The No. 1 Internet application is, and has been since the
beginning, electronic mail. Everyone reading this column
has e-mail, and so do some of your children, parents and
grandparents. So why is it that in 2001 we continue to
exchange e-mail so insecurely?
If we used postal mail (p-mail) as haphazardly as we do e-
mail, p-mail would work something like this:
* We would always send mail on postcards.
* We would leave it for delivery on the kitchen counter,
where anyone could read it.
* We'd hand it to someone passing by in front of our
house, who seemed to be walking in the right direction, and
ask them if they would mind carrying our mail with them to
get it closer to the intended recipient.
* That person would take it as far as she could and then
hand it to someone else, who could read it if he so wanted.
* The intended recipient would finally receive it. He
would assume that no one read it along the way, that no one
changed anything in the letter and that it really did come
from the one and only you, even though you neglected to
sign the letter.
Exaggeration? Maybe some. But we often act as if e-mail was
as safe, secure and trustable as "certified with receipt
requested" p-mail that the sender has signed and a notary
public has confirmed.
Why We Should Care
A few years ago at a university attended by a colleague's
son, a prankster forged e-mail to a professor as if it came
from the chancellor of the school, firing the professor.
The unfortunate victim should have known better, but he did
believe it. Does anyone think that this is an isolated
case? People "believe" what computers tell them.
Just as a common, strong and stable currency is required
for commerce, a common, strong and safe e-mail is required
for e-business. Also, safe and trustable e-mail is needed
because people think that e-mail already is safe (from
tampering and eavesdropping) and able to be trusted.
Because of this, all sorts of personal, private, or company
confidential data are exchanged by e-mail, putting at risk
reputations, fortunes and livelihoods.
What You Should Do
Secure e-mail solutions have been around for 10 years, and
never before have they been as available and accessible.
Secure e-mail systems support the following:
* Confidentiality (keeping the message safe from
unintended readers)
* Authentication (the ability to know who sent the
message)
* Non-repudiation (the ability to prove that the sender
must have sent it)
To achieve this security, e-mail security systems use
digital certificates and public key cryptography (as
discussed in my November 2000 column .)
E-mail security systems come in three flavors:
* Stand-alone systems that work alongside of, but not
integrated with, other e-mail solutions.
* Systems that use a Web site to facilitate secure e-mail.
* Secure e-mail integrated into your e-mail client
software.
Stand-Alone
One example of a stand-alone system is "ZixMail". To compose and send ZixMail, you
must use the ZixMail client software. It uses the Zixit
certificate server to authenticate and encrypt. Using their
usual e-mail client program, recipients receive the
encrypted message as an attachment (or optionally -- if
they do not have the ZixMail client, they will be directed
to a Web site to read their e-mail over a SSL-protected
link).
Web Interfaces
The Web-based e-mail provided by Yahoo! offers secure e-
mail services in partnership with SecureDelivery.com. (The
Netscape and AltaVista portals do not, but perhaps there
are others that do.) The recipient of the e-mail receives a
message with a pointer to the SecureDelivery.com site.
Presumably, the e-mail is stored encrypted on the
SecureDelivery site. Unfortunately, when the sender is
composing the message for sending, the e-mail is composed
and sent to Yahoo! over an open (unencrypted) connection.
Integrated Solutions
There are integrated solutions -- those tacked on popular
e-mail clients -- based on proprietary protocols, such as
the MailGuard enterprise e-mail solution from VanGuard.
The most common integrated solutions are based on either
PGP or S/MIME. Both Microsoft Outlook and Netscape
Messenger (pre-version 6.0) support S/MIME secure e-mail
"out of the box." PGP integrates with both, as well as
Qualcomm Eudora and other e-mail products.
So, what should you do? Get a secure e-mail system and
start using it with your friends and co-workers. Try it;
you'll like it. Try it; you need it.
About the author:
Fred Avolio is the president and founder of Avolio Consulting,
Inc., a Maryland-based corporation specializing in computer and
network security, and dedicated to improving the state of corporate
and Internet security through education and testing.
Items of interest:
Rose, Marshall, and Strom, David, "Internet Messaging: From
the Desktop to the Enterprise" (ISBN 0139786104).
Help with Outlook and Netscape
The November 15, 2000 "Crypto-Gram" from Bruce Schneier has
a very interesting article entitled, "Why digital
signatures are not signatures."Highly recommended.
