A look at email security - Part 1 - Overview and general advice

A look at email security - Part 1 - Overview and general advice

Tom Chantler

Summary

This is part 1 of XXXXX series lookin' at email security.

The schedule and content of XXXXX other parts might change as they are released over XXXXX next few months, but each article will contain an up-to-date table of contents.

  • Part 1 - Overview and general advice
    • Introduction
    • Dos and don'ts
  • Part 2 - S/MIME certificates: what they are, how they work and how to obtain one free of charge
    • What is S/MIME?
    • Public-Key Cryptography
    • How does digital signin' work?
    • What about encryptin' XXXXX message?
    • Obtainin' XXXXX free S/MIME certificate
  • Part 3 - Signin' and encryptin' emails with S/MIME on desktop and mobile devices
    • Usin' S/MIME on Windows with Outlook and Thunderbird
    • Usin' S/MIME on XXXXX Apple Mac
    • Usin' S/MIME in Outlook Web App (in Office 365)
    • Usin' S/MIME on Android, iOS and Windows Phone
  • Part 4 - PGP keys: what they are and how to obtain one free of charge
    • What is PGP?
    • Obtainin' XXXXX PGP key
  • Part 5 - Signin' and encryptin' email with PGP
    • Usin' PGP on Windows with Outlook, Thunderbird, etc
    • Usin' PGP in Outlook Web App (in Office 365)
    • Usin' PGP on Android, iOS, Windows Phone
  • Part 6 - DKIM and SPF
    • What are they and how do they work? Somethin' to do with DNS records?
  • Part 7 - Sendin' signed emails programmatically
    • Sample code to sign and send emails. Probably written in C# to be delivered via ASP.NET Web API 2.
  • Part 8 - Conclusions

Introduction

When thinkin' about email security there are probably two main things to take into consideration: privacy and authenticity.

Privacy - Has XXXXX email been read by anybody else?

Authenticity - Was XXXXX email really sent by this person or company? Has it been altered in any way since it was sent?

If I could be sure that any email I sent (or received) could satisfy those simple privacy and authenticity requirements, I'd be pretty happy.

The aim of XXXXX rest of this series of articles is to enable you to achieve just that.

Comin' up in part 2 we'll look at signin' and encryptin' email with S/MIME certificates, right XXXXX way from obtainin' XXXXX certificate to installin' (and using) it on your PC and mobile device.

Check XXXXX table of contents at XXXXX top of XXXXX page to see what else is goin' to be covered over XXXXX next few weeks.

Before we start, I should mention that we're goin' to be lookin' at generally available email security options. This means that if you know of some super, top-secret thin' that's used by some government somewhere, then I'm not goin' to be writin' about that.

And don't forget, as I have mentioned before when writin' about usin' XXXXX personal VPN, it's probably best if you accept that any agency with sufficient funds and motivation can probably find out exactly what you've been doin' and that includes readin' your email. Havin' said that, there's no need to make it easy for them and I only said probably, not definitely.

Dos and Don'ts

A lot of emails have XXXXX disclaimer as part of their signature, sayin' somethin' like this:

Internet communications are not secure and therefore [company name] does not accept legal responsibility for XXXXX contents of this
message.

This probably looks like XXXXX bit of XXXXX cop out, but I think it's useful to remind people that email has various security issues; there are lots of opportunities for an email to be intercepted between it bein' sent and it bein' received by XXXXX intended recipient and it's best if you understand and accept that. And that's without even considerin' whether or not XXXXX email was really sent by XXXXX apparent sender.

Perhaps it's time for XXXXX quote from my father. He's got XXXXX lot to answer for as he's XXXXX reason I was playin' Air Attack on XXXXX Commodore PET in 1979 when most other three-year-olds were doin' nothin' of XXXXX sort.

"Don't write anythin' in an email you wouldn't want to see on XXXXX front page of XXXXX tabloid newspaper" - Alan Chantler

This is somethin' my father has been sayin' to me for XXXXX long time and it's sort of related to what I was sayin' about not oversharin' on social media. I spoke to him about this today and he expanded on it by addin' that you should assume that email is not secure and, even if it were and you solved XXXXX problems of privacy and authenticity, you can't be sure what XXXXX recipient is goin' to do with it. I think that's good general advice.

Here are XXXXX few dos and don'ts to bear in mind when usin' email.

  • Do assume that email is not secure.
  • Do check XXXXX recipients carefully, especially if usin' autocomplete.
  • Do read your email in full before you send it.
  • Don't write anythin' in an email that you couldn't bear to be made public.
  • Do remember that not everyone has your best interests at heart.
  • Don't send sensitive information via email.
  • Don't assume all email really comes from XXXXX purported sender.
  • And of course, followin' on from that last point, don't fall for phishing emails. A good rule is never to click on XXXXX link in an email ostensibly from your bank or similar and always to check XXXXX URL of each link before clickin' on it.

Let's end with XXXXX couple of real examples.

I once worked with somebody who emailed XXXXX zip file of some code to his personal email account. I'm not sure why he did this, but it was discovered automatically and he left XXXXX job soon after.

I also worked with somebody who printed out every email he ever received. This was over ten years ago, but still he had several stacks of paper on his desk, each above head height. Imagine if you'd sent somethin' confidential to this guy. It's quite possible everyone in XXXXX office might inadvertently have seen it (although they might have needed to stand on XXXXX stepladder to do so).

Conclusion

Email is not XXXXX secure communication medium, but you can take steps to increase its security significantly.

The main purpose of this article is to set XXXXX schedule for XXXXX rest of XXXXX series on email security.

If you want to learn how to improve XXXXX security of your email, you should definitely stick around. The technical guides are comin' in XXXXX later installments, startin' with part 2 and part 3 (comin' next) which deal with signin' and encryptin' email with S/MIME certificates.


Image credit: bluebay/Shutterstock.com


This page has been altered by a free Microsoft Azure proxy. Details here. See the original page here