The internet has become a wild place. Viruses and worms are common, hackers routinely crack websites, e-mail, and credit card transactions. However, most internet users suffer from a fundamental lack of education on basic computer security. Many common computer-related trouble can be avoided by following simple guidelines when online.
In this article, I will outline a few common mistakes and myths discuss e-mail privacy, attempting to demystify one aspect of computer security. Michael touched on this in his previous post about Mozilla Thunderbird and GPG. Don’t worry, I’ve checked my heavy-duty tech jargon at the door. We will explore the workings of e-mail in minimum detail, and discuss how to secure this ubiquitous mode of communication. Ready for more?
Myth: E-mail is private.
I will qualify my response by mentioning that I’m a privacy advocate. That said, e-mail is not private. The best analogy I have heard likens sending e-mail to writing a postcard. Imagine the contents of your message travelling through the postal system, visible to any and all that come into contact with the postcard. This is how e-mail works.
When you send an e-mail message, a connection is established between your computer and a mail server. The language spoken over this connection is called SMTP. The `Simple’ in SMTP makes sense—a typical session is fully comprehensible to the human eye:
220 carfax ESMTP Exim 4.34 Fri, 04 Feb 2005 22:30:00 -0600 HELO example.com 250 carfax Hello matt at localhost.visi.com [127.0.0.1] MAIL FROM: email@example.com 250 OK RCPT TO: firstname.lastname@example.org 250 Accepted DATA 354 Enter message, ending with "." on a line by itself To: email@example.com Subject: This is a test message. Hello Matt, This is a test message to illustrate the SMTP protocol. Enjoy! -- firstname.lastname@example.org . 250 OK id=1CxHah-0000g6-5W QUIT 221 carfax closing connection
Simple, right? Perhaps not, but notice how clear and easy to read the e-mail is. This “conversation” between computers typically takes place over an unsecured connection, meaning it is entirely possible to eavesdrop on this transmission. Therefore, never place anything confidential in an e-mail message if possible. Unfortunately, e-mail has all but replaced the letter as a form of business communication. What can we do?
The answer: strong encryption.
Here’s where the rabbit-hole begins to deepen. I can discuss the hows and whys of encryption tech, but instead I will focus on one of its purposes: to secure a communication channel.
Encryption works around the idea of a secret. Provided your single secret remains secure, every single message encoded with said secret remains unreadable. Here is how that same transmission would look encrypted:
