5 Tips How To Secure Email

We begin a series of articles on protecting and hacking e-mail. There will be three parts.

  • In the first article, we’ll look at advanced algorithms, tools, and techniques for secure e-mail.
  • The second will examine methods of hacking e-mail, and
  • In the third article, we will tell you about a new e-mail protection product, CyberSafe Mail Encryption, which is currently still under development.

Email security tools

Next, we consider the various means of protecting e-mail and list the advantages and disadvantages of each.

PGP

Let’s start with a classic of the genre. I think everyone has heard of PGP: even those who do not use it know that it exists. For anyone who wants background on PGP, we recommend the excellent article “Introduction to public-key cryptography and PGP.” It describes the basics of public-key cryptography and explains what PGP is.

Let’s look at the pros and cons of PGP or, to be precise, of the PGP Desktop program from Symantec. If we set aside all the other features of PGP Desktop and consider only e-mail protection, there are not many advantages compared to other solutions: mainly the key server keyserver.pgp.com, which users can use for key exchange. Users no longer need to publish their public keys on a website or hand them personally to each recipient.

A distinctive feature of the program is its e-mail protection method: it intercepts the mail client’s traffic at the driver level. The program detects mail client traffic, encrypts outgoing messages, and automatically decrypts incoming ones. At first glance, this method of protection is very convenient. You do not need to configure each e-mail client separately, and the interception method works with any mail client. You don’t need to know how to set up each client if you want to, for example, switch from Outlook to The Bat!

You do not need to configure the clients, but you do need to configure PGP Desktop for each mailbox you use: specify the e-mail addresses, the SMTP/POP/IMAP servers, and so on. Of course, you also need to configure the encryption keys. None of this is easy for a novice user.


PGP Desktop has detected a message

This is also the source of the program’s main drawback: messages that have already been decrypted are left unprotected on the client. Anyone who starts the e-mail client, which is not protected in any way, can read the correspondence. If an attacker intercepts the traffic, he cannot read your messages, but if he gets hold of your hard drive, everything is open. Of course, the program also supports creating virtual containers and encrypting physical disks. You can keep the mail client’s message database in a virtual container or on an encrypted drive, and then the attacker will fail. But here we are talking purely about e-mail protection, without any additional tools.

There is another, no less important shortcoming. If PGP Desktop was not running and the mail client has already received messages, they will remain undecrypted, and it is unclear how to decrypt them afterwards. Symantec could not fail to foresee this and developed a special plugin for the Outlook mail client, called Outlook Addin. There are just two issues: only the lazy have not written about this plugin’s “bugs,” and what should users do who have, say, Thunderbird rather than Outlook?

S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for encrypting and signing e-mail using public-key cryptography. The principle of protection is as follows. The user generates a key pair (public/private), configures the mail client, and provides the public key to correspondents. They encrypt their messages with that public key, and the messages can only be decrypted with the private key. In other words, S/MIME lets you implement the standard asymmetric scheme with all its advantages and disadvantages.

The advantages of this method include the following:

  • S/MIME is supported by most e-mail clients, including mobile clients (for example, MailDroid);
  • Messages in your mail client stay encrypted until you decrypt them. To decrypt, you need to enter the password that was specified when the key pair was created.
  • None of the decryption problems seen with PGP Desktop. Because decryption is done by the mail client rather than a third-party program, a message can be decrypted at any convenient time.
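
The at-rest property in the second point can be checked on a mail store. The following Python code is an added example, not part of the original article: it classifies stored messages by their MIME structure (S/MIME encrypted, signed only, PGP encrypted, or plaintext) and lists those whose bodies can be read from disk without any key. The file names and message contents are constructed samples.

```python
from email import message_from_bytes

ENCRYPTED_SMIME = {"enveloped-data", "authenveloped-data"}  # RFC 8551 smime-type values
READABLE = {"plaintext", "smime-signed-only"}  # body can be read from disk without a key
PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def classify(raw: bytes) -> str:
    """Classify one stored message by how its body is protected at rest."""
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol") or "").lower()
    if ctype in PKCS7_MIME:
        kind = str(msg.get_param("smime-type") or "").lower()
        if kind in ENCRYPTED_SMIME:
            return "smime-encrypted"
        return "smime-signed-only" if kind == "signed-data" else "smime-other"
    if ctype == "multipart/signed" and "pkcs7-signature" in protocol:
        return "smime-signed-only"  # detached signature: the body is still in clear
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-mime-encrypted"
    for part in msg.walk():  # fall back to looking for inline ASCII-armored PGP
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in body:
                return "pgp-inline-encrypted"
    return "plaintext"


def readable_at_rest(store: dict) -> list:
    """Names of stored messages whose body needs no key to read."""
    return sorted(name for name, raw in store.items() if classify(raw) in READABLE)


# Constructed samples; "AAAA" and "placeholder" stand in for real ciphertext.
SAMPLES = {
    "smime.eml": b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
                 b" name=smime.p7m\nContent-Transfer-Encoding: base64\n\nAAAA\n",
    "signed.eml": b'Content-Type: multipart/signed; boundary="b1";'
                  b' protocol="application/pkcs7-signature"\n\n--b1\n'
                  b"Content-Type: text/plain\n\nInvoice attached.\n--b1\n"
                  b"Content-Type: application/pkcs7-signature\n\nAAAA\n--b1--\n",
    "pgp-inline.eml": b"Content-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\n\n"
                      b"placeholder\n-----END PGP MESSAGE-----\n",
    "stored-decrypted.eml": b"Content-Type: text/plain\n\nThe contract is signed.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} {classify(raw)}")
    print("readable at rest:", readable_at_rest(SAMPLES))
```

A signed-only message counts as readable because a signature protects integrity, not confidentiality.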

Of course, there are some disadvantages:

  • The biggest problem with S/MIME is which program to use to generate the certificate;
  • You will need to provide your public key to each recipient. Of course, this can be eased somewhat with a key server; we’ll talk about that a little later;
  • Difficulty of configuration. S/MIME requires separate settings for each mail client. For example, if you use Outlook at the office, The Bat! at home, and MailDroid on your mobile phone, you need to know how to configure all of these clients. This requires above-average user skills;
  • Difficulty in changing the key, especially if users have little understanding of what they are doing.

If you use a dedicated program to create and manage user certificates, such as CyberSafe Top Secret, the first two disadvantages no longer apply: you can set up your key and publish it on the key server. The program also lets you search for keys published by other users.

Creating a certificate in CyberSafe Top Secret

In fact, the only real drawback of S/MIME is the need to configure each e-mail client manually. In an enterprise, you can customize the Outlook address book and everything becomes much simpler (assuming that Outlook is used). If you are an end user and use encryption for personal purposes, you have to configure certificates in each e-mail client that you use. Another article explains how to set up encryption in Outlook.

Secure mail services. HushMail

It used to be thought that it was enough to “get” a mailbox on a protected mail service such as GMail.com, and that this measure would be sufficient to keep e-mail safe. However, in 2013 Google stated that it no longer guarantees the safety of your data. This statement shocked many users of the service and made them look for either encryption tools or secure services. The advantage of the latter is obvious: you do not need to configure anything. Just get yourself a secure mailbox and use it as usual.

The HushMail site even shows a threat matrix that lets you determine what HushMail can protect against and what it cannot. The site says that the service helps against interception of your Internet connection, against unauthorized content analysis of your data, and against government surveillance programs. The last of these deserves a closer look: it is well known that HushMail handed over decrypted messages of some of its users to the police, in a drug smuggling case. The point is not the transfer of data as such (naturally, nobody wants to shelter criminals) but the fact that the data could be decrypted at all.

The HushMail threat matrix

HushMail was once famous for being the only cryptographic service where all cryptographic operations were at first performed on the client side, in a Java applet. The key pair was generated in the same applet, and only users’ encrypted messages were stored on the server, which ruled out access to users’ private keys. The applet was even checked for backdoors, and none were found. But the transfer of users’ correspondence is a fact nonetheless.

  • Later, HushMail turned into an ordinary mail service with SSL support, albeit also with OpenPGP support; however, all cryptographic operations are now performed on the server. That is why we do not recommend using such services: you never know what is going on “on the other side.”

By the way, HushMail has two interface options: the new one and the “original” one. The original version of the interface has a Hushtools menu item, which opens a window of the same name that provides key management tools. In the “new” version of the interface, it is not clear at all how to manage keys and encryption; there HushMail looks like a regular e-mail service such as Gmail.com.

The original HushMail interface

Browser plugin PGP Mail

This plugin allows the use of asymmetric encryption (that is, encryption with public/private keys) on the client side. You can read about the plugin’s capabilities on its official website.

Just four features are worth mentioning:

  • Supported browsers: Firefox, Chrome, Opera, Safari;
  • We recommend that you use Firefox because encryption functions in Firefox work faster than in Chrome or Opera;
  • It is recommended that you use TOR;
  • Encryption is performed on the client side.

The fact that encryption is done on the client side is the only advantage of this plugin. The recommendation to use TOR, however, can make getting started with the plugin harder for inexperienced users. Yet it is precisely for such users that the plugin was created, since more skilled users use PGP or S/MIME.
The dependence on the browser is not good either. What if the user uses Edge? That browser, despite the popularity of Chrome and Firefox, is still fairly popular simply because it is Microsoft’s “house” browser.

Browser plugin SecureGmail

Unlike PGP Mail, the SecureGmail plugin offers symmetric encryption: every secret message is encrypted with a password that both the sender and the receiver must know. Such an encryption system can be used only when there is full trust between all its participants. Besides, as the number of participants grows, the number of keys has to grow too. You can, of course, encrypt all messages with one password known to all the addressees, but that is not correct. It is better to create a separate key (password) for each recipient. When there are three of them, this causes no particular problems. But when you need to send e-mail to hundreds of recipients, how do you memorize all the keys? This encryption system is therefore useful when exchanging e-mail with a small group of addressees.

The SecureGmail plugin works only with the Chrome browser; it does not support other browsers.

SecureGmail Plugin

Browser plugin Encrypted Communication

The Encrypted Communication plugin is similar in functionality to SecureGmail, but it works only in Firefox; other browsers are not supported.

We have already discussed the shortcomings of symmetric encryption systems, so we will not repeat them. If you exchange sensitive information with one or two users, such plugins still justify their existence. Otherwise, it is better to use an asymmetric system.

The Encrypted Communication plugin

The advantage of such plugins is ease of use. You don’t need to understand asymmetric encryption (the concept of a public/private key pair can seem daunting to beginners), and you don’t need to fuss with keys or back them up. You just need to remember a password and, preferably, pass it to your friends in such a way that an attacker cannot intercept it.

Mail client plugin Enigmail

As with browsers, there are also encryption plug-ins for mail clients. One of them is Enigmail.

This solution has no particular advantages, because you still have to install and configure additional software, the GnuPG program. Once everything is configured, the plugin can be said to be easy to use.

  • The disadvantage is that you still have to delve into the asymmetric encryption system and understand what public and private keys are and what each of them is used for. However, this is a drawback of all methods that use asymmetric cryptography. The choice is either security and knowledge, or ignorance and symmetric encryption.

What happens if an attacker learns the password to your mailbox? Because the messages are stored on the server in encrypted form, nothing bad happens: the most he can read is spam (there is no escaping it) and other unimportant correspondence that you did not encrypt.

And what happens if an attacker compromises or monitors the Web server itself? PGP Desktop, a tool in which encryption occurs on the client side, protects you from this trouble, because the data leaves the user’s computer already encrypted. With HushMail it is different: SSL does protect against eavesdropping, but “inside” it the data is transmitted in plaintext until encryption takes place on the server itself. The Web server therefore has full access to the data. This answers the question of how the HushMail administration was able to provide access to correspondence in court proceedings.

  • When PGP Desktop is used, messages are stored in unencrypted form after decryption. Therefore, if someone gains access to your computer after you have read your e-mail, or gets hold of your hard disk, PGP Desktop will help you little. Of course, if PGP Desktop was not running when a message arrived, there was nothing to decrypt it, so that information remains secret. That is why PGP Desktop has the value Yes/No for the last threat in Table 2. As for HushMail, you don’t need to worry about these threats: messages are encrypted on the server.

But both tools are vulnerable to a keylogger. If an attacker intercepts your passwords (in particular, those for certificates), nothing will help you, except perhaps using tokens instead of passwords.
All the other tools use encryption on the client side, so neither interception nor access to your mailbox is a threat to them: the messages are encrypted. The only thing that poses a threat to these tools is interception of keyboard input. An attacker could get access not only to your passwords but also to the plain text that you type into the message body before it is encrypted. By the way, an important remark about S/MIME is needed here, namely why, when S/MIME is used correctly, even a keylogger may not help the attacker. If the key is added to the store as non-exportable (which, by the way, is what CyberSafe Top Secret does), the attacker gets nothing. That is why, at the moment, S/MIME can be considered the most reliable way to protect your e-mail.

Conclusions

The easiest way to protect e-mail is to use symmetric encryption. To implement it, you can use the browser plug-ins SecureGmail and Encrypted Communication, or do without them altogether and use programs that create password-protected archives (for example, WinRAR or 7-Zip). The idea is simple: you put the message and any attachments into a password-protected archive and send it to the other person, who, knowing the password, opens the archive. This is the easiest method to implement but not a very convenient one to use: creating an archive for every new message is rather tedious.
A more reliable system is asymmetric encryption. It can be implemented in many very different ways. You can use the S/MIME standard (which allows the use of asymmetric cryptography even on mobile devices), or you can use PGP and derivative products (OpenPGP, PGP Mail, GnuPG).

  • Ideally, we recommend using the S/MIME standard as the most reliable and versatile.
    Its reliability lies in the fact that messages are stored in the mail client in encrypted form and are decrypted only when accessed (that is, if someone gets hold of your hard drive, he will not be able to decrypt your messages). Decryption requires a password that only you know (as opposed to symmetric encryption, where at least two people know the password).

Its versatility lies in the fact that, once you have created your certificate, you can use it in any e-mail client that supports S/MIME and on any operating system those clients run on. For example, you can generate a certificate with a Windows program and install it in Outlook and in the mobile mail client MailDroid. There are no restrictions on the use of certificates. The main thing when using S/MIME is to choose a convenient program for creating the certificates themselves. Preferably, it should also be able to publish certificates and keys on a server and manage them.