Tip

Think your e-mail is secure? Think again

The No. 1 Internet application is, and has been since the beginning, electronic mail. Everyone reading this column has e-mail, and so do some of your children, parents and grandparents. So why is it that in 2001 we continue to exchange e-mail so insecurely?

If we used postal mail (p-mail) as haphazardly as we do e-mail, p-mail would work something like this:

* We would always send mail on postcards.

* We would leave it for delivery on the kitchen counter, where anyone could read it.

* We'd hand it to someone passing by in front of our house, who seemed to be walking in the right direction, and ask them if they would mind carrying our mail with them to get it closer to the intended recipient.

* That person would take it as far as she could and then hand it to someone else, who could read it if he so wanted.

* The intended recipient would finally receive it. He would assume that no one read it along the way, that no one changed anything in the letter and that it really did come from the one and only you, even though you neglected to sign the letter.

Exaggeration? Maybe some. But we often act as if e-mail were as safe, secure and trustable as "certified with receipt requested" p-mail that the sender has signed and a notary public has confirmed.

Why We Should Care
A few years ago at a university attended by a colleague's son, a prankster forged e-mail to a professor as if it came from the chancellor of the school, firing the professor. The unfortunate victim should have known better, but he did believe it. Does anyone think that this is an isolated case? People "believe" what computers tell them.

Just as a common, strong and stable currency is required for commerce, a common, strong and safe e-mail is required for e-business. Also, safe and trustable e-mail is needed because people think that e-mail already is safe (from tampering and eavesdropping) and able to be trusted. Because of this, all sorts of personal, private, or company confidential data are exchanged by e-mail, putting at risk reputations, fortunes and livelihoods.

What You Should Do
Secure e-mail solutions have been around for 10 years, and never before have they been as available and accessible. Secure e-mail systems support the following:

* Confidentiality (keeping the message safe from unintended readers)

* Authentication (the ability to know who sent the message)

* Non-repudiation (the ability to prove that the sender must have sent it)

To achieve this security, e-mail security systems use digital certificates and public key cryptography (as discussed in my November 2000 column).

E-mail security systems come in three flavors:

* Stand-alone systems that work alongside, but are not integrated with, other e-mail solutions.

* Systems that use a Web site to facilitate secure e-mail.

* Secure e-mail integrated into your e-mail client software.

Stand-Alone

One example of a stand-alone system is "ZixMail". To compose and send ZixMail, you must use the ZixMail client software. It uses the Zixit certificate server to authenticate and encrypt. Recipients receive the encrypted message as an attachment in their usual e-mail client program. Optionally, if they do not have the ZixMail client, they will be directed to a Web site to read their e-mail over an SSL-protected link.

Web Interfaces

The Web-based e-mail provided by Yahoo! offers secure e-mail services in partnership with SecureDelivery.com. (The Netscape and AltaVista portals do not, but perhaps there are others that do.) The recipient of the e-mail receives a message with a pointer to the SecureDelivery.com site. Presumably, the e-mail is stored encrypted on the SecureDelivery site. Unfortunately, when the sender is composing the message for sending, the e-mail is composed and sent to Yahoo! over an open (unencrypted) connection.

Integrated Solutions

There are integrated solutions -- those tacked onto popular e-mail clients -- based on proprietary protocols, such as the MailGuard enterprise e-mail solution from VanGuard.

The most common integrated solutions are based on either PGP or S/MIME. Both Microsoft Outlook and Netscape Messenger (pre-version 6.0) support S/MIME secure e-mail "out of the box." PGP integrates with both, as well as Qualcomm Eudora and other e-mail products.
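The three properties listed earlier (confidentiality, authentication, non-repudiation) can be seen at work in S/MIME through the `openssl` command line. This is an added example, not part of the original column; the self-signed certificates stand in for ones issued by a certificate authority, and all names, addresses and message text are constructed.

```shell
#!/bin/sh
# Added example, not from the column. Names, addresses and message text are constructed.

mkcert() {  # $1 = file prefix, $2 = CN; self-signed stand-in for a CA-issued certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

verify() {  # $1 = message, $2 = text expected in the body; trusts only the sender's cert
    if openssl smime -verify -text -in "$1" -CAfile sender.crt -out body.txt 2>/dev/null \
        && grep -q "$2" body.txt
    then echo accepted; else echo rejected; fi
}

smime_demo() (
    set -e
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
    mkcert sender "Sender Example"
    mkcert recipient "Recipient Example"
    printf 'Your contract is renewed.\n' > msg.txt

    # Authentication and non-repudiation: sign with the sender's private key.
    openssl smime -sign -text -in msg.txt -signer sender.crt -inkey sender.key \
        -out signed.eml 2>/dev/null
    genuine=$(verify signed.eml renewed)

    # A relay edits the cleartext body in transit: the signature no longer matches.
    sed 's/is renewed/is terminated/' signed.eml > tampered.eml
    tampered=$(verify tampered.eml terminated)

    # An unsigned message that merely claims the sender's address.
    printf 'From: sender@example.com\n\nYour contract is terminated.\n' > unsigned.eml
    unsigned=$(verify unsigned.eml terminated)

    # Confidentiality: encrypt the signed message to the recipient's certificate.
    openssl smime -encrypt -aes256 -in signed.eml -out sealed.eml recipient.crt
    if grep -q renewed sealed.eml; then onwire=readable; else onwire=opaque; fi

    # The recipient decrypts with the private key, then checks the signature.
    openssl smime -decrypt -in sealed.eml -recip recipient.crt -inkey recipient.key \
        -out opened.eml
    delivered=$(verify opened.eml renewed)

    echo "genuine=$genuine tampered=$tampered unsigned=$unsigned onwire=$onwire delivered=$delivered"
)

smime_demo
```

The recipient accepts only the message whose signature checks out against a certificate it already trusts; the edited and unsigned copies are rejected, and the encrypted copy shows none of the message text to anyone relaying it.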

So, what should you do? Get a secure e-mail system and start using it with your friends and co-workers. Try it; you'll like it. Try it; you need it.

About the author:

Fred Avolio is the president and founder of Avolio Consulting, Inc., a Maryland-based corporation specializing in computer and network security, and dedicated to improving the state of corporate and Internet security through education and testing.

Items of interest:

Rose, Marshall, and Strom, David, "Internet Messaging: From the Desktop to the Enterprise" (ISBN 0139786104).

Help with Outlook and Netscape

The November 15, 2000 "Crypto-Gram" from Bruce Schneier has a very interesting article entitled, "Why digital signatures are not signatures." Highly recommended.


This was first published in February 2001
