How Secure is Email – Privacy Issues
There is a common analogy used in security discussions about how secure email is. It’s generally considered that using standard email is about as secure and private as taking a postcard, writing down your secret thoughts, then handing it to a passing stranger and asking them to post it for you. If you take into account how emails are sent and the technology involved, it’s not far from the mark. Mind you, I can’t remember the last time I got a postcard, so maybe this particular analogy will be out of date soon.
You can go to extraordinary lengths to secure your email, though: there are many secure software solutions that will encrypt your emails and patch up the various privacy holes in email in general. However, for many of us who simply strive for a reasonable level of privacy, this can be a daunting and expensive task. In some senses, it’s perhaps best to stay clear of email if you want real, gold standard levels of privacy and security, and look for another method of transferring information. The most serious privacy concern with email is that everything you send is sent in clear text. Anyone on the distribution route of your email can simply eavesdrop on the content and read it without any fuss – no hacking or cracking of passwords is required.
Take a look at this packet capture, taken from the sending of an email using Thunderbird.
The entire email – the sender, the recipient, time stamps and the message – is in clear text, all of it readable without any effort.
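To check your own mail client's capture for this kind of exposure, here is an added example (not part of the original post) that walks the client side of an SMTP session and reports which fields are readable on the wire. The sample streams are constructed, the function name is hypothetical, and the STARTTLS check assumes the client upgrades the connection with the standard SMTP STARTTLS command.

```python
import re

# Constructed sample: client-to-server bytes of one SMTP session, in the form
# a capture tool's "follow TCP stream" view shows them (not from the page).
SAMPLE_CLEAR = (
    b"EHLO laptop.example\r\n"
    b"MAIL FROM:<alice@example.org>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"Subject: Holiday plans\r\n"
    b"\r\n"
    b"Meet me at noon.\r\n"
    b".\r\n"
    b"QUIT\r\n"
)
# Constructed sample: the client upgrades with STARTTLS, then sends TLS records.
SAMPLE_TLS = b"EHLO laptop.example\r\nSTARTTLS\r\n\x16\x03\x01\x02\x00\x01\x00"

ADDR = re.compile(r"<([^>]*)>")

def audit_smtp_stream(client_bytes):
    """Return what a passive observer can read from the client side of a session."""
    seen = {"starttls": False, "sender": None, "recipients": [],
            "headers": {}, "body": None}
    lines = [l.decode("latin-1") for l in client_bytes.split(b"\r\n")]
    i = 0
    while i < len(lines):
        line, i = lines[i], i + 1
        verb = line.upper()
        if verb == "STARTTLS":
            seen["starttls"] = True
            break  # everything after the upgrade is ciphertext to an observer
        m = ADDR.search(line)
        if verb.startswith("MAIL FROM:") and m:
            seen["sender"] = m.group(1)
        elif verb.startswith("RCPT TO:") and m:
            seen["recipients"].append(m.group(1))
        elif verb == "DATA":
            end = lines.index(".", i) if "." in lines[i:] else len(lines)
            msg = [l[1:] if l.startswith("..") else l for l in lines[i:end]]  # undo dot-stuffing
            split = msg.index("") if "" in msg else len(msg)
            for h in msg[:split]:
                if ":" in h and not h[0].isspace():
                    name, value = h.split(":", 1)
                    seen["headers"][name.lower()] = value.strip()
            seen["body"] = "\r\n".join(msg[split + 1:])
            i = end + 1
    return seen
```

A result with a sender, recipients or body filled in means those values crossed the network unencrypted; a result with only starttls set to True means the client upgraded before sending any of them.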
So let’s add a level of privacy to this transmission. I’m going to use Identity Cloaker to secure my email. We fire up the application, select a secure server in another country (I’ve chosen a Swiss server here) and then tell Identity Cloaker what to encrypt using the application screen.
In this example I’ve told it to encrypt Thunderbird, which is the email client I use on this particular PC. I’ll then resend the email and see what you can pick up from the wire using a packet capture program (Wireshark, which is available for free).
As you can see, or perhaps I should say ‘can’t see’, now all the data regarding the email is encrypted and is inaccessible to anyone reading it on its journey. Using this technology adds a huge level of email privacy, and it can be used with all applications which don’t properly encrypt your data, including messaging clients, browsers and a host of others. However, it is important to remember that the email is only encrypted during its journey; when it hits your client or mailbox, the message will be in clear text again unless some additional encryption solution is used to protect it there. Having said that, at least all your messages are protected in transit and aren’t left sitting unprotected in logs on routers and servers all across the net!