How secure is email and what is so unsecure about it?

Hello Dpers,

I know that email is not a secure messaging method and I would like to explain it to some of my clients.

Is there some simple explanations of this on the web somehwhere where I can send my clients to so that they will "get it"?

I would like to point out to some clients that even though they have a username and password for their email account, in general its not secure.

The question they will ask me is "well why is that?".

I just need some easy reference material for some of simpletons.

 

I don't have any references off hand but the main points to remember about email is that:

* Messages are sent in clear text, so they can be read by anyone packet sniffing anywhere along the email route.
* POP and IMAP are insecure because username and password are also sent in clear text - these also can be easily sniffed (advise people if possible to use ssl for pop, imap and webmail).

* The sniffing can be highlighted by using public wireless access points as an example. An open wireless connection can be easily sniffed so a person using POP3 to read their email can have their password stolen and all email read.

Hope this helps.

The answer is encryption. SSL and Encrypted Wireless. If using unencrypted wireless access always use encrypted protocols.

 

Because the current email transmission Protocol (MIME) is not secured. S/MIME may be used in the future, it's secured.

E-mail privacy, without some security precautions, can be compromised because:

* e-mail messages are generally not encrypted;
* e-mail messages have to go through intermediate computers before reaching their destination, meaning it is relatively easy for others to intercept and read messages;
* many Internet Service Providers (ISP) store copies of your e-mail messages on their mail servers before they are delivered. The backups of these can remain up to several months on their server, even if you delete them in your mailbox;
* the Received: headers and other information in the e-mail can often identify the sender, preventing anonymous communication.

More on http://en.wikipedia.org/wiki/Email and http://en.wikipedia.org/wiki/E-mail_encryption

 

My favourite method is a quick demonstration.

Jump on their network and fire up your packet sniffer. It shouldn't be more than a few minutes before you have half the company's usernames and passwords. This works quite well for FTP and open wireless networks as well.

 

I reccomend reading Digital Fortress by Dan Brown, yes it is fiction, but a lot of real issues regarding email security.

 

This email service is using 1024 bit SSL certificate. So the communication between the browser and the mailserver is pretty safe.
And they offer 256 bit AES encryption of the email content.
If an mail is encrypted the only thing that is needed to decrypt is the password. This can be set before encryption.
If the recipient doesn't know it, he can't decrypt.
Encryption/Decryption is computed on the clients computer (javascript).
If the recipient has no safermail.biz email account, he can decrypt the message at

https://safermail.biz/index.php?option=com_wrapper&view=wrapper&Itemid=55

if he has the password.

The service is 10 US$ per year.

This is technically a superior solution since the encryption/decryption is calculated 100% on the clients computer - no passwords are transferred.

The webmailer is an upgraded horde with POP, IMAP.

regards

Rene Andre Poeltl

 

Stop your stupid spam. It's even much less of a problem that this is spam, but it's also completely misleading and bogus.

 

yeah, I did actually go to the site too and a warning popped up saying there is something wrong with the security certificate, not a good sign either.

 

This is not true. My post was not spam, but a spam filter is included with every safermail.biz account. And concerning misleading and bogus: You can't prove that - because it's not true ... I guess you're just trying to put me down.

But I saw your website and you titled Mediocrity is a sin. Well in that case you can't say anything against me, since that website is not even mediocre. (technology,topics,etc.)

On the other hand safermail.biz is the high-tech approach for secure email communication from a users point of view on a global scale - worldwide - really - I did my homework.

And your posts in the past do not qualify you for being an expert on this topic.

René André Poeltl

 

That's the warning for all self signed certificates. There's nothing wrong about it if you compare the fingerprint as the website recommends. If you want 1024 bit super safe SSL you cannot buy a certificate from Verisign or Thawte. There were rumors in the net, that government agencies like nsa might have a masterkey from those - but they don't have one for safermail.biz. So there was no alternative to self-sign one. If you expect a super-easy "if it's not exactly like my google or yahoo account, than it's bullshit", well than you get not a secure email communications solution. But it's really easy once you installed the certificate - everything like a usual. But I know that the security warning from the browser is something that can alert users. Well you can also avoid it and surf to a non SSL url: safermail.biz that won't show the warning. Than you can read the info concerning the certificate and so on.

 

Reading this thread I think the important thing to note about secure email is that not all mail needs to be sent securely - it is up to the user to determine whether the contents need to be secure. It is true email can be sniffed using man in the middle techniques, this is relatively difficult to do and the biggest threat probably comes from hacked user accounts, as generally users passwords are weak. How many email message contain sensitive information in your email account - have a look, it's quite surprising.

Secure mail services have matured since the start of this thread back in 2006 and we suggest that users use digipost (www.digipostsecure.com) to compliment their normal email rather than using it for all email communication. The reason for this is there is a minor inconvenience with secure email but equally you can be sure to protect confidential information such as bank account details, signed documents, passwords etc when you need to.

TJ.

 

get email certificate to secure your mail from hackers, you cam avoid scams

 

Typically an SSL Certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site it will retrieve the site's SSL Certificate and check that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL.