Posted by Josh | Posted in Information Security Made Easy | Posted on 07-01-2009
So just how safe is this?
Everyone loves the convenience of e-mail. In minutes you can send pictures of your kids, travel itineraries, love notes, or any other form of written or visual (picture or video) communication to faraway relatives. It’s practically instant gratification, with communicators sending notes back and forth on a whim.
Degree of Difficulty: 3 (Power User) for installation, 2 (Normal User) for subsequent usage
Note: All tips published will have a difficulty rating of 1 (Grandma could do it), 2 (Normal User), 3 (Power User), and 4 (Geeks only).
But what lots of people fail to realize is that e-mail is inherently a highly insecure method of communication. For instance, did you know that:
- By default, your message travels across the internet in clear text, meaning it is not scrambled or encrypted in any way.
- During its voyage, it may spend time on computers that are a) not owned by or in any way related to the sender or recipient, and b) quite possibly not running the latest and most secure version of software, and so vulnerable to being hacked.
- In the case of (a) above, as well as on your ISP’s mail server, your e-mail can be read at any time by someone who has administrative (think super duper all-powerful) rights on that server. Imagine some poor, lonely, nerdy guy sitting at a computer terminal, busily reading your passionate love letter to your husband or wife. OK, that’s a bit of an extreme case, but you get the point.
- E-mail is inherently “spoofable”. That is, it is extremely easy to fake the sending address of an e-mail, making a spammer’s message asking for personal information appear as though it came from your good friend or spouse.
So what are we to do? Abandon all use of the medium, and resort to folded notes, sealed with wax and delivered by pigeons?
Well, no, that’s not really necessary, but we do need to take steps to ensure that either we a) accept the insecure nature of e-mail, and make sure we don’t talk about anything we wouldn’t want our neighbors knowing over it, or b) take steps to make our e-mail readable only to those the message is meant for.
The Lock-Box Metaphor of Key-Based Encryption
We all know that to “encrypt” something means to somehow scramble its contents to the point where without knowledge of how to decode the message, it appears as nothing more than garbage.
One of the more common encryption methods is known as “Public Key Encryption”. Here’s how it works.
Imagine for a moment that you are in possession of the following items:
- An unlimited number of boxes with nearly impenetrable locking mechanisms. These boxes can hold letters, pictures, video tape, etc, and can be sent through the mail.
- An unlimited number of keys that can lock these boxes; however, once a box is closed and locked, these keys cannot be used to open it and view what is inside.
- A single, master key, which can be used to open any of the boxes.
Let’s say you have a significant other who lives across town (or across the country, for that matter), and they have something private they want to send you: their bank account number, a steamy love letter, perhaps some rather, err, “personal” pictures? Use your imagination.
Now if your friend were to simply send these through the mail, your friendly-yet-nosy postal service worker could easily open the package and view its contents. So, being a savvy and security-conscious person, you instead give your SO a bunch of these boxes, as well as one of your “lock-only” keys. Now, they simply need to put the incriminating item in one of your boxes, lock it up, and send it on its merry way. You can both be confident that only the two of you will know what contents lie within.
As an added bonus, imagine that your friend has sealed the box with one of those old-fashioned wax stamps, using their finger as the source of the impression (ouch! that’s hot). Now imagine that you have some fool-proof way to verify that the seal was in fact made by your friend, and not some impostor. This is called “cryptographic signing” and is yet another benefit to using public key encryption. But we’ll get into more detail in later parts.
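For readers who want to see the metaphor as arithmetic, here is an added example (not part of the original post or the software the series installs) using toy textbook RSA. The function names, sample message and small Mersenne-prime keys are constructed for illustration; real tools use much larger keys and padding.

```python
# Added illustration: toy textbook RSA (no padding, small keys). Not secure.
import hashlib

E = 65537  # public exponent shared by both toy key pairs

def make_keypair(p, q):
    """Return (lock_only_key, master_key) built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent: inverse of E mod phi
    return (n, E), (n, d)

def apply_key(key, value):
    """Turn a key in the lock: modular exponentiation with that key."""
    n, exponent = key
    return pow(value, exponent, n)

def lock(lock_only_key, message: bytes) -> int:
    m = int.from_bytes(message, "big")
    assert m < lock_only_key[0], "message too long for this toy key"
    return apply_key(lock_only_key, m)

def unlock(key, box: int) -> bytes:
    m = apply_key(key, box)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def seal(master_key, message: bytes) -> int:
    """The wax seal: only the holder of the master key can produce it."""
    return apply_key(master_key, digest(message, master_key[0]))

def check_seal(lock_only_key, message: bytes, wax: int) -> bool:
    return apply_key(lock_only_key, wax) == digest(message, lock_only_key[0])

# Constructed sample keys from known Mersenne primes (far too small for real use).
YOUR_PUBLIC, YOUR_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
FRIEND_PUBLIC, FRIEND_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)

NOTE = b"acct 12345678"              # constructed sample message
BOX = lock(YOUR_PUBLIC, NOTE)        # friend locks with your lock-only key
WAX = seal(FRIEND_PRIVATE, NOTE)     # friend seals with their own master key

if __name__ == "__main__":
    print("opened with master key:   ", unlock(YOUR_PRIVATE, BOX))
    print("opened with lock-only key:", unlock(YOUR_PUBLIC, BOX))
    print("seal genuine:        ", check_seal(FRIEND_PUBLIC, NOTE, WAX))
    print("seal after tampering:", check_seal(FRIEND_PUBLIC, b"acct 99999999", WAX))
```

Note that the box is locked with the recipient's lock-only key, while the seal is made with the sender's own master key and checked with the sender's lock-only key, so two key pairs are involved.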
Do I have your attention?
For now, all you need to know is that by the end of the series, you’ll be able to securely send and receive e-mail with your friends and family, without spending so much as a penny. You can do this on just about any computer, with any e-mail client from AOL to GMail (though as we’ll see, some are easier than others). For the difficulty of this task, I will give a hybrid 3 (Power User) / 2 (Normal User) rating, as the installation process is a bit tricky. If you’re not comfortable with the instructions I give, you may want to have someone computer friendly and trustworthy carry them out for you (note: do not let some anonymous Geek Squad employee do this for you, as you will essentially give them the keys to your e-mail).
Tune in next week for Part II of our series, when we’ll be talking about the first steps in installing the software necessary to undertake our operation.