220 carfax ESMTP Exim 4.34 Fri, 04 Feb 2005 22:30:00 -0600 HELO example.com 250 carfax Hello matt at localhost.visi.com [127.0.0.1] MAIL FROM: email@example.com 250 OK RCPT TO: firstname.lastname@example.org 250 Accepted DATA 354 Enter message, ending with "." on a line by itself To: email@example.com Subject: This is a test message. -----BEGIN PGP MESSAGE----- Version: GnuPG v1.2.5 (GNU/Linux) hQQOA7gWjBHDw3d7EBAAsT1WuuIbVaUupKC36Qhs5TVkILQWl7v9ZvZL6DCOv3dv cb8Qvd0JsMlthooBpiU0xk4sVIi+hfmVInKkiZyRsQEO228+WDrpPgIZqZdYszF7 R1X23+5HCbFzHNFWtbAykFAoI90sRCSKTgXdtnVn2tT0+9F5geSA9g4fN92dLpl+ Y65KIjL7B9WSPfJCSscqlfMShz3s5ywcK3Q6EcpNQIXtK2ZvHlgfCqEdboYTqEY5 VRmigGd8rPlVHoe0+R+M50NW9u9310EcWMfvOd+Tl2J6my6kKZ7o3FGvc0tjAB1q E+C2sJx7y7gy6aeelqXkTbspmu+8jDHMCYqWM1UPis9Cxw40cIGeyAjBxe2rN9nu 6T+7SV24NZj8fj0YEqTE6dXfHhqWdlMcRw/7imQl/fMSuVCfmDJ5g0DJ2lxeJGu6 4LsLdOQk6d7GPevfLo3ybQsqT8B+mOqtD9O17Rbo5EjTahzT7oMBr0abz/o6upOe BpM2cxxKwIel58Ed2mPhzo5vgnWca7p1C3pgpGsu0bsfVd/vpHIHM4glZ6LCQk2F Hx9SShaiif2s9T2P2sJrwKRK6k8sA0tLemVjkdrYlhDFM2Bj2T1AwVYJM57GqIqG G/NYAA0K47LyzVTmMCpSI2oWP93IEkDxjuyO5azgtJdix2RNrX9GWPIugcHRxkQQ AMALBpKf1Dw6cEPeKE71A0u/mLISEbbDo2rAV5G5eknZrYqWE0iOrxoz189zNy0X 7HKrubH1/6q9cL7x2v72TdA4iOhztYC+BplXxrsc54llmGFiXf9YwfHh9bVCL60h JfXmbBS9+Ea3HmljitZNWXj1N3/kWX+nXevXzCLF1a4qcHPqoBwGacNUg5mqc2al PO8ETisWx/yDdImKXDo++5PppdaOa07OTvzpVsjLMyDqJAaIQZSf30/TotH6wqBi EBPekqKu86h5PrDbz7LI+ntUw7MMerutLRCas9qVCHDxj+thvSDLETIEW8b5mVo8 i0+I7X1Sl8KDRIqBBosV/bPbuYa7MreFBDatX20JzBF2I7mTne7loGtaH9O5Ipn/ GrMUsh86Ftc0S233LnAlNzUevt7YwWtonkn3Fza3MticL5TvwEqXKgKdzHahHThe IqCY8gTKY5JS0TpZJkDtILD4tEBkdiXSbk4QcK+riMatnP27EvpTI0dj1IvN0X2B hgPh8bpZwD4wFzKgnFhe1bakVcQX/NXiywgXOKguK/k+Rlrzxeg4DNkskijVePov jPZwF0Yi7zl1BDb63OGP2psA26Z15wzh5p1QP7s0wY5DTFiPeGUUKMcfeh+GpshD nt7RqBqbGYLBS8n9kZ8yGnfwNjMHBA5qNvryXHf1WfIP0pcBCraAlbf35VQ3Z4lx mwdnD5s/RxTdHEDgvOE6E78s/iM6Weo5Nxv80jMUQxXe2pOsicFP21cjrxRou9vW RArKxQottRKweqYml8flZUCsOXHgS05wMRmjJKKcPzT6JQNVMQyiMXvkQ9VroL2k O7iP20nIZ1Cwr7v3D6wINc1tW+k6An99i7Q3GAbbL3fLxHf9xsO/4rmc =xBV1 . 250 OK id=1CxHah-0000g6-5W QUIT 221 carfax closing connection -----END PGP MESSAGE-----
Pretty daunting, eh? Encryption’s “magic” lies in the ability to recover the original message—provided you know the secret. Encryption can thus serve the purpose of a traditional envelope, blocking your message’s content from casual spies. However, encryption is much, much better than an envelope. Freely available encryption software will give large governments reasonable amounts of trouble, let alone a nosy cracker.
Unfortunately, there is a major catch: both the sender and receiver must install and properly configure encryption software. No major e-mail program includes decent encryption by default. This is currently a problem, but it is getting better. Plug-ins have been developed to add strong encryption capability to most mailers, and some standards (such as S/MIME) are in place. Most importantly, people must realize e-mail privacy can only be achieved through encryption.
Once the ball gets rolling, users will adopt encryption as an everyday privacy tool. The trick is getting the software installed and learning how to use it. I will explore freely available encryption software in a follow-up article. For now, I will merely re-iterate: don’t put anything sensitive in a plain e-mail!
More to come…
I will end my entry here and continue another day. The content above can be difficult to digest, and I will happily answer any questions—just post a comment.