Secure email – fat chance
August 5th, 2009 by admin

STOP!! Don’t use email! It is not secure!!

Of course I am joking, but it is of course true: email in its most basic form is, and has always been, an insecure method of communication.

First, a bit of background…

There are various techniques used to access email, each with pros and cons…

  1. the standard way
  2. the big business way
  3. the web way
  4. the mixed up and mobile way

1. The Standard Way
this is my way of saying – POP3 for getting your email and SMTP for sending your email. This is the way most ‘normal’ people did it until webmail came along and especially the younger generation started using Hotmail, Yahoo etc. The POP and SMTP servers would be located at your ISP; incoming (POP) mail would be held on their server until you connected and sucked it all down as a lump. Outgoing (SMTP) mail would be ‘relayed’ by your ISP’s SMTP server out onto the Internet, where it magically found its way to the destination.

The security issue here is that the mail data is easy to snatch out of the Internet data stream – governments do it all the time in an automated manner to check for hot words relating to terrorism and crime.

Now this might not seem especially important to you (“who cares if people read my mail – I know it is insecure so I never put sensitive information in it”) – but whoaaa! You have forgotten something – if you are collecting email from an email account outside your ISP, the logon data (username and password) is also being sent in the clear. The only way to secure this is to enforce the use of SSL (or TLS) data connections to your email hosting service – in this way, as a minimum, the logon data is kept totally secure – even if, once mail is passed out onto the Internet on its way to its destination, this veneer of security is removed and it is sent in the clear once again.
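As an added example (not part of the original post), the Python script below does two things the paragraph above asks for: it opens POP3 and SMTP sessions only over TLS, with certificate verification, and it audits a captured client command trace to show exactly which commands hand the username and password to the network unprotected. The hostnames, traces and credentials are constructed for illustration; only the standard library is used.

```python
"""Mail credentials on the wire: TLS-only clients plus a trace auditor."""
import poplib
import smtplib
import ssl
from dataclasses import dataclass


def connect_pop3(host, port=995):
    """Implicit-TLS POP3 (port 995); the certificate is checked against the
    system CA store, so a spoofed server cannot collect the PASS command."""
    return poplib.POP3_SSL(host, port, context=ssl.create_default_context())


def connect_smtp(host, port=587):
    """SMTP submission with STARTTLS. Credentials are never sent unless the
    STARTTLS upgrade actually happened."""
    smtp = smtplib.SMTP(host, port)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.quit()
        raise RuntimeError("server does not offer STARTTLS; refusing to log on")
    smtp.starttls(context=ssl.create_default_context())
    smtp.ehlo()  # capabilities must be re-read after the upgrade
    return smtp


@dataclass
class Finding:
    line_no: int      # position in the trace (1-based)
    command: str      # which credential-bearing command was seen
    protected: bool   # True if TLS was already in place when it was sent


def audit_session(lines, implicit_tls=False):
    """Walk the commands a client sent, in order, and return one Finding per
    command that carries logon data. implicit_tls=True models a connection
    wrapped in TLS from the first byte (POP3 on 995, SMTP on 465)."""
    protected = implicit_tls
    pending_login_lines = 0       # base64 continuation lines after AUTH LOGIN
    findings = []
    for no, raw in enumerate(lines, 1):
        parts = raw.strip().split()
        verb = parts[0].upper() if parts else ""
        if verb in ("STLS", "STARTTLS"):
            protected = True      # everything after this is encrypted
            continue
        if pending_login_lines:
            pending_login_lines -= 1
            findings.append(Finding(no, "AUTH LOGIN data", protected))
            continue
        if verb in ("USER", "PASS"):
            findings.append(Finding(no, verb, protected))
        elif verb == "AUTH":
            mech = parts[1].upper() if len(parts) > 1 else ""
            findings.append(Finding(no, f"AUTH {mech}", protected))
            if mech == "LOGIN":
                # username and password follow as separate base64 lines,
                # one fewer if the username was given as an initial response
                pending_login_lines = 1 if len(parts) > 2 else 2
    return findings


def exposed_credentials(lines, implicit_tls=False):
    """Just the findings where logon data crossed the network in the clear."""
    return [f for f in audit_session(lines, implicit_tls) if not f.protected]


# Constructed client-side traces (not real captures). The base64 blobs encode
# the made-up credentials alice / hunter2, which is exactly why base64 is no
# protection: anyone on the path can decode them.
PLAIN_POP3 = ["USER alice", "PASS hunter2", "STAT", "QUIT"]
STLS_POP3 = ["CAPA", "STLS", "USER alice", "PASS hunter2", "QUIT"]
PLAIN_SMTP = ["EHLO laptop", "AUTH PLAIN AGFsaWNlAGh1bnRlcjI=",
              "MAIL FROM:<alice@example.com>", "QUIT"]
STARTTLS_SMTP = ["EHLO laptop", "STARTTLS", "EHLO laptop", "AUTH LOGIN",
                 "YWxpY2U=", "aHVudGVyMg==", "QUIT"]

if __name__ == "__main__":
    for name, trace in [("plain POP3", PLAIN_POP3), ("STLS POP3", STLS_POP3),
                        ("plain SMTP", PLAIN_SMTP), ("STARTTLS SMTP", STARTTLS_SMTP)]:
        bad = exposed_credentials(trace)
        print(f"{name}: {len(bad)} credential command(s) sent in the clear",
              [f.command for f in bad])
```

The auditor only reads the trace, so it runs offline; the two connect helpers need a real server and are what a mail client should be doing in place of plain `poplib.POP3` and `smtplib.SMTP` with no `starttls()` call. Note that STLS/STARTTLS protects the logon hop only, which is the post's point: once the message leaves your provider's server it is back in the clear unless the next hop also negotiates TLS.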

2. The Big Business Way
this is my way of indicating that many (most?) large companies employ their own email servers (e.g. Exchange Server) and therefore the internal emails may never leave the company network, and log-on data is never passed out onto the Internet.

Of course, once emails are flying around the Internet, once again they are going to be in the clear and available for anyone to snoop.

One area of regular debate is the extent to which companies may snoop on their employees’ emails – ho ho – that is always good for a laugh. Many a high flyer has been brought down to earth as a result of inappropriate emailing activities. I believe the law states that emails created using company property in company time are the property of that company – so it has every right to snoop.

3. The Web Way
Hotmail was probably the first big webmail-only service – but now there are many others. My own favourite is Googlemail – more of that in another blog post!

Webmail brings with it many security questions:

- many people in Internet Cafes have found to their horror that their email account has been hijacked (moral: LOG OFF when you have finished!)
- the fact that you CAN log on anywhere opens up the opportunity for username and password snooping.
- as people need to be able to remember their logon details, they tend to use short and easy to attack passwords.

The best webmail services (e.g. Googlemail) allow you to use secure (SSL) connections to both log on and to read and send emails – now this is approaching a gold standard.
