How to: secure your email
By Eric Geier
November 20, 2008
Find out how to protect your email communications by securing the connection between email servers and email software, such as Microsoft Outlook or Thunderbird.
Email has become such a common method of communication that many of us, including small business owners and their employees, regularly send sensitive messages without worrying about security. In this tutorial, we will see how to secure the connection between mail servers and mail software (such as Microsoft Outlook or Thunderbird) and protect the content and attachments of the messages we send and receive. e-mails
When you use email software, such as Microsoft Outlook or Thunderbird, without proper protection, account credentials that connect you to inbound and outbound email servers are sent in clear text from your computer, over the local network, and Internet. , to your servers.
All e-mail messages you send or receive are also in clear text. This means that if you are surfing the Net on an unsecured or unencrypted network, such as using a Wi-Fi hotspot or public internet port, anyone with the right tools can capture the packets. network and read your account credentials and messages.
To better understand what a spy can see on an unprotected network, we sent an email (see Figure 1) and captured its raw data packets as it was received from the network’s mail server. recipient.
As shown in Figure 2, you can see the server connection information. We opened Outlook and clicked the Send / Receive button, which connected to our mail server (POP3) and downloaded the email waiting to be picked up and displayed it in our inbox. Figure 3 shows the body of the message we downloaded in Outlook, formed by the rearranged view created by the raw data capture tool.
If you are using a web-only mail service, such as Gmail, Yahoo Mail, or AOL Mail, you also have a client-server security issue. As we will see later, if you do not follow an important guideline when using webmail services, your messages and login information may also be compromised when you travel to and from your computer and their web / debit servers. messaging. .
Additionally, if you are using an email application in conjunction with your webmail service, you must ensure that you secure both web access and client application access.
You should also be concerned about compromising the security of the e-mail messages you send and any attachments they may contain once they have left your mail server. This concern applies whether it is a computer-based e-mail software application or web-based e-mail.
Even when using encrypted connections To your mail servers, the messages you send can still be in clear text when they reside to your mail server and when they let your server. For example, your messages may pass through other servers on the World Wide Web, as they travel to the recipient’s server, which may be insecure and monitored by hackers.
Additionally, the recipient cannot use encrypted connections to their servers. Therefore, Joe Hacker might intercept the message you sent containing your sensitive information when the recipient downloads your message from their incoming mail server.
Now that we know the top two email security issues, we can fix them, and information encryption is the solution. Even though Joe Hacker can extract network traffic from a wired network and intercept packets from Wi-Fi connections, everything is safe if account credentials and email messages are encrypted. Joe will only see a bunch of gibberish. mail servers
If you only access your email through a web browser, you just need to make sure that the connection is secure with Secure Sockets Layer (SSL) encryption, in order to combat the client-server issue. The web address must start with https rather than http, and you should see a padlock icon appear next to the address bar or on the status bar at the bottom of the browser.
If you are using a software application, such as Outlook or Thunderbird, for e-mailing, be sure to configure the server connection settings with SSL enabled (see Figure 4).
Instead of using the classic mail ports (110 for POP3 or 143 for IMAP4 and port 25 for SMTP), you must use port 995 for POP3 or 993 for IMAP4 on your incoming server and port 465 for your SMTP server outgoing. Your email provider should be able to provide documentation on exactly how to configure client applications.
However, using encrypted connections depends on whether they are supported by your email provider. If you find that your provider does not support SSL connections for email, you might want to find one that does. Many companies only provide an e-mail service, which supports secure connections.
If you have your own website, be sure to sign up for a service that provides branded email addresses, such as [email protected] Some services provide email addresses only from the domain of the host company, such as [email protected]
Here are a few secure email providers you might want to check out:
Encryption of your emails
As we will see later, we may use encryption utilities that follow the OpenPGP standard and digital certificates to encrypt sensitive emails we send and decrypt encrypted messages we receive. It is important to remember that both the sender and the recipient must use email software or a web service that supports encrypted emails.
To use email encryption, you create a public and private key using a utility or service. You give the public key to people who want to send you encrypted emails, which they upload to their email client. Since the public key can only encrypt messages, you can even post it on your website.
In fact, there are PGP directories where you can list your public key, so other people can find it easier. The private key is what you and you alone keep, which has the power to decrypt. You load it on your email client so that you can read messages encrypted with your corresponding private key. If you want to send someone encrypted emails, they need to send you their public key.
Here are a few companies that offer free email encryption keys: Thawte, Comodo, and Ascertia.
To take with
Remember that email security cannot be 100% guaranteed. While your message may be safe as it travels across networks and the Internet, you don’t know what will happen to email when it is on the recipient’s computer.
What if someone accesses or steals their computer and checks their old mail? Well, that’s a whole different story. Securing our conversations and digital data takes a team effort. Do what you can to help, starting with using secure email connections and, if necessary, using email encryption.
Eric Geier is the author of numerous books on networks and computing, notably All-in-one home networking desktop reference for dummies (Wiley 2008) and 100 things you should know about Microsoft Windows Vista (Quebec 2007). Article courtesy of SmallBusinessComputing.com.