With privacy and confidential electronic information being a hot topic, we decided to post an article which will be both useful and interesting to those who have a little inclination towards data security.
Why should you encrypt emails?
Your emails contain very important records of your life and may also contain traces or indications of various events. Email is so commonly used, and so commonly misunderstood, that we thought it necessary to focus on the security aspect of it. Even though you may have "nothing to hide", there is no reason why you should want a total stranger to have any information about you. Although you may feel that your email content is innocent or innocuous, it may be of great value to someone wishing you ill or with malicious intentions. Even if you are not the target of a terrorist group, you may become easy prey for a script kiddie who just wants to be a nuisance.
Is my regular email hosting encrypted?
The short answer is No. You must remember that all email is stored in an unencrypted plain text format, which can be easily read or intercepted by someone tapping the medium through which it flows. This means that when you reset a password and your password is automatically sent to you by some website, the email is received and stored in plain text. Any person with access to the hard disk where the email resides can simply open the email file and read the contents. This is true for almost all email services online. Unless you have specifically encrypted your emails using a key pair, they are not encrypted and can be easily tapped into.
But I'm using an https:// URL in the address bar. Doesn't that help?
Not really. The https:// URL only encrypts the login name and password used to access your email account. It only secures the login session of your account, so that the connection from your computer to your sending server is secure. This could be useful in preventing other people on a public Wi-Fi connection from seeing what password you used to log in to your mail server.
Once your mail is sent from your machine to the mail server, unless specifically encrypted, the mail server sends the mail to the recipient server in plain text. Similarly, when the mail is passed from server to server, it is usually sent in plain text only. Any leak in the middle could lead to your data being compromised.
Encryption
To encrypt the message, the sender needs to use a public/private key pair, which acts like a lock and key. The sender must first generate this key pair, using software such as PGP or GPG. The key pair is a unique set: the public key matches only one private key. The public key can be given to anyone and is like a one-way key which only does the work of "locking" or encrypting the email. The private key is a secret key which should be kept confidential and can only be used one way, i.e., to "unlock" or decrypt the email message.
Sending encrypted email
If you want to send someone an encrypted email, you need to have their public key. If you want someone to send you an encrypted email, you need to send them your public key. The exchange of keys must also be done in a confidential or pre-arranged manner, so that you know that you are receiving the correct person's key.
Once the email is encrypted with the public key, no one who intercepts it can read it. Even if they do get hold of your email, they will only see garbled text, since it is encrypted. To read the mail, the recipient must "unlock" or decrypt it using the private key corresponding to the public key that was used to lock it.
Most email clients provide support for encrypting email. Once you encrypt your emails from your email client, no one in between can retrieve the contents of the email without the private key.
If you believe that your private key has been stolen or leaked, you can revoke your current key pair and create a new one, whose public key must again be shared with anyone who sends to you.
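The key-pair, public-key exchange, encrypt and decrypt steps described above, as an added example that is not code from the original post: it runs the gpg command line in two throwaway keyrings so nothing touches your real keys. The names, e-mail addresses, directory layout and the message are constructed for the demo; Alice is the recipient and Bob the sender.

```shell
# Added example (not from the original post): a two-party PGP exchange with gpg.
# Everything here lives under a temporary directory that is deleted at the end.
set -eu

WORK=$(mktemp -d)
ALICE_HOME="$WORK/alice"      # constructed: Alice is the recipient
BOB_HOME="$WORK/bob"          # constructed: Bob is the sender
ALICE_UID="alice@example.com" # constructed address used as the key's user id
PLAINTEXT="Password reset token: constructed-demo-value-123"
mkdir -p "$ALICE_HOME" "$BOB_HOME"
chmod 700 "$ALICE_HOME" "$BOB_HOME"   # gpg warns on keyrings others can read

# Step 1 (Encryption): each party generates a key pair. A real key gets a
# passphrase; %no-protection is only here so the demo runs unattended.
gen_key() {   # $1 = keyring dir, $2 = real name, $3 = e-mail
    gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}
gen_key "$ALICE_HOME" "Alice" "$ALICE_UID"
gen_key "$BOB_HOME" "Bob" "bob@example.com"

# Step 2 (Sending encrypted email): Alice exports only her PUBLIC key and gives
# it to Bob; the private key never leaves her keyring.
gpg --homedir "$ALICE_HOME" --batch --armor --export "$ALICE_UID" > "$WORK/alice.pub"
gpg --homedir "$BOB_HOME" --batch --quiet --import "$WORK/alice.pub" 2>/dev/null

# Step 3: the "pre-arranged manner" check. Bob compares the fingerprint of the
# key he imported with the one Alice reads to him over a channel he trusts.
fingerprint() {   # $1 = keyring dir, $2 = user id; prints the primary key fpr
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}
ALICE_FPR=$(fingerprint "$ALICE_HOME" "$ALICE_UID")
BOB_FPR=$(fingerprint "$BOB_HOME" "$ALICE_UID")
if [ "$ALICE_FPR" = "$BOB_FPR" ]; then FPR_MATCH=yes; else FPR_MATCH=no; fi

# Step 4: Bob "locks" the message with Alice's public key. --trust-model always
# stands in for the fingerprint check he just did, so batch mode does not ask.
printf '%s\n' "$PLAINTEXT" | gpg --homedir "$BOB_HOME" --batch --quiet \
    --trust-model always --armor --recipient "$ALICE_UID" --encrypt \
    > "$WORK/msg.asc"

# What a relaying server or an eavesdropper sees: an armored blob, not the text.
if grep -q 'BEGIN PGP MESSAGE' "$WORK/msg.asc" \
   && ! grep -q 'reset token' "$WORK/msg.asc"; then
    CIPHERTEXT_OPAQUE=yes
else
    CIPHERTEXT_OPAQUE=no
fi

# Step 5: only Alice's private key "unlocks" it.
DECRYPTED=$(gpg --homedir "$ALICE_HOME" --batch --quiet --decrypt "$WORK/msg.asc" 2>/dev/null)

# Bob holds the ciphertext and Alice's public key but not her private key,
# so his own keyring cannot decrypt what he just sent.
if gpg --homedir "$BOB_HOME" --batch --quiet --decrypt "$WORK/msg.asc" >/dev/null 2>&1; then
    BOB_CAN_READ=yes
else
    BOB_CAN_READ=no
fi

echo "fingerprints match: $FPR_MATCH"
echo "ciphertext opaque in transit: $CIPHERTEXT_OPAQUE"
echo "Alice reads: $DECRYPTED"
echo "Bob can read his own ciphertext: $BOB_CAN_READ"

# Stop the per-keyring agents gpg started and remove the throwaway keys.
for h in "$ALICE_HOME" "$BOB_HOME"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
done
rm -rf "$WORK"
```

The revocation step is not scripted here: when gpg 2.1 or later generates a key it also writes a revocation certificate into the keyring's openpgp-revocs.d directory, and importing that certificate (after removing its leading guard colon) and redistributing the key is how the key is marked revoked. Keep that certificate somewhere safe and offline, because anyone holding it can revoke your key.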