Secure Email – What You Need to Know 2023

So, you finally figured you should look into securing your email and other communications? Good. No encryption scheme will stop every attempt at unauthorized access or eavesdropping on your communications, but there is a lot you can do to protect yourself from many bad actors.

What IS Secure Email Exactly?

Secure email refers to an email communication method that uses encryption to protect the confidentiality and integrity of the email content and attachments. The encryption process converts the email content into ciphertext that can only be deciphered by authorized recipients who hold the decryption key. This ensures that only the intended recipients can read the message, and that its content cannot be read, or modified without detection, by unauthorized third parties.

Secure email can also offer additional features such as two-factor authentication, digital signatures, and end-to-end encryption to further enhance email security. Secure email is often used by individuals, businesses, and organizations that require secure communication channels to protect sensitive and confidential information.

Additional Security

End-to-End Encryption – E2EE

End-to-end encryption (E2EE) is a security measure that ensures that the content of an email message can only be read by the sender and the intended recipient(s) of the message. With E2EE, the email message is encrypted on the sender’s device and can only be decrypted by the recipient’s device.

In E2EE email communication, the message content is encrypted with a unique key generated on the sender’s device. That key is delivered to the recipient in a form only the recipient’s device can unwrap (in practice, encrypted to the recipient’s public key), so it is never exposed to, or stored on, any third-party server, and only the intended recipients can access the message content.

E2EE offers a high level of security for email communication, as it prevents unauthorized access to the message content by hackers, cybercriminals, or government agencies. It is often used by individuals and organizations that handle sensitive and confidential information, such as financial institutions, law firms, and government agencies.

Digital Signatures

Digital signatures are a security mechanism used to verify the authenticity and integrity of an email message. A digital signature is a unique value computed with the sender’s private key, the key that corresponds to the sender’s digital certificate, and attached to the email message. It is computed over a hash value of the message content, which is produced with a cryptographic hash algorithm.

When the recipient receives the email message, their email client software verifies the digital signature to ensure that the message has not been tampered with during transmission and that it originates from the sender it claims to come from. The email client software checks the digital signature against the sender’s public key, which is contained in the sender’s digital certificate.

Digital signatures provide a way to verify the authenticity of an email message and to detect any tampering with the message content during transmission. They are often used in email communication where the content of the message is sensitive or confidential, such as in business or legal communication. Digital signatures also give the sender a way to prove that they sent the message, so they cannot later deny having sent it.

Two-Factor Authentication – 2FA

Two-factor authentication (2FA) is a security process that requires two forms of identification from the user to access their account. The two factors of authentication can be:

  1. Something the user knows (such as a password or PIN).
  2. Something the user has (such as a mobile device or security key).

To implement 2FA for email accounts, the user typically needs to enable the feature in their email account settings. The user may be required to enter a verification code sent to their mobile device or to use a security key to access their account in addition to entering their password.

2FA for email accounts provides an additional layer of security, making it harder for unauthorized users to gain access to the account. It is recommended to use 2FA for email accounts, especially for accounts that handle sensitive or confidential information.

Email Encryption Protocols

There are several types of encryption used to secure email, some newer than others. In the early days of email encryption, things were not at all user friendly. Today, sending secure, encrypted email is very simple. Let’s take a look at the main protocols used to secure email today…

Transport Layer Security (TLS)

TLS is a widely used protocol that encrypts the connection between email servers while a message is being transmitted, so the email content is protected in transit between the sender’s and recipient’s email servers.

Pros:

    • TLS is widely used and well-supported by email providers and clients.
    • TLS is automatic and requires no user intervention.
    • TLS is effective at protecting email during transit.

Cons:

    • TLS only protects email during transit and does not provide end-to-end encryption.
    • TLS can be vulnerable to man-in-the-middle attacks if not implemented correctly.
    • TLS does not protect email once it has been delivered to the recipient’s email server.

Example: In 2013, researchers discovered a vulnerability in the implementation of TLS in Apple’s iOS and OS X, which allowed attackers to intercept and decrypt email traffic.

S/MIME

Secure/Multipurpose Internet Mail Extensions (S/MIME) is an email encryption standard that uses digital certificates to encrypt and digitally sign email messages. S/MIME is often used in corporate environments where security and confidentiality are critical.

Pros:

    • S/MIME provides end-to-end encryption and digital signature authentication.
    • S/MIME is widely supported by email clients and servers.
    • S/MIME is suitable for use in corporate environments where security and confidentiality are critical.

Cons:

    • S/MIME requires the user to obtain and manage digital certificates, which can be complex and time-consuming.
    • S/MIME is vulnerable to attacks if the user’s private key is compromised.
    • S/MIME does not provide protection against metadata leakage, which can reveal information about the sender and recipient.

Example: In 2018, researchers discovered a vulnerability in the implementation of S/MIME in Apple Mail, which allowed attackers to intercept and read encrypted email messages.

PGP/GPG

Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG), its free and open-source implementation of the same standard, are popular email encryption tools that use public-key cryptography to encrypt email messages. PGP/GPG is often used by individuals who need to send and receive secure email messages.

Pros:

    • PGP/GPG provides end-to-end encryption and digital signature authentication.
    • PGP/GPG is widely used and supported by open-source software.
    • PGP/GPG allows for secure communication between individuals without relying on third-party service providers.

Cons:

    • PGP/GPG requires the user to obtain and manage public and private keys, which can be complex and time-consuming.
    • PGP/GPG can be vulnerable to attacks if the user’s private key is compromised or if the implementation is flawed.
    • PGP/GPG does not provide protection against metadata leakage.

Example: In 2018, researchers discovered a vulnerability in the implementation of PGP/GPG in popular email clients such as Thunderbird and Apple Mail, which allowed attackers to intercept and read encrypted email messages.

AES

Advanced Encryption Standard (AES) is a symmetric encryption algorithm, meaning the same key both encrypts and decrypts. In email it is commonly used to encrypt attachments: the file is encrypted with AES before it is attached and the message is transmitted.

Pros:

    • AES provides strong encryption for email attachments.
    • AES is widely used and supported by many software applications.

Cons:

    • AES only protects email attachments and not the email content itself.
    • AES can be vulnerable to attacks if the encryption key is compromised or if the implementation is flawed.

Example: In 2016, researchers discovered a vulnerability in the implementation of AES in the email client Mailpile, which allowed attackers to intercept and decrypt email attachments.

OpenPGP

OpenPGP is the open standard that PGP and GPG implement, and it is widely used to secure email messages. OpenPGP combines symmetric and asymmetric encryption: the message itself is encrypted with a one-time symmetric key, and that key is encrypted with the recipient’s public key.

Pros:

    • OpenPGP provides end-to-end encryption and digital signature authentication.
    • OpenPGP is widely used and supported by open-source software.
    • OpenPGP allows for secure communication between individuals without relying on third-party service providers.

Cons:

    • OpenPGP requires the user to obtain and manage public and private keys, which can be complex and time-consuming.
    • OpenPGP can be vulnerable to attacks if the user’s private key is compromised or if the implementation is flawed.
    • OpenPGP does not provide protection against metadata leakage.

Example: In 2018, researchers discovered a vulnerability in the implementation of OpenPGP in the email client Enigmail, which allowed attackers to intercept and read encrypted email messages.
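To show how the pieces described above fit together (the per-message key from the End-to-End Encryption section, the signature from the Digital Signatures section, and OpenPGP’s combination of symmetric and asymmetric encryption), here is a minimal message envelope in Go. It is an added example in the spirit of OpenPGP, not OpenPGP’s actual wire format and not the article’s own code; it assumes AES-256-GCM, RSA-OAEP and RSA-PSS from the Go standard library, with the parties’ RSA keys generated by the caller.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is all the mail servers ever see: wrapped session key, AES-GCM ciphertext, sender signature.
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

// Seal encrypts body under a fresh session key, wraps that key to the recipient (RSA-OAEP) and signs the ciphertext (RSA-PSS).
func Seal(body []byte, recipient *rsa.PublicKey, sender *rsa.PrivateKey) (*Envelope, error) {
	buf := make([]byte, 44) // 32-byte AES-256 session key + 12-byte GCM nonce, generated on the sender's device
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // neither constructor can fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, nonce, body, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, ct, sig}, nil
}

// Open checks the sender's signature first, then unwraps the session key and decrypts; GCM also rejects tampering.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, err // rsa.ErrVerification: altered in transit or not from the claimed sender
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

A server relaying the Envelope holds only the wrapped key and ciphertext, so it can neither read the body nor change it without the signature and GCM checks failing at the recipient.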

Securing Email in Transit vs. End-to-End

Securing email in transit only means that the email content is encrypted while it is being transmitted between the sender’s and recipient’s email servers, but the content of the email is not encrypted while it is stored on the email server or on the recipient’s device. This means that anyone who gains access to the email server or the recipient’s device can potentially read the email content.

On the other hand, securing email end-to-end means that the email content is encrypted throughout the entire communication process, including while it is stored on the email server and on the recipient’s device. End-to-end encryption ensures that only the sender and recipient(s) of the email can read the email content, and no one else, including the email service provider, can access the content.

Securing email in transit only is less secure than end-to-end encryption because it leaves the email content vulnerable to interception and access by unauthorized parties. End-to-end encryption is considered to be more secure because it provides complete protection for the email content throughout the entire communication process.

End-to-end encryption is typically used when the content of the email is sensitive or confidential, such as in business or legal communication, while securing email in transit only is typically used for general email communication.

Each of the five encryption methods I mentioned earlier (TLS, S/MIME, PGP/GPG, AES, and OpenPGP) has its own strengths and weaknesses, and the level of security provided by each method depends on the specific use case and implementation. However, in general, end-to-end encryption methods such as PGP/GPG and OpenPGP are considered to be the most secure, as they provide complete protection for the email content throughout the entire communication process, including while it is stored on email servers and on the recipient’s device.

End-to-end encryption ensures that only the sender and the intended recipients of the email message can read the content of the email, and no one else, including the email service provider, can access the content. This makes it much harder for hackers, cybercriminals, or government agencies to intercept or access the email content.
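As an added example (not from the original article), here is the check a recipient or incident responder can run over a message’s Received: headers, the audit trail of each server-to-server hop, to see which legs the “in transit” TLS protection from the TLS section actually covered. The sample message is constructed; its hostnames, addresses and queue IDs are made up.

```go
package main

import (
	"net/mail"
	"regexp"
	"strings"
)

// Hop is one Received: header: which server handed the message to which, and over what protocol.
type Hop struct{ From, By, Protocol string; TLS bool }

var (
	hopRe = regexp.MustCompile(`(?i)^from\s+(\S+).*?\bby\s+(\S+)`)
	// RFC 3848 "with" keywords: ESMTPS, ESMTPSA and SMTPS mean the session ran under TLS.
	withRe = regexp.MustCompile(`(?i)\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)[A-Z]*)`)
)

// AuditHops parses an RFC 5322 message and returns its hops origin-first; a hop is
// marked TLS only when its Received: line records a TLS-protected SMTP session.
func AuditHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	received := msg.Header["Received"] // stored topmost first, i.e. the last hop first
	var hops []Hop
	for i := len(received) - 1; i >= 0; i-- {
		line, h := received[i], Hop{}
		if m := hopRe.FindStringSubmatch(line); m != nil {
			h.From, h.By = m[1], m[2]
		}
		if m := withRe.FindStringSubmatch(line); m != nil {
			h.Protocol = strings.ToUpper(m[1])
			h.TLS = strings.HasSuffix(strings.TrimSuffix(h.Protocol, "A"), "S")
		}
		hops = append(hops, h)
	}
	return hops, nil
}

// sampleMessage is constructed for this example: the submission and final delivery hops
// used TLS, but relay.example.net accepted the message from smtp.example.org in the clear.
const sampleMessage = `Received: from relay.example.net (relay.example.net [203.0.113.20])
	by mx.example.com with ESMTPS id AbCd123; Mon, 2 Jan 2023 10:00:03 +0000
Received: from smtp.example.org (smtp.example.org [198.51.100.7])
	by relay.example.net with ESMTP id XyZ987; Mon, 2 Jan 2023 10:00:02 +0000
Received: from [192.0.2.10] (alice-laptop [192.0.2.10])
	by smtp.example.org with ESMTPSA id QwE456; Mon, 2 Jan 2023 10:00:01 +0000

(body)`
```

Some mail servers record TLS only in a comment such as “(version=TLS1_2 …)” rather than in the “with” keyword, which this simple parser does not look at; and an unprotected leg means only that an on-path observer between those two servers could have read the message, since nothing here says anything about storage at either end.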

Does Your Email “Program” Matter?

The specific email client you use to send secure email depends on the type of encryption method you are using. Some email encryption methods are built into specific email clients, while others require the use of third-party encryption tools or plugins.

For example, if you are using S/MIME encryption, you can use email clients such as Microsoft Outlook, Mozilla Thunderbird, or Apple Mail, which have built-in S/MIME encryption capabilities. To use PGP/GPG encryption, you may need to use a third-party encryption tool or plugin, such as Gpg4win or Enigmail.

If you are using a secure email service that provides end-to-end encryption, such as ProtonMail or Tutanota, you will need to use the email client provided by the service to send and receive secure email messages.

It is important to note that both the sender and recipient of the email message need to be using the same encryption method for secure email communication to work effectively. Therefore, it is important to ensure that the recipient of the email message is using the same encryption method and has the necessary encryption keys or tools to decrypt the message.

Hybrid End-to-End

If you use ProtonMail Bridge to integrate your ProtonMail account with Outlook, the email content is encrypted between your device and ProtonMail’s servers. However, it is important to note that the end-to-end encryption provided by ProtonMail only applies to emails sent between ProtonMail accounts.

When you use ProtonMail Bridge to integrate with Outlook, the email content is decrypted on your device, and then re-encrypted and sent to the recipient’s email server using TLS encryption. This means that while the email content is encrypted while it is in transit, it is not end-to-end encrypted because it is decrypted and re-encrypted during the process.

However, ProtonMail Bridge still provides a high level of security for your email communication, as it encrypts the email content while it is being transmitted between your device and ProtonMail’s servers, and also encrypts the email content while it is stored on ProtonMail’s servers. This makes it much harder for hackers or other unauthorized parties to access your email content.

Although using ProtonMail Bridge with Outlook does not provide end-to-end encryption for your email communication, it still provides a high level of security for your email content, especially when compared to traditional email services that do not provide any encryption.