By Eric Geier
November 20, 2008
Learn how to protect your e-mail communications by securing the connection between e-mail servers and e-mail software, such as Microsoft Outlook or Thunderbird.
E-mail has become so commonplace as a method of communicating that many of us–including small business owners and their employees–routinely send sensitive messages without regard for security. In this tutorial, we’ll look at securing the connection between e-mail servers and e-mail software (such as Microsoft Outlook or Thunderbird) and protecting the content and attachments of the messages we send and receive.
Understanding e-mail security concerns
When you use e-mail software, such as Microsoft Outlook or Thunderbird, without proper protection, the account credentials that log you into the incoming and outgoing e-mail servers are sent in clear-text from your computer, over the local network and Internet, to your servers.
Any e-mail messages you send or receive are in clear-text, as well. This means if you are surfing the ‘Net on an unsecured or unencrypted network, such as using a Wi-Fi hotspot or public Internet port, anyone with the right tools can capture the network packets and read your account credentials and messages.
To better understand what an eavesdropper can see on an unprotected network, we sent an e-mail (see Figure 1) and captured its raw data packets as it was being received from the recipient’s e-mail server.
As Figure 2 shows, you can see the server login credentials. We opened Outlook and hit the Send/Receive button, which logged onto our e-mail (POP3) server, downloaded the e-mail awaiting pickup, and displayed it in our inbox. Figure 3 shows the body of the message we had downloaded to Outlook, as reassembled by the raw data-capturing tool.
If you are using a Web-based-only e-mail service, such as Gmail, Yahoo Mail, or AOL Mail, you also have a client-server security concern. As we’ll discuss later, if you don’t follow one important guideline when using Web-based e-mail services, your messages and login info can also be compromised when traveling to and from your computer and their Web/e-mail servers.
Moreover, if you use an e-mail application in conjunction with your Web-based e-mail service, you must make sure to secure both the Web access and the client application access.
You also need to be concerned about the security of the e-mail messages you send, and any attachments they may be carrying, after they leave your e-mail server. This concern applies whether you use a computer-based e-mail application or Web-based e-mail.
Even when you use encrypted connections to your e-mail servers, messages you send can still be in clear-text when they reside on your e-mail server and when they leave your server. For example, on the way to the recipient’s server your messages may pass through other servers on the World Wide Web, and those servers might be unsecured and monitored by hackers.
Additionally, the recipient may not use encrypted connections to his or her servers. Therefore, Joe Hacker could intercept the message you sent containing your sensitive information when the recipient downloads your message from his or her incoming e-mail server.
Now that we know the two main e-mail security concerns, we can address them, and encrypting the information is the solution. Even though Joe Hacker can pull network traffic from a wired network and intercept packets from Wi-Fi connections, everything is safe if the account credentials and e-mail messages are encrypted—Joe will see only a bunch of gibberish.
Using encrypted connections to your e-mail servers
If you only access your e-mail through a Web browser, all you need to do to combat the client-server issue is make sure the connection is secured with Secure Sockets Layer (SSL) encryption. The Web address should begin with https rather than http, and you should see a padlock icon displayed next to the address bar or on the status bar at the bottom of the browser.
If you use a software application, such as Outlook or Thunderbird, for e-mailing, make sure you configure the server connection settings with SSL enabled (see Figure 4).
Instead of using the typical e-mail ports (110 for POP3 or 143 for IMAP4 and port 25 for SMTP), you should use port 995 for POP3 or 993 for IMAP4 on your incoming server and port 465 for your SMTP outgoing server. Your e-mail provider should be able to provide documentation on exactly how to configure client applications.
However, using encrypted connections depends on whether your e-mail provider supports them. If you find your provider doesn’t support SSL connections for e-mail, you may want to find one that does. Many companies that provide strictly e-mail service do support secure connections.
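The port guidance above can be checked mechanically. The following is an added example, not part of the original article: it flags account entries that would still send the login in clear text and, separately, tests whether a provider accepts SSL on the ports named above. The settings layout, function names, and the host mail.example.com are assumptions made for the example.

```python
import socket
import ssl

# Ports named in the article, per protocol: (clear-text port, SSL port).
PORTS = {"pop3": (110, 995), "imap": (143, 993), "smtp": (25, 465)}


def audit_account(servers):
    """Flag server entries that would expose the login and mail on the wire.

    Each entry is a dict with protocol, host, port and use_ssl keys; this
    layout is hypothetical, chosen for the example.
    """
    findings = []
    for entry in servers:
        clear_port, ssl_port = PORTS[entry["protocol"]]
        where = f"{entry['protocol']} {entry['host']}:{entry['port']}"
        if not entry["use_ssl"]:
            findings.append((where, "SSL off: credentials sent in clear text; "
                                    f"enable SSL on port {ssl_port}"))
        elif entry["port"] == clear_port:
            findings.append((where, f"SSL on but port is {clear_port}; "
                                    f"the article's SSL port is {ssl_port}"))
    return findings


def probe_ssl_port(protocol, host, timeout=10.0):
    """Check that the provider accepts SSL on the protocol's SSL port.

    Performs the handshake only (no login). Returns the negotiated version
    string; raises ssl.SSLCertVerificationError for a bad certificate and
    OSError when the port is closed or unreachable.
    """
    context = ssl.create_default_context()  # verifies certificate and host name
    address = (host, PORTS[protocol][1])
    with socket.create_connection(address, timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


# Constructed sample settings; mail.example.com is a placeholder host.
SAMPLE = [
    {"protocol": "pop3", "host": "mail.example.com", "port": 110, "use_ssl": False},
    {"protocol": "imap", "host": "mail.example.com", "port": 993, "use_ssl": True},
    {"protocol": "smtp", "host": "mail.example.com", "port": 25, "use_ssl": True},
]

if __name__ == "__main__":
    for where, problem in audit_account(SAMPLE):
        print(f"{where}: {problem}")
```

Call probe_ssl_port("pop3", "your.provider.host") with your own provider's host name to see whether it supports SSL before changing the client settings.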
If you have your own Web site, make sure you sign up for a service that provides branded e-mail addresses, for example firstname.lastname@example.org. Some services provide e-mail addresses from only the domain of the host company, such as yourname@4Secure-mail.com.
Here are a few secure e-mail providers you may want to check out:
Encrypting your e-mail messages
As we’ll discuss further, we can use encryption utilities that follow the OpenPGP standard, and digital certificates to encrypt sensitive e-mail we send and decrypt encrypted messages we receive. It is important to remember that both the sending and receiving parties must use e-mail software or a Web-based service that supports encrypted e-mails.
To use e-mail encryption, you create a public and private key, using a utility or service. You give the public key out to people that want to send you encrypted e-mails, which they load onto their e-mail client. Since the public key can only encrypt messages, you can even publish it on your Web site.
In fact, there are PGP directories out there where you can list your public key, so other people can find it more easily. The private key is what you and only you keep, and it has the decrypting power. You load it on your e-mail client so you can read messages that arrive encrypted with your matching public key. If you want to send someone encrypted e-mails, they have to send you their public key.
Here are a few companies that offer free e-mail encryption keys: Thawte, Comodo and Ascertia.
Remember, e-mail security cannot be 100 percent guaranteed. Though your message may be safe during its journey over networks and the Internet, you don’t know what will happen to the e-mail as it sits on the recipient’s computer.
What happens if someone gets on their computer, or steals it, and looks through their old mail? Well, that is a whole other story. Securing our digital conversations and data takes a team effort. Do what you can do to help, starting by using secure e-mail connections and, when needed, use e-mail encryption.
Eric Geier is an author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007). Article courtesy of SmallBusinessComputing.com.