We all know that e-mail is insecure, right? Not to be trusted for anything important, right? Yes, that’s the common opinion about e-mail security. But is it correct? Is e-mail really as bad as we think? Let’s dig a bit deeper.
E-mail is one of the old-school services that we still use today. It was created during an era when the whole Internet was a trusted and secure environment, and cyber crime was science fiction. And as we can expect, the basic mail exchange protocols lack security almost completely. So our common mindset about insecure e-mail was definitely based on solid facts.
But times are changing. Snowden showed us that intelligence agencies really are taking full advantage of anything they can find on the net. And this has led to one of the most rapid change processes in the Internet’s history: the deployment of encryption. The core e-mail transfers still have glaring security flaws, but we are using protection at other layers. So the question about e-mail’s security is not that simple anymore.
But first we must define what security means. People tend to instinctively think of confidentiality when we talk about mail security. It means that sent and received messages shall remain confidential and not leak to outsiders. This is no doubt a central issue, but not the only one. And we must remember that confidentiality is more than just securing the message content. Metadata, information about whom we communicate with and when, may be as important and sensitive as the actual content.
The other central issue is integrity. Can I trust that a message I receive is correct and unaltered? And especially important for mail, can I trust that the sender really is the claimed one? Sender authentication, or lack thereof, is actually e-mail’s biggest integrity issue.
So how secure is e-mail today? First the simple part, integrity. No improvement on this front. It is still trivial to forge the sender field of a message. You can easily make it look like it came from any address, and direct replies to any e-mail address you like. This is widely utilized by scammers and there’s no cure in sight. We just have to learn how to live with this and be suspicious about mails we receive.
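Being suspicious can be partly automated on the receiving side. The following is an added example, not part of the original article: it compares the domain claimed in From with the Reply-To and Return-Path domains of a constructed message. The function name and all addresses are made up for illustration, and a mismatch is a hint to look closer, not proof of forgery, since legitimate bulk mailers often use a different Return-Path.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not real traffic): From claims a bank, replies go elsewhere.
SPOOFED_SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Example Bank" <service@bank.example>
Reply-To: helpdesk@bank-support.example.org
To: user@example.com
Subject: Your account

Please reply with your details.
"""

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_findings(raw):
    """Return a list of reasons to treat the claimed sender with suspicion."""
    msg = message_from_string(raw)
    from_addrs = getaddresses(msg.get_all("From", []))
    # A normal message has exactly one usable From address.
    if len(from_addrs) != 1 or not domain(from_addrs[0][1]):
        return ["missing or multiple From addresses"]
    from_dom = domain(from_addrs[0][1])
    findings = []
    # Replies would be sent somewhere other than the claimed sender's domain.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if domain(reply) != from_dom:
            findings.append(f"Reply-To domain {domain(reply)} != From domain {from_dom}")
    # The envelope sender recorded at delivery differs from the displayed sender.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and domain(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain(return_path)} != From domain {from_dom}")
    return findings

if __name__ == "__main__":
    for finding in sender_findings(SPOOFED_SAMPLE):
        print(finding)
```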
But confidentiality? Here we have some quite significant progress. The actual mail transfer protocols, like POP, IMAP and SMTP, are still fundamentally insecure. But Internet traffic is to an increasing extent being sent inside encrypted “tunnels”. Protocols like SSL and TLS enable devices on the net to set up encrypted connections and exchange data securely. The e-mails you are sending and receiving are to an increasing extent transferred inside such virtual tunnels. Almost all connections between your own device and your e-mail server are already protected. And a large portion of the traffic between mail servers is also secured.
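Whether a given message actually travelled inside such tunnels can be read from its Received headers, because each receiving server records the protocol it was handed the message with (RFC 3848 keywords such as ESMTPS mean TLS was used on that hop). This is an added example, not from the original article; the hosts and headers are constructed, and since Received lines written by servers outside your own provider can be forged, the result is only as trustworthy as the servers that wrote them.

```python
import re
from email import message_from_string

# Constructed sample headers (placeholder hosts). The newest hop is listed first.
HOPS_SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.com with ESMTPS id abc123
\tfor <user@example.com>; Fri, 13 Jul 2018 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id def456; Fri, 13 Jul 2018 10:00:02 +0000
Received: from laptop.local ([203.0.113.5])
\tby relay.example.org with ESMTPSA id ghi789; Fri, 13 Jul 2018 10:00:01 +0000
From: alice@example.org
To: user@example.com
Subject: hello

body
"""

# "by <receiving host> ... with <protocol keyword>" inside one Received header.
BY_WITH_RE = re.compile(r"\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.S)

# Registered "with" keywords: a trailing S (before an optional A) means TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA", "UTF8SMTP", "UTF8SMTPA"}

def hop_encryption(raw):
    """Return [(receiving_host, 'tls' | 'plaintext' | 'unknown')], oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = BY_WITH_RE.search(value)
        if not match:
            hops.append(("?", "unknown"))  # header lacks a by/with clause
            continue
        host, proto = match.group(1), match.group(2).upper()
        if proto in TLS_PROTOCOLS:
            hops.append((host, "tls"))
        elif proto in PLAIN_PROTOCOLS:
            hops.append((host, "plaintext"))
        else:
            hops.append((host, "unknown"))  # vendor-specific wording: do not guess
    return hops

if __name__ == "__main__":
    for host, state in hop_encryption(HOPS_SAMPLE):
        print(f"{host}: {state}")
```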
So what does this mean in practice? That depends a lot on who you are and what security needs you have. Let’s condense it into some simple pieces of advice.
So we can conclude that the insecure e-mail is a myth to some extent. It’s definitely not a service for classified information. But private persons do not, in practice, have much to fear when using e-mail, at least not on the confidentiality front. Your mails may get into the wrong hands, but you can usually blame yourself if that happens. The leaks will likely be caused by a malware infection on your device, a weak password or you falling for a phishing scam. Not by weak security in e-mail itself.
You can easily make educated decisions about your private mail traffic. But it’s harder when you deal with organizations that are stuck in the e-mail security myth. My bank has a convenient function that sends me a mail notification when an electronic invoice is received. But the notification just states that I have a new invoice. It omits the important information, from whom and for what amount. So I’m still forced to log in to the bank and check it. I can’t even turn on detailed notifications as an option. And all this just “to protect me”. Fail! It’s OK to have the detailed notifications off by default. But preventing customers from turning them on is just stupid and bad customer service.
Same thing with our school’s system for communication with parents. The system supports mail notifications, but they are turned off for certain events that are considered sensitive. But these events are important and parents should react to them promptly. So the school is trying to solve a mostly imaginary problem, but doesn’t realize that it is creating a new risk at the same time: that parents miss important notifications. And that can be a far more severe threat to the children’s development than a leaked mail notification.
It’s always good that people are aware of security issues and take them into account when planning systems. But this is an excellent example that there can be too much security. Never aim for total security; get to know the threats and implement a suitable security level.
Image by Tony Webster