Is Email Secure?

Posted May 12, 2009 6:10 am by with 6 comments

This is actually a very easy question to answer: No. And it never has been. But don’t freak out about it. More on that in a moment.

When I say that email isn’t secure, I’m not referring to the username/password you use to access your account. That’s a local level of security. Email isn’t secure because the vast majority of it is transferred from sender to recipient using nothing but plain unencrypted text. It’s the transport method where the insecurity happens.

Any message sent across the internet unencrypted can be intercepted and read easily because there’s nothing to decode.

In addition, the routing process of each mail you send hops across so many servers that any number of people could intercept your mail.

Side note: If you want to examine exactly how many hops it takes to get from you to a particular server on the internet, you can do so using the traceroute function.

In Windows: Start / Run / type cmd / press Enter

If you want to know how many hops it takes to get to mail.yahoo.com, type tracert mail.yahoo.com and press Enter once at the command prompt. It will take a few seconds to show all the hops.
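
The mail servers a message actually passed through are recorded in the Received headers of the raw message. As an added example (not from the original post; the hosts and addresses in the sample are constructed), this Python script lists those hops oldest-first and flags the ones where the receiving server did not report a TLS-protected transfer, using the RFC 3848 protocol keywords such as ESMTPS.

```python
import re
from email import message_from_string

# Constructed sample message: hosts, ids and addresses are made up.
RAW_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.20])
\tby mailstore.recipient.example with LMTP id c3; Tue, 12 May 2009 06:10:09 -0400
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id b2; Tue, 12 May 2009 06:10:07 -0400
Received: from desktop.home.example (unknown [192.0.2.15])
\tby relay.isp.example with ESMTPSA id a1; Tue, 12 May 2009 06:10:03 -0400
From: alice@sender.example
To: bob@recipient.example
Subject: lunch

See you at noon.
"""

HOP_RE = re.compile(
    r"from\s+(?P<sender>\S+).*?\bby\s+(?P<receiver>\S+).*?\bwith\s+(?P<proto>\w+)",
    re.S,
)
# RFC 3848 keywords: a trailing S (ESMTPS, ESMTPSA, LMTPS, ...) means STARTTLS was used.
TLS_PROTO = re.compile(r"^(UTF8)?(E?SMTP|LMTP)SA?$")


def mail_hops(raw):
    """Return the hops oldest-first as dicts: sender, receiver, proto, tls."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own header, so the raw order is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue  # header without the from/by/with clauses
        proto = m.group("proto").upper()
        hops.append({"sender": m.group("sender"), "receiver": m.group("receiver"),
                     "proto": proto, "tls": bool(TLS_PROTO.match(proto))})
    return hops


def plaintext_hops(raw):
    """Hops whose receiving server reported no TLS for the transfer."""
    return [h for h in mail_hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in mail_hops(RAW_MESSAGE):
        state = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f'{hop["sender"]} -> {hop["receiver"]} ({hop["proto"]}): {state}')
```

Each header is only as trustworthy as the server that wrote it, and some servers note TLS only in a free-text comment that this keyword check does not read.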

Should you be concerned now, knowing that email is so insecure?

Not really.

You have to remember that each email you send or receive is one of countless millions transferred every day on the internet. The likelihood of your mails being intercepted is extremely slim at best.

There have been those who have tried to make email more secure.

The only method of secure email that has had some limited success is the use of digital signatures.

Using the Microsoft way, Outlook Express and the newer Windows Live Mail can use what’s called a "Digital ID". In Windows Live Mail this is found via Tools / Safety Options / Security tab, then look under the heading "Secure Mail".

Clicking "Get Digital ID" brings you to Microsoft Offline Online, because these IDs are tied to not only email but MS Office products as well.

Oh, and by the way, Digital IDs are not free.

Using the free method, you can use PGP. It is a pain to use. The only email client I’ve ever seen do it right is Mozilla Thunderbird outfitted with Enigmail.

On the Enigmail home page, it states under the "What do I need?" section:

You need a supported email client, the GNU Privacy Guard (GnuPG), and a little patience.

Even they know it’s a pain to set up. And yes, I can vouch for this because I actually tried it out once for a few weeks. Sure, it works fine once everything is set up properly, but it’s certainly not a 1-2-3 easy process.

"Are you saying the mail has to be tied to an email client in order to use these secure features?"

No. There is Hushmail. Email from that particular system is encrypted and freely available. It is the only one I know of that has encryption, is web-based and free.

However, you have to bear in mind that even though your mail is encrypted, your recipients are most likely still using plain text.

In the end, email is insecure no matter how much you try to make it secure. But don’t lose any sleep over it.

6 responses to Is Email Secure?

  1. SAP May 12th, 2009 at 8:50 am

    Traceroute shows the path taken by ICMP packets from source to target host.

    This is unlikely to be exactly the same as the route taken by mail, which is sent using a store and forward mechanism. Each mail server is supposed to add a header showing when it received the e-mail and where it sent it; these can be seen by looking at the raw mail message.

    I think you would need to use a traceroute for each segment of the chain in order to see all the servers that the mail travelled through, but even that will not be 100% accurate as the routing changes dynamically.

    Also, digital signatures do not prevent e-mail contents from being read, they only provide some assurance that the e-mail contents have not been altered. This assumes that the recipient is able to check the signed e-mail against the sender’s key, and that the recipient can independently establish the validity of the sender’s key.

  2. Doctor Gonzo May 12th, 2009 at 9:36 am

    I’ve used Enigmail with Thunderbird, but since I don’t use an email client anymore that option is no longer available. However, there is a solution: a combination of GnuPG and Windows Privacy Tray (WinPT). With this combo, you can copy your email text to the clipboard, then encrypt/sign it by just clicking on an icon in the system tray (or using hotkeys). It’s not as hassle-free as Enigmail, but it’s still pretty easy to use.

    • Rich Menga May 12th, 2009 at 1:15 pm

      The WinPT method, while not exactly elegant (grin), does at least overcome being strapped to a client or a particular mail service. Good call.

  3. MartYn May 12th, 2009 at 6:58 pm

    What does “Clicking “Get Digital ID” brings you to Microsoft Offline Online” mean?

  4. opolis secure mail August 14th, 2010 at 7:54 am

    is email secure?
    well, try out opolis secure mail (http://www.opolis.eu): entirely point-to-point encrypted, and the sender decides (!) what the recipient is allowed to do with an email (copy, print, forward) – so, no forwarding or copying without consent of the sender! …. secure? – yeah! …
