How secure are emails?

Status
Not open for further replies.
Syzygys

Syzygys

As a mother, I am telling you
Valued Senior Member
Here I am not talking about getting a virus from an attachment but the ability to read my email by others? Is it possible but hard to do so or something that generally we shouldn't be concerned about?

Also, if it is possible, what does it depend on? Like speed of delivery or the length of route or what?
 
Anyone at your servers main site can access your Email account and view it at anytime. So , I hope that answers your question. Also they store all of your Emails for up to a year or more.
 
I wasn't worrying about the server side, but more like hackers catching it on the way...
 
If they are on the same network as you, it is possible to put their NIC into 'promiscuous mode' and sniff out the conversation you are having with your mail server. They have to be on the same subnet though, iirc.

POP3 emails are sent plain text, but you can encrypt IMAP etc.
 
phlogistician said:
If they are on the same network as you, it is possible to put their NIC into 'promiscuous mode' and sniff out the conversation you are having with your mail server. They have to be on the same subnet though, iirc.

POP3 emails are sent plain text, but you can encrypt IMAP etc.
Click to expand...

But wouldn't encrypting anything automatically draw attention to it more so that a plain Email?
 
unless you are running encryption of some sort, be that a secure mail server, SSL enabled or the like... or you are using strong encryption on your email... i used to use 2048 bit keys on PGP and that was secure... this was before PGP started giving out 'unlock' keys to companies and governments...

you can think of an email like text on a postcard sent through the mail... anyone can read it... this 'postcard' analogy is absolutely accurate and has been used by computer scientists for decades...

if this concerns you, there is a pretty cool webmail site called 'Hushmail' that offers free encrypted email... it's a pretty slick service...

Link to Hushmail...

or there are encryption programs you and a recipient can use... lots of free and shareware software of this type is available at tucows.com or download.com and the like...
 
Just a point about Encryption. It's dependent on if you are using already created algorithms or one you've tailor-made. If you've made it yourself you are likely to draw attention if the powers that be find any investigation impeded by your cryptology prowess. (I know that some countries might ask for your key to decrypting, while others are actually allowed to install spyware on your computer to take the key from you without necessarily informing you.)

Obviously as people have mentioned if you have secure data you want to keep that way then your best encrypting it through PGP. (I'd suggest that any company sending internal Memos/Emails uses this method to lessen Industrial Espionage, usually such emails also have a added disclaimer in the template to suggest that it should not be sent unencrypted or received unencrypted.)

As for reading Emails, well we can use the old Alice & Bob analogy.

Alice sends Bob an Email. The email is sent directly from Alices Computer to the Mailserver that the Domain Record for Bob's domain points to. On delivery it sits waiting for Bob to either download via POP3, Access via a Website or connect to via the IMAP protocol. The only time this email is truly secure is when Bob has received it and removed it from the server.

This means that for their to be any faults in the chain in regards to securing this transaction, then their is a chance for exploitation.

For instance if Alice or Bob were to receive a virus from Marvin who's previously setup his own Server as a Proxy, then it's possible for him to point Bob or Alice's software into believing that it needs to use the Proxy to connect to the internet. If this is the case then Marvin can manipulate all outbound connections perhaps he could make it disappear into his own server, perhaps he'd just transparently packet scan the information passing through. (The reason Marvin would pick Alice and Bob is because it's likely that Alice/Bob are Casual Computer users that are likely not to pick up on exploits or know how to tighten their security settings. They are a Soft target in comparison to the Email server, which will have communication logs and require a whole lot of work setting up Long tracible routes. [This means it takes a long time to trace])

This is of course where Cryptology comes into play, because then even if Marvin manages to intercept the Email he's still got the task of dealing with it in an encrypted format.
 
The reason I worried because I sent CC info to a friend. Now instead of encryption, let's say I cut up the email into 2 parts, sending 2 emails) so not the whole info exist in one email, would that help a lot??

Stryder said:
The only time this email is truly secure is when Bob has received it and removed it from the server.
Click to expand...

