users; such messages usually  contain viruses, Trojans or ask you to reply to the message with sensitive  personal information, such as bank-account or credit-card details.
 What’s more, mail backups on SMTP servers store the e-mail in plain text;  sometimes, messages that you sent or received years ago are easily available on  these backups, long after you have deleted them.
The issues with e-mail are, therefore, manifold - the sender’s e-mail ID  may be stolen and misused, without the recipient knowing about it; messages may  be intercepted; or messages may be stored such that their content is easily  accessible.  
 Encryption, digital signatures, and digital certificates are some ways of  securing e-mail from these threats.
Encrypting e-mail 
 Encryption means scrambling the text of your message to a seemingly  gibberish combination of letters and numbers, so that anyone who reads it en  route can make no sense of it. Only the recipient is able to decrypt the  message.
 Using public keys is the most common form of encryption. This requires the use of two keys - a public key and a private key. The private key resides on your computer and you share the public key with the recipients to whom you wish to send encrypted messages. When you wish to send the message, you encrypt it with the public key. On the other end, the recipient needs their own private key and your public key to decrypt the message. Since the message is decrypted using your public key, it proves that you sent the message. You can encrypt messages as well as attachments.
 If you use Outlook as your e-mail client, encryption is built into it via  digital IDs, which enable you to encrypt your message and digitally sign it as  well. You can also use the popular public-key encryption system, PGP (Pretty  Good Privacy), with Outlook itself and with other e-mail clients. This utility  is available as freeware on www.pgpi.org.
 Digital IDs and Signatures 
 Having a digital ID enables you to add another layer of security to your  e-mail via digital signatures. A digital ID ties your identity information—name  or e-mail ID, for instance—with your public key. 
 When you use this ID to digitally sign your messages, a part of your  message is encrypted with your private key, so that the recipient knows that the  message came from you; if you encrypt the message in addition, then the  signature and the message are encrypted with your public key. This enables the  recipient to know whether the message has been accessed or modified en  route.
 Digital IDs are provided via e-mail certificates, which are usually issued  by external certification authorities (CAs). In organizations, sometimes, the  administrator of your Exchange Server generates these certificates for  users.
 If you use Outlook, you can get e-mail certificates from CAs. Some, like Comodo, offer these free of charge for personal use; for commercial use, different schemes are available from various CAs.
Digital Certificates and SSL 
 These are often used by Web servers for authentication—they help you ensure  that you have connected to the right Web server and that your communication with  the server will be secure.
 SSL (Secure Sockets Layer) is a security protocol used by browsers and Web servers. Sites that use SSL have URLs beginning with https, instead of http. When you communicate with such a site, the server creates a symmetric key (a key that can be used to both encrypt and decrypt messages) and sends it to your computer after encrypting it with a public key. The other computer decrypts the symmetric key, so that communication between both computers is encrypted en route, and only the two computers can decrypt it. SSL is often used for transactions that require you to share sensitive information, such as online banking or e-commerce transactions. To ensure that your Web-based e-mail is secure, you could use an e-mail provider who uses SSL.
 Digital certificates are issued by CAs to authenticate servers. They contain the name of the server (or organization), the validity period for the certificate, the server’s public key, and other information. They show that the server is what it claims to be and provide the public key which can be used to encrypt messages to the server. When connecting to some sites, you may have encountered error messages saying, for example, that the certificate has expired or that it was issued to a server with a different name. These could indicate that your communication is at risk of being intercepted; so, it’s better to check back with the site later or to get in touch with the organization to find out if the error is due to a technical snag.
 You may find e-mail security a time-consuming task the first time round,  but it’s worth the effort in the long run. 
 
3 comments:
very nice.. :)
wooooooooooooow thnx so much for sharing all these stuff...so much informative...thnx :)
dis one's awesome bindi..
keep rocking