Brain Dump

Thoughts on my latest research, recently discovered tricks and so on.
Flash, PHP, MySQL, Linux and all things Internet.

Secure email using regular email.
Friday, August 24, 2007

Regular email is probably one of the least secure things out there. A message you send is plain text on your own computer (readable by anyone with physical access to it), and it then travels across the Internet. It does not go straight to the recipient: it hops through a series of mail servers, and it can be intercepted at any of those points, not just one. Many, if not all, of these servers store the message for a while, much as post offices around the world collect and hold your mail until it is ready to move on to the next post office. So if a local server administrator, a Web hosting company, or a hacker gets direct or indirect access to any of those machines, they can read your mail that way too.

Most people know not to put information that is too sensitive in email, but they may not realize just how exposed a message is. Even once it reaches the recipient, copies can linger on the servers it passed through, in a cache or similar. Some organization, whether a spy agency or a marketing company, may be hoarding messages for later analysis; who knows. Anyway, I don't generally have any information that's of a life-or-death sensitive nature, but I do like to protect my clients' interests where possible. Web developers and the like often have to communicate about server access, which means exchanging usernames and passwords.

If you still want the convenience of email for exchanging usernames and passwords or credit card information, there is a way to encrypt your messages strongly enough that it does not matter who intercepts them. Anyone who obtains the message sees only scrambled ciphertext.

I'm not going to get into how public key encryption (PKE) works here, but there are GUI plugins for most operating systems that let you manage your keys and encrypt and decrypt messages.

Especially useful is a plugin for Apple's Mail client that lets you encrypt a message. You can also send a plain text message that is digitally signed, which proves the message came from the holder of your private key: if anyone changes even one character, the signature will no longer validate. The encrypted or signed message is itself still plain text. This means that although you and your recipients need special software installed on your computers, you do not need any special email service from your company or host; any mail server will carry it. Two things to keep in mind: the encryption covers the message body only, so the subject line and the sender and recipient addresses stay readable in transit, and a signature is only as meaningful as your confidence that the public key really belongs to the other person, which is why key fingerprints are compared over a separate channel before trusting them. The software is free and open source. Learn more about it here:

gpg for os x
gpg for windows / linux
