On e-mail encryption

Upon receiving an e-mail from Cory Doctorow, I noticed that he happens to encrypt his messages. To accomplish this, he is using OpenPGP through Enigmail.  In the first place, I thought it was very cool to see that. You know, it is something different, something I had not seen before — especially considering that I am on the Net for quite some time now. So to me it was kind of special, unique in a sense, undergroud, straight from the Net’s darkest trenches  or catacombs I would say. But why do you have to use encryption? And is it safe at all?

Anyway, I have never fully grasped how the mechanisms behind PGP works though, the encryption Doctorow uses. What I understand is that the cryptography is based upon assymetric cryptography, meaning that there are two keys: one to encrypt and one to decrypt the information. But the thing is, encryption doesn’t make much sense when the receiving party does not apply it. You have to add the public key of your receivers to your public keyring. And of course you also need a private key to decrypt the data. That’s one observation.

My point is that encrypting e-mails can be useful, but it is not very secure in the end. In the remainder I will explain you why.

To begin with, the e-mail SMTP protocol is a very little secured protocol as the SMTP protocol requires no authentication. With a scripting language like PHP, you can easily send an e-mail by implementing the mail() function. But it doesn’t have to be that difficult. In fact, one can e-mail from every computer using the network protocol telnet. What is more alarming, is that telnet is present on every Unix machine. So when your colleague is away from the computer, it takes very little effort to open a command prompt when they did not lock their machine. Not only will you then be able to send on their behalf, but also from their IP address and hunting down the SMTP server is also a piece of cake. Regarding a telent session, it is worth knowing though that it interprets character by character, so also when using the backspace for instance, it will be displayed in the message you intend to send. The bottom line is that every character has to be right.

Secondly, e-mails are also insecure because they can be read while they are in transit over networks, or when they are in e-mail servers.  So no real guarantee exists that information in transit is secure. That brings me to e-mail encryption. In the corporate world, it is usually advised to encrypt e-mails that contain confidential information using Digital Certificates. Read for example how to use Digital Certificates in Microsoft Outlook.  I think it is very useful to extend the idea of using e-mail encryption to our personal lives to, for our own sake, privacy and trust, like Doctorow does. Webmail services like gmail can help in this, by enabling e-mail encryption by default. That however introduces another problem here, since it is not always easy for us to make the right decisions on what is to be classified as highly confidential information. In companies, there are usually policies available for this matter, but for the individual it is entirely up to him or her to decide if the receiving party can be trusted with a particular type of information. Let’s just not forget that information indeed is power. Human behavior can be influenced by technology though, and in this case by giving the means, right incentives and tools to use encryption when e-mailing.

If applied correctly, e-mail encryption can be useful for business needs like protecting classified information or to share information with the ones you trust in general. It helps to keep the barrier between our public and private matters alive. However, there is a catch to it. Ironically, just because the e-mail protocol is inherently so insecure by design, encrypted e-mails cannot be checked for viruses by, for instance an exchange server or by any other anti-virus systems. Indeed, the purpose of encryption is that it should be decrypted by the receiver’s computer only and not by the server. And viruses can be propagated not only in attachments, but also in the body of a message. Therefore, also be aware that you should not open encrypted messages from anyone unless you have previously arranged to exchange encrypted messages with them.

One thought on “On e-mail encryption”

Leave a Reply

Your email address will not be published. Required fields are marked *