Image from EFF

Is e-mail OK for secret stuff?

Short answer: No. Slightly longer answer: Maybe, but not without additional protection.

E-mail is one of the oldest and most widely used services on the Internet. It was developed during an era when we were comfortably unaware of viruses, worms, spam, e-crime and the NSA, and that is clearly visible in the architecture and the blatant lack of security features. Without going deep into technical details, one can conclude that the security of plain e-mail is next to non-existent. The mail standards by themselves provide neither encryption nor verification of the communicating parties’ identities. All of this can be added with extra protection arrangements. But are you doing it, and do you know how?

Here are some points to keep in mind.

  • Hackers or intelligence agencies may tap into the traffic between you and the mail server. This is very serious, as it can reveal even your user ID and password, enabling others to log in to the server and read your stored mail. The threat is mitigated by making sure the network traffic is encrypted. Most mail client programs offer an option to use SSL or TLS encryption for both sent and received mail (in practice that means TLS today; the SSL label just lingers in many settings dialogs). See the documentation for your mail program or service provider. Check at the same time that the client actually verifies the server’s certificate: a client set to accept any certificate encrypts the traffic, but not against someone sitting in the middle. If you use webmail in your browser, make sure the connection is encrypted. See this article for more details. If it turns out that you can’t use encryption with your current service provider, start looking for another one promptly.
  • Your mails are stored at the mail server. Three main points determine how secure they are there: your own password and how secret you keep it, the service provider’s security policies, and the legislation in the country where the service provider operates. Most ordinary service providers offer decent protection against hackers and other low-resource parties, but less protection against the authorities in their home country.
  • Learn to recognize phishing attacks, as phishing is one of the most common ways mail accounts get compromised.
  • Some mail service providers focus purely on secrecy and use some kind of encryption to keep messages secret. Hushmail (Canada) and Mega’s (New Zealand) planned service are examples. Lavabit and Silent Mail used to provide this kind of service too, but they have been closed down under pressure from the authorities. This recent development shows that services run in the US can’t be safe. US authorities can walk in at any time and request your data or force the provider to implement backdoors, no matter what security measures the provider has in place. And it’s foolish to believe that this is used only against terrorists. It’s enough that a friend of a friend of a friend is targeted for some reason, or that there is some business interest competing with American interests.
  • The safest way to deal with most of these threats is end-to-end encryption. For this you need additional software such as Pretty Good Privacy, a.k.a. PGP. It’s a bit of a hassle, as both parties need compatible encryption programs and have to exchange encryption keys (and verify that a key really belongs to the other party, not to someone who sent it in their name). But once that is done you have protection for both stored messages and messages in transit, because only the recipient’s key can decrypt them. PGP also provides strong authentication of the message sender in addition to secrecy. This is the way to go if you deal with sensitive material frequently.
  • An easier way to transfer secret stuff is to attach encrypted files. You can for example use WinZip or 7-Zip to create encrypted packages. Select the AES encryption algorithm if you have a choice; the legacy ZIP encryption (ZipCrypto) is weak and should not be used. Note also that an encrypted ZIP archive still shows its file names in the clear, whereas 7-Zip’s own 7z format can encrypt the file names as well. Make sure you use a hard-to-guess password that is long enough and contains upper- and lowercase letters, numbers and special characters. Needless to say, do not send the password to the other party by mail. Agreeing on the password is often the weakest link and you should pay attention to it. Even phone and SMS may be unsafe if an intelligence agency is interested in you.
  • Remember that traffic metadata may reveal a lot even if you have encrypted the content: who you have communicated with and at what time. End-to-end encryption does not help here, since the headers (sender, recipients, date, and with PGP also the subject line) must stay readable for the mail to be delivered at all. The only real protection against this is to use anonymous mail accounts that can’t be linked to you. This article touches on the topic.
  • Remember that there are always at least two parties in a communication, and no chain is stronger than its weakest link. It doesn’t matter how well you secure your mail if you send a message to someone with sloppy security.
  • Mails are typically stored in plaintext on your own computer if you use a mail client program, and webmail may also leave messages in the browser cache. This means you need to care about the computer’s security if you deal with sensitive information. Laptops and mobile devices are especially easy to lose or have stolen, which can lead to data leaks. Data can also leak through malware that has infected your computer.
  • If you work for a company and use mail services provided by them, the company should have implemented suitable protection. Most large companies run their own internal mail services and route traffic between sites over encrypted connections. You do not have to take care of this yourself, but it may be a good idea to check it. Just ask the IT guy at the coffee table if the NSA can read your mails and see how he reacts.
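
The first bullet above says that an unencrypted connection to the mail server can leak your user ID and password. The following is an added example, not code from the original post, showing exactly what a passive observer pulls out of a captured plaintext SMTP and IMAP session, and beside it the client-side settings (certificate verification, host-name check, TLS 1.2 or newer, STARTTLS before login) that close the hole. The captures, host names and credentials are constructed for the example.

```python
"""Added example (not code from the original post): what a passive
eavesdropper recovers from a mail session that is NOT encrypted, next to
the client settings that close the hole.  The two captures below are
constructed for this example and the credentials in them are fake."""
import base64
import imaplib
import shlex
import smtplib
import ssl

# Constructed capture: a client that authenticates over plain SMTP (no
# STARTTLS).  AUTH PLAIN carries base64("\0user\0password"), which is
# encoding, not encryption.
SMTP_CAPTURE = b"""220 mail.example.net ESMTP
EHLO laptop
250-mail.example.net
250 AUTH PLAIN LOGIN
AUTH PLAIN AGFsaWNlQGV4YW1wbGUubmV0AGh1bnRlcjI=
235 2.7.0 Authentication successful
"""

# Constructed capture: IMAP on port 143 without TLS.  LOGIN sends the
# password as a literal string.
IMAP_CAPTURE = b"""* OK IMAP4rev1 ready
a001 LOGIN "bob@example.net" "correct horse"
a001 OK LOGIN completed
"""


def credentials_from_capture(capture):
    """Return the (user, password) pairs visible in a plaintext SMTP/IMAP
    capture, i.e. exactly what someone tapping the wire would get."""
    found = []
    for raw in capture.splitlines():
        try:
            parts = shlex.split(raw.decode("utf-8", "replace"))
        except ValueError:          # unbalanced quote in a banner; not a login
            continue
        if len(parts) == 3 and parts[0].upper() == "AUTH" and parts[1].upper() == "PLAIN":
            fields = base64.b64decode(parts[2]).split(b"\0")
            if len(fields) == 3:    # authzid, authcid (user), password
                found.append((fields[1].decode(), fields[2].decode()))
        elif len(parts) == 4 and parts[1].upper() == "LOGIN":
            found.append((parts[2], parts[3]))      # <tag> LOGIN <user> <pass>
    return found


def mail_tls_context():
    """TLS settings a mail client should insist on: verify the server
    certificate against the system trust store, check that it matches the
    host name, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_inbox_securely(host, user, password):
    """IMAP over TLS on port 993.  Not run by the example: needs a server."""
    with imaplib.IMAP4_SSL(host, 993, ssl_context=mail_tls_context()) as imap:
        imap.login(user, password)
        imap.select("INBOX", readonly=True)
        return imap.search(None, "ALL")


def send_securely(host, user, password, message):
    """SMTP submission on port 587, upgraded with STARTTLS before login.
    smtplib raises SMTPNotSupportedError if the server does not offer
    STARTTLS, so the password never crosses the wire in the clear."""
    with smtplib.SMTP(host, 587) as smtp:
        smtp.starttls(context=mail_tls_context())
        smtp.login(user, password)
        smtp.send_message(message)


if __name__ == "__main__":
    for user, password in credentials_from_capture(SMTP_CAPTURE + IMAP_CAPTURE):
        print("recovered from the wire:", user, password)
```

Run as-is, the script prints both fake credential pairs straight out of the captures; that is the whole argument for TLS in one screen. The two `*_securely` helpers are the shape of the fix: a verifying TLS context, the TLS ports (993 and 587), and STARTTLS negotiated before `login()` rather than after.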
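
The metadata bullet above notes that encrypting the content does not hide who talked to whom and when. This added example (not from the original post) parses a constructed PGP/MIME message and lists the headers that stay readable by every server on the path, including the Subject line and the sender's IP address in the Received header, then builds the who-wrote-to-whom graph from headers alone. The message, addresses and armored block are made up for the example; the armored part is a placeholder, not real ciphertext.

```python
"""Added example (not code from the original post): a message whose body is
end-to-end encrypted with PGP still hands the mail servers, and anyone
tapping them, its metadata in the clear.  The message below is constructed
for this example; the armored block is a placeholder, not real ciphertext."""
from email import message_from_bytes, policy

RAW_MESSAGE = b"""Received: from laptop.example.net ([192.0.2.10]) by mail.example.net
\twith ESMTPSA id 4Kx1; Thu, 15 Aug 2013 09:12:33 +0300
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Cc: Carol <carol@example.com>
Date: Thu, 15 Aug 2013 09:12:30 +0300
Subject: Q3 acquisition terms
Message-ID: <20130815061230.1234@laptop.example.net>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

placeholderplaceholderplaceholderplaceholderplaceholder
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

# Everything PGP/MIME leaves outside the encrypted part.  Subject is among
# them, and Received shows which machine the sender used.
EXPOSED_HEADERS = ("Received", "From", "To", "Cc", "Date", "Subject", "Message-ID")


def exposed_metadata(raw):
    """Header values every relaying server reads as-is, whatever was done
    to the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {name: [str(v) for v in msg.get_all(name, [])]
            for name in EXPOSED_HEADERS if msg.get(name) is not None}


def body_is_opaque(raw):
    """True when the body is a PGP/MIME encrypted part: a control part plus
    an armored blob, so the content itself is hidden from the servers."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    parts = list(msg.iter_parts())
    return (len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and b"BEGIN PGP MESSAGE" in parts[1].get_content())


def contact_graph(raw_messages):
    """Who wrote to whom, built from headers alone: the traffic analysis an
    observer can do over a whole mailbox without breaking any crypto."""
    edges = set()
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=policy.default)
        senders = [a.addr_spec for a in msg["From"].addresses]
        recipients = [a.addr_spec for h in ("To", "Cc") if msg[h]
                      for a in msg[h].addresses]
        edges.update((s, r) for s in senders for r in recipients)
    return edges


if __name__ == "__main__":
    for name, values in exposed_metadata(RAW_MESSAGE).items():
        print(f"{name}: {values}")
    print("body readable by the server:", not body_is_opaque(RAW_MESSAGE))
    print("contact graph:", sorted(contact_graph([RAW_MESSAGE])))
```

The point of the split between `exposed_metadata` and `body_is_opaque` is that both are true at the same time: the body is sealed, yet the server still knows Alice wrote to Bob and Carol about "Q3 acquisition terms" from 192.0.2.10 at a given minute. Feed `contact_graph` a folder's worth of messages and the social network falls out with no decryption at all, which is why the bullet points to anonymous accounts rather than stronger crypto.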

Finally, sit down and think about what kind of mail secrecy you need. Imagine that all messages you have sent and received were made public. What harm would that cause? Would it be embarrassing to you or your friends? Would it hurt your career or employer? Would it mean legal problems for you or your associates? (No, you do not need to be a criminal for this to happen. Signing an NDA may be enough.) Would it damage the security of your country? Would it risk the life of you or others? And, harder to estimate, could any of this stuff cause you harm if it’s stored for ten or twenty years and then released in a world that is quite different from today?

At this point you can go back to the list above and decide if you need to do something to improve your mail security.

Safe surfing,
Micke
