The internet has become a wild place. Viruses and worms are common, hackers routinely crack websites, e-mail, and credit card transactions. However, most internet users suffer from a fundamental lack of education on basic computer security. Many common computer-related trouble can be avoided by following simple guidelines when online.

In this article, I will outline a few common mistakes and myths discuss e-mail privacy, attempting to demystify one aspect of computer security. Michael touched on this in his previous post about Mozilla Thunderbird and GPG. Don’t worry, I’ve checked my heavy-duty tech jargon at the door. We will explore the workings of e-mail in minimum detail, and discuss how to secure this ubiquitous mode of communication. Ready for more?

HTML Aside

If you are using a modern browser, note that the acronym ‘SMTP’ is underlined. Move your mouse over ‘SMTP’ and wait a few moments—you should see the acronym spelled out in a tooltip.

Tooltips like these can be used throughout websites to provide more information on a certain bit of text, or even a link. This is a useful feature to keep in mind when drafting copy for the web.

Myth: E-mail is private.

I will qualify my response by mentioning that I’m a privacy advocate. That said, e-mail is not private. The best analogy I have heard likens sending e-mail to writing a postcard. Imagine the contents of your message travelling through the postal system, visible to any and all that come into contact with the postcard. This is how e-mail works.

When you send an e-mail message, a connection is established between your computer and a mail server. The language spoken over this connection is called SMTP. The `Simple’ in SMTP makes sense—a typical session is fully comprehensible to the human eye:

220 carfax ESMTP Exim 4.34 Fri, 04 Feb 2005 22:30:00 -0600
HELO example.com
250 carfax Hello matt at localhost.visi.com [127.0.0.1]
MAIL FROM: test@example.com
250 OK
RCPT TO: matt@clockwork.net
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
To: matt@clockwork.net
Subject: This is a test message.

Hello Matt,

This is a test message to illustrate the SMTP protocol.
Enjoy!

--
test@example.com
.
250 OK id=1CxHah-0000g6-5W
QUIT
221 carfax closing connection

Simple, right? Perhaps not, but notice how clear and easy to read the e-mail is. This “conversation” between computers typically takes place over an unsecured connection, meaning it is entirely possible to eavesdrop on this transmission. Therefore, never place anything confidential in an e-mail message if possible. Unfortunately, e-mail has all but replaced the letter as a form of business communication. What can we do?

The answer: strong encryption.

Here’s where the rabbit-hole begins to deepen. I can discuss the hows and whys of encryption tech, but instead I will focus on one of its purposes: to secure a communication channel.

Encryption works around the idea of a secret. Provided your single secret remains secure, every single message encoded with said secret remains unreadable. Here is how that same transmission would look encrypted:

220 carfax ESMTP Exim 4.34 Fri, 04 Feb 2005 22:30:00 -0600
HELO example.com
250 carfax Hello matt at localhost.visi.com [127.0.0.1]
MAIL FROM: test@example.com
250 OK
RCPT TO: matt@clockwork.net
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
To: matt@clockwork.net
Subject: This is a test message.

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.5 (GNU/Linux)

