Email Encryption has the potential to provide protection from spam and malware over email, if implemented correctly. Email encryption can protect your privacy and your security.
Three Failures of Email Encryption
DIFFICULT TO IMPLEMENT
Email encryption is difficult to implement as an end user as it requires a number of confusing and complicated steps. This is only complicated further when you factor in that most users now use 2 or more devices to access their emails.
Many organisations are using cloud services which either don’t provide encryption options or charge extra for the privilege of being able to have encrypted emails. Furthermore it is worth noting that many cloud providers may be using the data from raw emails (not encrypted) for a range of activities from spam protection, customised Ads, market research or other activities. Hence many cloud providers are not economically motivated to provide email encryption.
Many organisations want to track all electronic communications from their employees. This means they want to control how any information is encrypted, hence they prefer to encrypt traffic only exiting their email system. The common method of encrypting traffic between email nodes is called STARTTLS. This method has a number of issues including:
- The message is decrypted at each email relay (node) so there is no protection from nodes
- It is optional encryption so a man-in-the-middle could filter out the optional encryption request
- The message provides no protection from untrusted parties, spam or malware
- The message is decrypted by the email servers and not the end users so the raw message is available to the email service provider. This becomes an issue for those using cloud services for their emails.
END TO END ENCRYPTION
End to end encryption allows email communications to be secured between each party. The challenge is:
- how do they securely exchange keys (including organisational/corporate keys)?
- how do they encrypt and decrypt emails across multiple devices (phone, browser, tablet, desktop)?
The method to exchanging keys can be done in many ways, including a public key repository or DNS (domain name system) records. The concern with a public key repository is it could be compromised allowing every attacker and spammer to know your email. Also it doesn’t take advantage of the fact that by the “public key” not being public, spammers and malware can not be encrypted.
I would recommend using a web of trust mechanism by placing your public key/s at the end of each email. This method means the only people you directly communicate with have access to your public key. Hence any person sending you spam or malware will either need to manually request your key, or will not be encrypted. Any non-encrypted emails can have higher security rules across them including being filtered into spam, removal of attachments and removal of links.
This is not without it’s weaknesses and requires the first message between each contact to be appropriately secured so a man-in-the-middle is not able to modify the public keys within that first message. Securing emails across servers using STARTTLS and/or DANE in combination with end to end security can mitigate this concern. Also it also provides some protection in case of any mistakes in the end to end encryption implementation.
Theoretically this sounds great but practically it is still too hard for many people. The current best practice is PGP or GPG. However they are still clunky. The proposal to smooth the process would be to automate as much of the process as possible. So, with that said, we would require tool/s that can automatically decrypt emails then extract and store other parties’ keys, as well as automatically encrypt each email with the appropriate keys. This would be required to work across all your devices.
So the tools that could be used are:
Web Browser – Mailevlope
- Email App:
- K-9 Mail
- Squeaky Mail
- WEB.DE Mail
- Sony Email
- Key Storage App:
- OpenKeychain: Easy PGP
- Gnu Privacy Guard (GnuPG)
- APG (Android Privacy Guard)
- PGP KeyRing
There is still a manual process of transferring your keys across all the devices, but this process although daunting is manageable by the average user.
Current keys are quite large and cumbersome but with new ECC keys, it wont be long before a small set of numbers at the end of someone’s email might become standard.
So while we wait to see how it evolves, grab yourself one of the above tools and give it a go.
For more information regarding Email Protection contact our team of experts at Vertex Cyber Security.