On AOL you can retrieve recently deleted emails, that indicates to me that they probably keep a copy for a short, limited time like 1-3 days...
 
Breaking up data over multiple emails provides a tiny amount of additional security - the person will need both emails to do anything nefarious.

However, if they have access to one email, gaining access tot he rest is trivial - the hard part will be searching for the useful information.

Overall, is your email safe enough to be sending CC info over? No.

Is it safer than handing your credit card to the waiter last night at that restaurant? Only slightly.
 
Syzygys said:
On AOL you can retrieve recently deleted emails, that indicates to me that they probably keep a copy for a short, limited time like 1-3 days...
Click to expand...

That wouldn't surprise me at all. It's totally down to the Operating system in use and of course the server software. It's probably been configured for those people that either like to rethink what they deleted or to aid in stopping rogue deletions when people gain access to peoples accounts. In either sense there should be a way to fully delete, if there isn't then you should be able to complain about it if needed.
 
Dr Mabuse said:
unless you are running encryption of some sort, be that a secure mail server, SSL enabled or the like... or you are using strong encryption on your email... i used to use 2048 bit keys on PGP and that was secure... this was before PGP started giving out 'unlock' keys to companies and governments...
Click to expand...

I have googled a bit on this but couldn't find anything.... also the wikipedia article doesn't mention anything on this...... so where did you get this from?

Also at Hushmail you have to pay for IMAP, and a 250 mb storage space..... while you get IMAP for free at gmail, and also 6 gb of storage space.

I wonder how secure POP3 + SSL is compared to IMAP.
 
Last edited:
s0meguy said:
I have googled a bit on this but couldn't find anything.... also the wikipedia article doesn't mention anything on this...... so where did you get this from?

Also at Hushmail you have to pay for IMAP, and a 250 mb storage space..... while you get IMAP for free at gmail, and also 6 gb of storage space.

I wonder how secure POP3 + SSL is compared to IMAP.
Click to expand...

Back around 2001 a number of laws came in to deal with Encryption (Basically the Paranoia because of 9/11 had people concerned that Encrypted messages could contain terrorist instructions, so some governments wanted to lessen peoples liberties further by creating laws in regards to Encryption)

From what I remember the US were basically allowed to place keylogger's on peoples computers to get Encryption keys, while the UK would "ask" for the key (and if you didn't want to give it up, well they'd confiscate your equipment).

One of the other points was that laws were made in regards to what established Encryption protocols were used and one of those protocols was that such systems like PGP would have to share an unlock key with governments should they require it.

In honesty though this shouldn't affect people unless of course they are Terrorists or Criminals and are hiding evidence in Encrypted formats.
 
I recently studied email security for my degree.

Here are the main concerns with basic email (SMTP):
  • Authentication: the sender's email address can be set to any value. This gives two problems. Non repudiation - someone can send an email and then deny having sent it. Spoofing - someone can pretend to be you.
  • Encryption: SMTP is plain text, so it can be intercepted by people with access to the email storage / mx, people with access to internet routers (i.e. ISPs and 'the feds') and anyone on the local network depending on switching policies etc.
For authentication, there are two sides. Firstly, the initial SMTP server can authenticate users when they try to connect to it and send mail. This is not necessarily very effective as anyone can make their own SMTP server or simply log into an unsecured on (most ISPs' SMTPs will let you spoof your email address, although they may log IP addresses). Secondly, the receiving MX server can attempt to verify the senders address. This can be done by reverse DNS checking to ensure the SMTP server comes from the same domain as the '@domain.com' part of the email address (e.g. the very poor Sender Policy Framework) or by including digital signatures (verifying either the whole email address, e.g. PGP, or more commonly just the domain, e.g. Hotmail using SenderID).

Encryption is usually done end-to-end by the users. Read Phil Zimmerman's shortish PDF file 'Introduction to Cryptography' to see how that can work.

For maximum security, I recommend learning about onion routing (see TOR network). TOR covers most things, including IP invisibility etc. It's used by intelligence agencies and terrorists alike (even if your connection is encrypted, Sayeed Al Kebab will still know you're a spy if he can see where the encrypted traffic is going to / coming from.)
 