hQQOA7gWjBHDw3d7EBAAsT1WuuIbVaUupKC36Qhs5TVkILQWl7v9ZvZL6DCOv3dv
cb8Qvd0JsMlthooBpiU0xk4sVIi+hfmVInKkiZyRsQEO228+WDrpPgIZqZdYszF7
R1X23+5HCbFzHNFWtbAykFAoI90sRCSKTgXdtnVn2tT0+9F5geSA9g4fN92dLpl+
Y65KIjL7B9WSPfJCSscqlfMShz3s5ywcK3Q6EcpNQIXtK2ZvHlgfCqEdboYTqEY5
VRmigGd8rPlVHoe0+R+M50NW9u9310EcWMfvOd+Tl2J6my6kKZ7o3FGvc0tjAB1q
E+C2sJx7y7gy6aeelqXkTbspmu+8jDHMCYqWM1UPis9Cxw40cIGeyAjBxe2rN9nu
6T+7SV24NZj8fj0YEqTE6dXfHhqWdlMcRw/7imQl/fMSuVCfmDJ5g0DJ2lxeJGu6
4LsLdOQk6d7GPevfLo3ybQsqT8B+mOqtD9O17Rbo5EjTahzT7oMBr0abz/o6upOe
BpM2cxxKwIel58Ed2mPhzo5vgnWca7p1C3pgpGsu0bsfVd/vpHIHM4glZ6LCQk2F
Hx9SShaiif2s9T2P2sJrwKRK6k8sA0tLemVjkdrYlhDFM2Bj2T1AwVYJM57GqIqG
G/NYAA0K47LyzVTmMCpSI2oWP93IEkDxjuyO5azgtJdix2RNrX9GWPIugcHRxkQQ
AMALBpKf1Dw6cEPeKE71A0u/mLISEbbDo2rAV5G5eknZrYqWE0iOrxoz189zNy0X
7HKrubH1/6q9cL7x2v72TdA4iOhztYC+BplXxrsc54llmGFiXf9YwfHh9bVCL60h
JfXmbBS9+Ea3HmljitZNWXj1N3/kWX+nXevXzCLF1a4qcHPqoBwGacNUg5mqc2al
PO8ETisWx/yDdImKXDo++5PppdaOa07OTvzpVsjLMyDqJAaIQZSf30/TotH6wqBi
EBPekqKu86h5PrDbz7LI+ntUw7MMerutLRCas9qVCHDxj+thvSDLETIEW8b5mVo8
i0+I7X1Sl8KDRIqBBosV/bPbuYa7MreFBDatX20JzBF2I7mTne7loGtaH9O5Ipn/
GrMUsh86Ftc0S233LnAlNzUevt7YwWtonkn3Fza3MticL5TvwEqXKgKdzHahHThe
IqCY8gTKY5JS0TpZJkDtILD4tEBkdiXSbk4QcK+riMatnP27EvpTI0dj1IvN0X2B
hgPh8bpZwD4wFzKgnFhe1bakVcQX/NXiywgXOKguK/k+Rlrzxeg4DNkskijVePov
jPZwF0Yi7zl1BDb63OGP2psA26Z15wzh5p1QP7s0wY5DTFiPeGUUKMcfeh+GpshD
nt7RqBqbGYLBS8n9kZ8yGnfwNjMHBA5qNvryXHf1WfIP0pcBCraAlbf35VQ3Z4lx
mwdnD5s/RxTdHEDgvOE6E78s/iM6Weo5Nxv80jMUQxXe2pOsicFP21cjrxRou9vW
RArKxQottRKweqYml8flZUCsOXHgS05wMRmjJKKcPzT6JQNVMQyiMXvkQ9VroL2k
O7iP20nIZ1Cwr7v3D6wINc1tW+k6An99i7Q3GAbbL3fLxHf9xsO/4rmc
=xBV1
.
250 OK id=1CxHah-0000g6-5W
QUIT
221 carfax closing connection
-----END PGP MESSAGE-----

Pretty daunting, eh? Encryption’s “magic” lies in the ability to recover the original message—provided you know the secret. Encryption can thus serve the purpose of a traditional envelope, blocking your message’s content from casual spies. However, encryption is much, much better than an envelope. Freely available encryption software will give large governments reasonable amounts of trouble, let alone a nosy cracker.

Early Adoption

Unfortunately, there is a major catch: both the sender and receiver must install and properly configure encryption software. No major e-mail program includes decent encryption by default. This is currently a problem, but it is getting better. Plug-ins have been developed to add strong encryption capability to most mailers, and some standards (such as S/MIME) are in place. Most importantly, people must realize e-mail privacy can only be achieved through encryption.

Once the ball gets rolling, users will adopt encryption as an everyday privacy tool. The trick is getting the software installed and learning how to use it. I will explore freely available encryption software in a follow-up article. For now, I will merely re-iterate: don’t put anything sensitive in a plain e-mail!

More to come…

I will end my entry here and continue another day. The content above can be difficult to digest, and I will happily answer any questions—just post a comment.