The No. 1 Internet application is, and has been since the beginning, electronic mail. Everyone reading this column has e-mail, and so do some of your children, parents and grandparents. So why is it that in 2001 we continue to exchange e-mail so insecurely?
If we used postal mail (p-mail) as haphazardly as we do e-mail, p-mail would work something like this:
* We would always send mail on postcards.
* We would leave it for delivery on the kitchen counter, where anyone could read it.
* We'd hand it to someone passing by in front of our house, who seemed to be walking in the right direction, and ask them if they would mind carrying our mail with them to get it closer to the intended recipient.
* That person would take it as far as she could and then hand it to someone else, who could read it if he so wanted.
* The intended recipient would finally receive it. He would assume that no one read it along the way, that no one changed anything in the letter and that it really did come from the one and only you, even though you neglected to sign the letter.
Exaggeration? Maybe some. But we often act as if e-mail were as safe, secure and trustable as "certified with receipt requested" p-mail that the sender has signed and a notary public has confirmed.
Why We Should Care
A few years ago at a university attended by a colleague's son, a prankster forged e-mail to a professor as if it came from the chancellor of the school, firing the professor. The unfortunate victim should have known better, but he did believe it. Does anyone think that this is an isolated case? People "believe" what computers tell them.
Just as a common, strong and stable currency is required for commerce, a common, strong and safe e-mail is required for e-business. Also, safe and trustable e-mail is needed because people think that e-mail already is safe (from tampering and eavesdropping) and able to be trusted. Because of this, all sorts of personal, private, or company confidential data are exchanged by e-mail, putting at risk reputations, fortunes and livelihoods.
What You Should Do
Secure e-mail solutions have been around for 10 years, and never before have they been as available and accessible. Secure e-mail systems support the following:
* Confidentiality (keeping the message safe from unintended readers)
* Authentication (the ability to know who sent the message)
* Non-repudiation (the ability to prove that the sender must have sent it)
To achieve this security, e-mail security systems use digital certificates and public key cryptography (as discussed in my November 2000 column).
E-mail security systems come in three flavors:
* Stand-alone systems that work alongside of, but not integrated with, other e-mail solutions.
* Systems that use a Web site to facilitate secure e-mail.
* Secure e-mail integrated into your e-mail client software.
One example of a stand-alone system is "ZixMail". To compose and send ZixMail, you must use the ZixMail client software. It uses the Zixit certificate server to authenticate and encrypt. Recipients receive the encrypted message as an attachment in their usual e-mail client program; optionally, if they do not have the ZixMail client, they are directed to a Web site to read their e-mail over an SSL-protected link.
The Web-based e-mail provided by Yahoo! offers secure e-mail services in partnership with SecureDelivery.com. (The Netscape and AltaVista portals do not, but perhaps there are others that do.) The recipient of the e-mail receives a message with a pointer to the SecureDelivery.com site. Presumably, the e-mail is stored encrypted on the SecureDelivery site. Unfortunately, when the sender is composing the message for sending, the e-mail is composed and sent to Yahoo! over an open (unencrypted) connection.
There are integrated solutions -- those tacked onto popular e-mail clients -- based on proprietary protocols, such as the MailGuard enterprise e-mail solution from VanGuard.
The most common integrated solutions are based on either PGP or S/MIME. Both Microsoft Outlook and Netscape Messenger (pre-version 6.0) support S/MIME secure e-mail "out of the box." PGP integrates with both, as well as Qualcomm Eudora and other e-mail products.
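As an added illustration (not part of the original column), the Python sketch below reports whether a received message is a "postcard" or carries an S/MIME or PGP wrapper, judging only by its top-level MIME headers. The content-type names come from the S/MIME and PGP/MIME standards rather than from this column, and the sample messages, addresses and the `classify` and `sample` helpers are constructed for the example.

```python
from email import message_from_string

SMIME_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
SMIME_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify(raw):
    """Return (scheme, signed, encrypted) from the top-level MIME wrapper.

    A signature wrapper only shows that a signature is present; the mail
    client must still verify it against the sender's certificate or key.
    PGP text pasted inline into a text/plain body is not detected here.
    """
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol", "")).lower()
    if ctype == "multipart/signed":
        if proto in SMIME_SIG:
            return ("S/MIME", True, False)
        if proto == "application/pgp-signature":
            return ("PGP", True, False)
    elif ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return ("PGP", False, True)
    elif ctype in SMIME_MIME:
        kind = str(msg.get_param("smime-type", "")).lower()
        return ("S/MIME", kind == "signed-data", kind == "enveloped-data")
    return (None, False, False)  # the "postcard" case: no protection at all

def sample(content_type, sender="alice@example.org"):
    """Build a constructed test message; only the headers matter here."""
    return (f"From: {sender}\nTo: bob@example.org\nSubject: test\n"
            f"MIME-Version: 1.0\nContent-Type: {content_type}\n\nbody\n")

# Constructed samples: an unsigned note with a claimed sender, then three
# protected forms a PGP or S/MIME client would produce.
SAMPLES = {
    "plain": sample("text/plain", "chancellor@university.example"),
    "smime_signed": sample('multipart/signed; micalg=sha1; boundary="b"; '
                           'protocol="application/pkcs7-signature"'),
    "smime_encrypted": sample('application/pkcs7-mime; name="smime.p7m"; '
                              'smime-type=enveloped-data'),
    "pgp_encrypted": sample('multipart/encrypted; boundary="b"; '
                            'protocol="application/pgp-encrypted"'),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {classify(raw)}")
```

The "plain" sample has a From line that names a sender, yet nothing in the message backs that claim, which is the situation the postcard analogy describes.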
So, what should you do? Get a secure e-mail system and start using it with your friends and co-workers. Try it; you'll like it. Try it; you need it.
About the author:
Fred Avolio is the president and founder of Avolio Consulting, Inc., a Maryland-based corporation specializing in computer and network security, and dedicated to improving the state of corporate and Internet security through education and testing.
Items of interest:
Rose, Marshall, and Strom, David, "Internet Messaging: From the Desktop to the Enterprise" (ISBN 0139786104).
Help with Outlook and Netscape
The November 15, 2000 "Crypto-Gram" from Bruce Schneier has a very interesting article entitled "Why digital signatures are not signatures." Highly recommended.