Email

Now that we’ve gone over communications in general, let’s look at email. Email is inherently insecure, in that by default it is transmitted without being encrypted. If you use a web-based email provider such as Gmail or Hotmail (where you read and write email from within a web browser), there is usually a setting to require that all communications be encrypted with SSL. You can confirm that your session is encrypted if the URL (web address) starts with HTTPS (the S is what denotes the secure version).

If you use a local internet provider (your email address ends in the domain name of your internet provider), then you probably use the POP or IMAP protocols (think of them as languages) to get your email, and the SMTP protocol to send email. Each of these three protocols has a normal unencrypted version as well as an SSL-enabled version (whose protection, again, depends on the key strength). If you use an email program on your computer (such as Outlook or Thunderbird) and are confident that you can go into the settings and look at the server configuration, then you’ll probably see port numbers near the server names. The unencrypted (not secured) versions of these are usually 110 for POP, 143 for IMAP, and 25 for SMTP. The SSL-enabled versions of these are usually 995 for POP-SSL, 993 for IMAP-SSL, and either 465 or 587 for SMTP-SSL. Keep in mind that this only covers the communication between your computer (or device) and the server that stores your email. If the server’s SSL key is compromised (as I discussed earlier), then someone can read all the information (emails) transferred between your computer and the server as if there were no SSL.

The transfer of emails between your computer and your mail provider’s servers is not the only place where emails can be copied or read. When you send an email to someone who does not use the same email provider (such as from a Gmail address to a Hotmail address), the email has to be transferred between the Gmail server and the Hotmail server. This is another communication (using the SMTP protocol) that may or may not be encrypted. You can get some idea of whether that connection was secured by looking at the headers of an email that has already been delivered (the lines that record the server-to-server hops will mention SSL or TLS if it was), though in general you should assume that anything you send by email can easily be read by a third party.
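As an added illustration of that header check (this script and its sample message are constructed for this page, not taken from the original article), the following Python pulls the Received: lines out of a raw message and reports which hops recorded TLS. The hostnames and ids are made up, and the check is only a text heuristic over what each relay wrote about itself.

```python
import re
from email import message_from_string

# Constructed sample message (not a real one): three relay hops, the middle
# one recorded as plain "ESMTP" with no TLS information at all.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby mail.example.org (Postfix) with ESMTPS id ABC123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
\tfor <alice@example.org>; Mon, 01 Jan 2024 10:00:02 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP id XYZ789;
\tMon, 01 Jan 2024 10:00:01 +0000
Received: from client.example.com (client.example.com [192.0.2.9])
\tby relay.example.com with ESMTPSA id QRS456
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
From: bob@example.com
To: alice@example.org
Subject: test

body
"""

# Tokens a mail server typically writes into a Received: line when the hop
# used TLS: the ESMTPS/ESMTPSA/SMTPS keywords or an explicit TLS/SSL version.
TLS_PATTERN = re.compile(r"\bESMTPSA?\b|\bSMTPS\b|\bTLS|\bSSL", re.IGNORECASE)
# "from <host> ... by <host>" names the two ends of a hop.
HOP_PATTERN = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)

def audit_hops(raw_message):
    """Return one (from_host, by_host, tls_seen) tuple per Received: header,
    ordered from the first hop (sender side) to the last (recipient side)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its Received: line, so reverse to get transit order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        match = HOP_PATTERN.search(flat)
        src, dst = (match.group(1), match.group(2)) if match else ("?", "?")
        hops.append((src, dst, bool(TLS_PATTERN.search(flat))))
    return hops

def cleartext_hops(raw_message):
    """Hops whose Received: line records no TLS/SSL at all."""
    return [(src, dst) for src, dst, tls in audit_hops(raw_message) if not tls]

if __name__ == "__main__":
    for src, dst, tls in audit_hops(SAMPLE_MESSAGE):
        print(f"{src} -> {dst}: {'TLS' if tls else 'CLEARTEXT'}")
```

A hop that shows no TLS token is the one to worry about, but a Received: line is written by the receiving server and can be incomplete or forged by an earlier hop, so a "TLS" result is evidence, not proof.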

With regard to the content of emails, there is a relatively simple way of securing your information. You can create your own public and private key pair to secure the content of your email, using a product such as PGP (Pretty Good Privacy) or GPG (the free/open version). Using one of these will encrypt the content of your emails, but only if the person you’re exchanging emails with uses the same method. The headers of the email, with the sender’s and recipient’s names and email addresses, the source computer, its IP address, and the date/time, remain readable by anyone in between regardless of which of these methods you use. This information (the headers) is sometimes referred to as metadata, so someone who only sees the metadata still knows who sent messages where, at what time, and from which computer. There was recently a new initiative announced that is looking at potential ways to protect this information, though it’s unlikely that anything significant will be available and implemented anytime soon.

The grand summary of email is that while there are quite a few things you can do to protect the privacy of your emails, you have no control over your email service provider and how emails are transmitted over the internet. Unless you’re using very strong encryption on the content of your messages, your encryption keys are perfectly secure (which is not possible), and your computer is *guaranteed* to be malware free, you should not consider emails to be private.