Friday, August 14, 2015

Email Security - Encryption - Part 1

Email Security and Privacy

Introduction

We have seen communication over the internet expand over the last 20 years. Once it was just the realm of those in academia and science; today nearly everyone uses the internet regularly to communicate with others. Along with this rise in popularity has come a heightened concern for privacy and security. People (and businesses) want to be able to communicate without fearing hackers or even their own government. From all the clamor about how social media sites use our content and messages, and about how various laws affect what the government can access with or without a warrant, you might think there are no safeguards available against perceived or real threats to our privacy. Fortunately, that perception is without merit.

Encryption

The perception is without merit because it is possible, using encryption, to secure your email so that only the intended recipient(s) can read it. Better news is that this is easier to accomplish than you might believe. There are two types of encryption that can be used, symmetric and asymmetric. The details of these are beyond the scope of this blog, but for more information please visit http://resources.infosecinstitute.com/symmetric-asymmetric-encryption/. Here we are going to focus on asymmetric encryption and on using it to send and receive email securely.

SSL (S/MIME) and PGP (or GnuPG)

There are two main methods to send and receive secure email. Most modern email clients (Outlook, Thunderbird, Evolution, etc.) natively support one or both. You don't need to understand the technology beneath these two systems, only how they differ with respect to setting up and using your email client.

SSL (S/MIME)

When an email client uses SSL to secure messages, the method is called S/MIME. This encryption (and electronic signing) works very much like the encryption of web sites that use HTTPS. The certificates used are commonly purchased from a known vendor of SSL certificates; examples of these companies are Thawte, Digicert, and Verisign. A source of free SSL certificates is CAcert, but its root certificates are not usually included in the bundles that come with operating systems and software, so recipients have to import them before your certificate is trusted. If desired (especially for testing), those of you who are more technical could create your own certificates using OpenSSL.
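As an added example (not code from the original post), the script below walks through the self-made certificate route mentioned above and, at the same time, shows the asymmetric property the Encryption section relies on: it builds a throwaway test CA with OpenSSL, issues an S/MIME certificate for a made-up recipient, encrypts a message to that certificate, decrypts it with the matching private key, and confirms that an unrelated key cannot open it. The CA name, the recipient identity "alice@example.test", the scratch directory and the message text are all constructed for the demo; the `openssl req`, `x509`, `verify` and `smime` commands are standard OpenSSL.

```shell
#!/bin/sh
# Added example, not the original post's code: a throwaway S/MIME setup with OpenSSL.
# Builds a self-signed test CA, issues a certificate for a constructed recipient,
# encrypts a message to that certificate and decrypts it with the matching key.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping" >&2; exit 0; }

WORK="${SMIME_DEMO_DIR:-$(mktemp -d)}"   # scratch directory for keys and certificates

# 1. Test CA plus a recipient certificate signed by it.
make_test_certs() {
  # Self-signed CA (test use only). Mail clients will not trust it until
  # ca.crt is imported explicitly, just as with CAcert's roots.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # Recipient key pair and certificate request (constructed identity).
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null

  # Extensions that mark the certificate for email protection.
  printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.test\n' \
    > "$WORK/smime.ext"
  openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/smime.ext" \
    -out "$WORK/alice.crt" 2>/dev/null
}

# 2. Chain check: succeeds only because ca.crt is trusted explicitly here.
verify_recipient_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/alice.crt" >/dev/null 2>&1
}

# 3. Encrypt a file to Alice's public key (her certificate). Anyone can do this.
smime_encrypt() {   # $1 plaintext file, $2 output S/MIME message
  openssl smime -encrypt -binary -aes256 -in "$1" -out "$2" "$WORK/alice.crt"
}

# 4. Decrypt with Alice's private key; prints the plaintext.
smime_decrypt() {   # $1 S/MIME message
  openssl smime -decrypt -binary -in "$1" -recip "$WORK/alice.crt" -inkey "$WORK/alice.key"
}

# 5. The asymmetric point: a key other than Alice's cannot open the message.
wrong_key_is_rejected() {   # $1 S/MIME message; returns 0 when decryption fails
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  if openssl smime -decrypt -in "$1" -inkey "$WORK/other.key" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

demo() {
  make_test_certs
  verify_recipient_cert && echo "alice.crt chains to the test CA"
  printf 'Meet at noon.\n' > "$WORK/msg.txt"      # constructed message
  smime_encrypt "$WORK/msg.txt" "$WORK/msg.p7m"
  echo "decrypted: $(smime_decrypt "$WORK/msg.p7m")"
  wrong_key_is_rejected "$WORK/msg.p7m" && echo "unrelated key rejected, as expected"
}

demo
```

`-binary` keeps OpenSSL from rewriting line endings into the CRLF form S/MIME uses on the wire, so the decrypted bytes match the input exactly; a real mail client does that canonicalization itself. Importing `alice.crt` into a client's address book is what lets it encrypt to Alice, and importing `ca.crt` as a trusted root is what stops the "untrusted certificate" warning that the CAcert paragraph above describes.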

PGP (or GnuPG)

PGP stands for Pretty Good Privacy. First written and released as freeware in 1991, originally to securely store messages and files on bulletin board systems (BBS), it has since been commercialized and is now part of Symantec. Some older versions of PGP can be found at http://www.pgpi.org/. The most common current open-source derivative is GnuPG, or GNU Privacy Guard.

Summary

We will start getting into the details of using these technologies to secure email communications in part 2 of this series. For now, please take some time to visit some of the links posted above to learn more. Feel free to post comments or questions.

Thank you.
