Hi,

I've got a question about securing emails with SSL.

If I get an SSL certificate to secure my email, that would mean that the connection between my mail client and my mail server will be encrypted. So anyone listening in couldn't view my emails or username and password. But what happens between the mail server and the destination mail server? And between there and the recipient's mail client? If the recipient isn't using SSL, will the email and its contents still be secure?

Also, out of interest, is the danger of people "listening in" just from your internal network (people using packet sniffers) or is there a danger of people out in the cloud listening in?

Thanks,

Michael

+3  A: 

This only secures the connection/communication between your mail client and the mail server.

So people on your internal network can't sniff (at least not in clear text) your mail.

How the transport between the mail server from your server to the server of the recipient happens depends on their configuration.

Basically you can't avoid the risk of some mail server operator reading your mail, or the NSA reading it, and so on...

The only thing to secure your mail against a malicious mail server operator would be to encrypt your mail with some Public-key cryptography system (e.g. PGP).

jitter
Fun fact. Over 80% of the email servers in the world route their email through the United States for no technical reason whatsoever. You know though, so few people actually encrypt their emails that encrypting your email is basically putting a flag on it saying decrypt this. Email is not secure; if you need a document or comms to be secured, you need to catch a plane with an encrypted document or file and give it to who you want to have it.
Spence
Well, the flag which says "decrypt me" doesn't bother me, as decrypting a strongly encrypted mail is still not feasible.
jitter
Thanks for your response Jitter! It's cleared my understanding of secure email up! It's a shame all email's so unsecure! Anyway, thanks again!
Michael Waterfall
+2  A: 

Only the connection between your client (if correctly configured) and your server will be encrypted (same for the recipient's end); once the email leaves your server on its way to your recipient's mailserver it will be open for all to see.

I.e. You (using SSL) -> SECURE -> Your Server -> UNSECURE -> Internet -> UNSECURE -> Recipient's Server -> SECURE -> Recipient (using SSL).

To ensure secure delivery the email needs to be encrypted end-to-end (i.e. the actual contents of the email, rather than just the delivery to/from the server). This can be done through several different mechanisms (see Wikipedia for a list); one of the more common ones is using PGP for email (see Google for more).

There is a risk of people listening in on both the internal network and in the cloud; the probabilities of either I am not sure of, but I would say the internal network would generally be the more likely location of a 'listener'.

mundeep
+1  A: 

If I get an SSL certificate to secure my email, that would mean that the connection between my mail client and my mail server will be encrypted.

No. But it would mean that it's possible to establish an encrypted connection to your server.

But what happens between the mail server and the destination mail server? And between there and the recipient's mail client? If the recipient isn't using SSL, will the email and its contents still be secure?

No. All you get from SSL-encrypting the connection to your server is the encrypted login dialog so attackers won't be able to look at your username/password.

If you want to protect your mail messages, you will have to encrypt them in the mail client. PGP and S/MIME come to mind.

innaM
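The hop-by-hop picture in the answers above can be checked on a delivered message by reading its `Received` headers, whose `with` keyword records the protocol each relay used (RFC 3848: `ESMTPS`/`ESMTPSA` mean the hop ran over TLS). This is an added example, not code from any of the posters; the sample message and all `example.*` host names are constructed.

```python
import email
import re

# RFC 3848 "with" keywords whose trailing S means the hop was TLS-protected.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: client -> own server (TLS), server -> recipient MX
# (cleartext), MX -> internal store (TLS, Postfix-style comment).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby store.example.net (Postfix) with ESMTPS id 3C; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.example.org (out.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id 2B; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.example.org (unknown [192.0.2.10])
\tby out.example.org with ESMTPSA id 1A; Mon, 1 Jan 2024 10:00:01 +0000
From: sender@example.org
To: rcpt@example.net
Subject: constructed test message

body
"""

def strip_comments(text):
    """Drop (possibly nested) parenthesised comments so a phrase such as
    'with cipher' inside one is not mistaken for the protocol clause."""
    previous = None
    while previous != text:
        previous, text = text, re.sub(r"\([^()]*\)", " ", text)
    return " ".join(text.split())

def hop_report(raw_message):
    """Return [(from_host, by_host, protocol, used_tls)] in delivery order."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so reverse for sender-to-recipient order.
    for header in reversed(msg.get_all("Received", [])):
        text = strip_comments(header)
        field = lambda kw: (re.search(rf"\b{kw} (\S+)", text) or [None, "?"])[1]
        proto = field("with").rstrip(";").upper()
        hops.append((field("from"), field("by"), proto, proto in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw_message):
    """Hops whose Received header does not record TLS."""
    return [(f, b) for f, b, _, tls in hop_report(raw_message) if not tls]
```

`Received` headers are written by each relay and are not authenticated, so only the ones added by servers you trust are reliable; the message body is readable on every server regardless, which is why the answers point to PGP or S/MIME.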