Stryder said:
Back around 2001 a number of laws came in to deal with Encryption (Basically the Paranoia because of 9/11 had people concerned that Encrypted messages could contain terrorist instructions, so some governments wanted to lessen peoples liberties further by creating laws in regards to Encryption)

From what I remember the US were basically allowed to place keylogger's on peoples computers to get Encryption keys, while the UK would "ask" for the key (and if you didn't want to give it up, well they'd confiscate your equipment).

One of the other points was that laws were made in regards to what established Encryption protocols were used and one of those protocols was that such systems like PGP would have to share an unlock key with governments should they require it.

In honesty though this shouldn't affect people unless of course they are Terrorists or Criminals and are hiding evidence in Encrypted formats.
Click to expand...

A fixed backdoor into the encryption doesn't affect people?

So did they actually comply? I wonder which other encryption algorithms have this, what about Blowfish? the one that I use regularly.
 
s0meguy said:
A fixed backdoor into the encryption doesn't affect people?
Click to expand...

Technically it's not a fixed backdoor, it's merely recorded key. It's not like a Skeleton key, so thats why I considered people shouldn't be concerned as it's not like they can open every closet ;)

So did they actually comply? I wonder which other encryption algorithms have this, what about Blowfish? the one that I use regularly.
Click to expand...

To my knowledge this was more related to online Encryption services using large keys as apposed to internal systems on peoples servers. Those sorts of encryption types can be Cracked (Bruteforced) with enough machines and time.
 
Stryder said:
Technically it's not a fixed backdoor, it's merely recorded key. It's not like a Skeleton key, so thats why I considered people shouldn't be concerned as it's not like they can open every closet ;)



To my knowledge this was more related to online Encryption services using large keys as apposed to internal systems on peoples servers. Those sorts of encryption types can be Cracked (Bruteforced) with enough machines and time.
Click to expand...

A recorded key, generated by the server that generates the traffic itself? How does that work? Wouldn't that be exploited? Also it sounds like it is really easy to work around it then...

By the way, your last comment is not really right, with the right password, containing 10-15 normal characters, numbers and capital characters, there are trillions of trillions of trillions (etc) of possible answers..... so that would take too long to brute-force. If you're paranoid like me, you keep an encrypted file on a military grade secure usb stick that destroys itself after 10 bad password attempts, containing master encryption keys of 50 random characters, they can forget about ever decrypting that. I read an article a while ago, they were trying to decrypt some pedophile's encrypted files. It was in Europe.... they didn't succeed to bruteforce it, they sent it to the FBI who ran brute-forcing software on it for a month without results.
 
Last edited:
s0meguy said:
A recorded key, generated by the server that generates the traffic itself? How does that work? Wouldn't that be exploited? Also it sounds like it is really easy to work around it then...

By the way, your last comment is not really right, with the right password, containing 10-15 normal characters, numbers and capital characters, there are trillions of trillions of trillions (etc) of possible answers..... so that would take too long to brute-force. If you're paranoid like me, you keep an encrypted file on a military grade secure usb stick that destroys itself after 10 bad password attempts, containing master encryption keys of 50 random characters, they can forget about ever decrypting that. I read an article a while ago, they were trying to decrypt some pedophile's encrypted files. It was in Europe.... they didn't succeed to bruteforce it, they sent it to the FBI who ran brute-forcing software on it for a month without results.
Click to expand...

Well I remember an Article on bruteforcing 768bit encryption about 5 years back. Basically a guy decided to "borrow" his works networks by creating a parallel processing method to bruteforce. It basically ran when the network wasn't busy, so everytime the office computers idled and a screensaver popped up it would start adding to the bruteforce attempt. Apparently it too about 1 week to crack it, although it was approximate 2000 desktops.

Admittedly this anedote is from my memory so the fish could be bigger or smaller than I stated, I'll have to see if I can find the article.
 
Status
Not open for further replies.
Back
Top