
EMail encryption

How do you know that the server is unsecured, let alone the documents are unsecured?
The original suggestion was to have a login page to a web server. There were no encryption keys, therefore they were plaintext. That's what I meant by unsecure.
Again, nothing beats face to face
But you can get pretty close with proper protocols. :)
 
With a digital signature it is encrypted so that only the digital signature of the receiver can unlock it.

I think what you're talking about here is the Danish government-sponsored program for secure identification and encryption. (Correct me if I'm wrong).

It hinges on the social security database + unregistered mail for initial identification. Then, it uses asymmetrical encryption for signing and encrypting messages. It is the only login method govt. agencies (tax etc.) will accept. I don't know the exact scheme used.

But it is not available to people who are not Danish residents.

The main thing it has going for it is the semi-secure identification. You can pretty much be sure a user is who he says. On the flip side, if you use these keys for full encryption, you have all the usual problems of having a third party involved: You have to trust their motives and competence.
 
Why should I use it? I don't need it.
Traffic analysis. If only important emails are encrypted then attackers know exactly what to focus on.

Are you sure you've never sent an email that you wouldn't want the whole world to see? A message to a friend saying that you'll be at TAM on these dates, that a burglar would see as an invitation to an empty target? A note about a friend's minor health issue that an insurance company would see as evidence of a pre-existing condition? What is that quote that goes something like 'give me a paragraph written in a man's own hand about the most innocent subject, and I'll get him hung for treason'?

I'd love to see strong encryption built in to email programs.
 
PGP will create self-decrypting archives that open with a password. Keys are not used. It is therefore less secure. I imagine it's about as secure as a password-protected zip file.

The security auditors my company employs deem both methods acceptable for files containing bank account numbers.
 
What bugs me is that email encryption has been around forever but so few people use it.

The main reason for that is pretty much because so few people use it. In order for encryption to be generally used, you need to know that the people you send emails to will be able to decrypt whatever you send to them. Since so few people use encryption, that means I can't start to use it because I'd have to ignore it for the vast majority of my emails anyway.

Then there's the problem of what program people would use. Either you need everyone to use the same program, which just isn't an option, or you need a universal standard, which isn't exactly a strong point in the software industry, or you need everyone to have multiple keys and to know which one to use depending on who they're sending things to. Encryption just isn't something that's easy to implement on a large scale.
 
Traffic analysis. If only important emails are encrypted then attackers know exactly what to focus on.

Are you sure you've never sent an email that you wouldn't want the whole world to see? A message to a friend saying that you'll be at TAM on these dates, that a burglar would see as an invitation to an empty target? A note about a friend's minor health issue that an insurance company would see as evidence of a pre-existing condition? What is that quote that goes something like 'give me a paragraph written in a man's own hand about the most innocent subject, and I'll get him hung for treason'?

I'd love to see strong encryption built in to email programs.
If I were paranoid enough to think that burglars were actually targeting me specifically, or that an insurance company would violate privacy laws to read third-party emails, then I might think like you do.

Encryption is an extra layer of complication that I don't need. I'm reasonably careful about what I put online. I'm very aware that any time I put something online someone I don't know might read it, and that goes for emails as well.

It's like locking your front door when leaving the house. Anyone determined enough to get inside will do so regardless of whether the door is locked or not. Locking the door doesn't provide anything more than a deterrent for casual burglars.

I use a moderately strong password on my emails. If someone is really determined to look into my emails specifically, then they will do so regardless of what I do to try and prevent them. If necessary, they can steal my laptop and brute force crack my password, in which case any encryption I use is completely useless.
 
Thanks guys...some really good stuff here.

Encryption is a great idea, but until it becomes more accessible to the rank and file it really isn't going to take off.

I put everything in a nice compact message and told him to take a look at each solution and see if anything works for him.

I also suggested he get a waiver from anyone that wants their tax return sent via email, regardless of the method he chooses. People will easily agree to things out loud, but when they see the actual dangers in writing it may give them pause.

One thing of interest that I did come across: Truecrypt. Not really a program for encrypting email, but pretty cool anyway. It builds an encrypted folder (or will encrypt an entire disk) and is free to download. http://www.truecrypt.org/
 
Outlook 2007 can also encrypt emails, but I don't know the hows of such things. GreNME may know that. (I use mutt and gpg.)

The hows basically involve your computer (with Office 2007 installed) creating a "digital signature" that is pretty much a security certificate that you can send to a recipient in order to decrypt the encrypted mail that's sent. A few flaws in it that keep it out of regular use for me are that the signature is not easily portable (outside of sending to recipients), it's not exactly cross-platform, and if your recipient doesn't have your signature attached to the encrypted e-mail, then they can't open it. None of these are a big deal, and inside of an Exchange system (which isn't the case of the OP) it actually works pretty nicely for internal traffic security. However, it requires a slight change to how someone uses Outlook, and that tends to be a stumbling block for it becoming widely used.

As for how well it works between different e-mail clients, I'd have to test it since I've never had to run into it personally. For anyone interested in learning how to set up e-mail encryption on their Office 2007 install, here are some basic directions.

The problem with encryption of e-mail is that while many of the options out there are similar, there's not one that has made its way to being acceptable by most platforms and vendors, and even then it'll be a matter of time as the older generation software phases out of use before it becomes the norm. Also, naturally, the issue of key management comes into play as well, but perhaps this is something where cloud computing may very well be to the benefit of getting popular and simple acceptance to e-mail encryption-- have an e-mail "profile" saved on the cloud with settings, preferences, and saved keys, and sync them up with your e-mail client of choice when you install or reinstall the client software.
 

Say "cloud" one more time and I put you on ignore. ;)
 
At work we put [secure] in the subject line to encrypt E-mail. I have no idea how secure it actually is.
 
Really? I was told that made the E-mail HIPAA compliant. That is strange if it does not actually do anything.

This could be as simple as all emails with that in the subject being stored in encrypted form, or it could be a trigger for mail delivery server-side for encryption.

Or it could be nothing. Dunno.

Unless it actually triggers your mail client to encrypt it, it's still going clear text to the server.
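
Added example, not part of any post in the thread: one way to check whether a message carrying the `[secure]` subject tag was actually encrypted by the mail client before it reached the server, by inspecting its MIME structure (S/MIME enveloped data, PGP/MIME, or inline PGP armor). The function names and sample messages are constructed for illustration; a gateway that encrypts server-side after submission would not show up in this check.

```python
from email import message_from_string
from email.header import decode_header, make_header

TAG = "[secure]"  # subject marker mentioned in the thread

def is_client_encrypted(msg):
    """True if the MIME structure shows the body was encrypted before submission."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        # PGP/MIME (RFC 3156)
        return (msg.get_param("protocol") or "").lower() == "application/pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME: enveloped-data is encrypted; signed-data is only signed
        smime_type = (msg.get_param("smime-type") or "").lower()
        return smime_type in ("enveloped-data", "authenveloped-data")
    if ctype == "text/plain":
        body = msg.get_payload()
        return isinstance(body, str) and "-----BEGIN PGP MESSAGE-----" in body
    return False

def classify(raw):
    """Return 'client-encrypted', 'tagged-but-cleartext' or 'cleartext'."""
    msg = message_from_string(raw)
    # Decode RFC 2047 encoded subjects so the tag cannot hide in an encoded word
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    if is_client_encrypted(msg):
        return "client-encrypted"
    return "tagged-but-cleartext" if TAG in subject.lower() else "cleartext"

# Constructed sample: tagged, but the body is plain text on the wire
SAMPLE_PLAIN = (
    "From: preparer@example.com\n"
    "Subject: [Secure] Tax return\n"
    "Content-Type: text/plain\n"
    "\n"
    "Return attached as discussed.\n"
)

# Constructed sample: S/MIME enveloped message (payload is a placeholder)
SAMPLE_SMIME = (
    "From: preparer@example.com\n"
    "Subject: [secure] Tax return\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "UExBQ0VIT0xERVI=\n"
)

if __name__ == "__main__":
    for name, raw in (("plain", SAMPLE_PLAIN), ("smime", SAMPLE_SMIME)):
        print(name, "->", classify(raw))
```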
 
