email security

ricky31415

Does anyone think standard email transfer is secure?
If you wanted to, how could you make it more secure if possible?

Webmaster

As mostly with things like this, it's not a matter of opinion. Standard email simply isn't safe, unless send over a secure medium of course. Read my Security+ TechNotes about Email Security for more information:
www.techexams.net/technotes/securityplus/emailsecurity.shtml

JDMurray

Most file and data transfers performed over the public Internet, including email, Web browsing, FTP, and P2P file sharing are all performed "in the clear" and are therefore insecure.

If you want to send email securely over the public Internet, your best and cheapest solution is to encrypt the contents of the email messages using PGP. The receiver of the email would then decrypt the contents also using PGP. You would also not need to share a common password with the people you are emailing. Using an encrypted tunnel solution, such as a VPN, is not a practical solution for general email service.

jmc724

same answer as JD, you can use third pary s/w to do the encryption/decryption eg. Entrust.

Webmaster

I wasn't suggesting using a VPN, even though a remote access vpn for checking email in a corporate network, or exchanging email over an IPsec protected connection between servers at branch offices, is very practical as well as common. However, I was merely stating that even standard email (as in smtp, pop3, just as telnet, ftp, and other clear text protocols) can be secure when used over a secure medium. Also, PGP, and S/MIME, the two main methods for protecting email, is exactly what's in those TechNotes.

JDMurray

People often think that because the connection between their Web browser and email service is via HTTPS, such as with gmail, that their email is completely hidden from all eyes but the receiver's. This just isn't the case. The same is true with checking your corporate email over a VPN. Only the link between your client computer and the corporate email server is secure. The email may have been public before it reached the server, so no real security there either.

Webmaster

A VPN can of course not guarantee security for information that has also been transmitted over a public network prior to entering the VPN (or stored unsecure before or after being transmitted). That doesn't make a VPN less practical or less common for protecting email traffic (again, I wasn't and am not suggesting a VPN to protect email in particular), just means it doesn't provide end-to-end security between the sender and the receiver. But for the VPN part itself, the security is very real. And as for those 'people', those are 'users' right? I doubt many IT pros think they have secure mail using a web browser+https connection to access a web interface on some gmail server, as they don't know of the sender's means of sending email.

keatron

This is a very good discussion. I'll add a few things. First off we always have to consider relativity when having discussions like this. When someone asks me if something is secure, I often ask the question "relative to what?".

Johan made a good point by brining up the fact that a "layer" of security in fact does exist when communicating per VPN's (and of course this depends on the security of that infrastructure). It's kinda like saying that transporting $200,000 in laundry bags is ont secure, but it is made more secure if the person carrying the money is an armed armored truck worker, backed up by 6 other officers. money is being transported by an armored truck company. So in my opinion