TechRepublic: Basic e-mail security tips

[turetzsr]

...Full article: http://blogs.techrepublic.com.com/security/?p=411.

...Excerpts:

1. Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought. <snip> When rendering HTML, you run the risk of identifying yourself as a valid recipient of spam or getting successfully phished by some malicious security cracker or identity thief. <snip>

2. If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve e-mail. This means avoiding the use of Web-based e-mail services such as Gmail, Hotmail, and Yahoo! Mail <snip>

3. It’s always a good idea to ensure that your e-mail authentication process is encrypted, even if the e-mail itself is not. The reason for this is simple: You do not want some malicious security cracker “listening in” on your authentication session with the mail server. <snip>

5. If, for some reason, you absolutely positively must access an e-mail account that does not authorize over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances.

<snip>

Your e-mail security does not just affect you; it affects others, as well....

[Geek]

3. It’s always a good idea to ensure that your e-mail authentication process is encrypted, even if the e-mail itself is not. The reason for this is simple: You do not want some malicious security cracker “listening in†on your authentication session with the mail server. <snip>

5. If, for some reason, you absolutely positively must access an e-mail account that does not authorize over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances.

Fat chance of that happening with the ISP's around here.... they have NO SSL authentication period! Even logging in to pay my phone bill is forced over a clear connection :angry:

[turetzsr]

Fat chance of that happening with the ISP's around here.... they have NO SSL authentication period! Even logging in to pay my phone bill is forced over a clear connection :angry:

...Well, you can't blame your ISP for that -- that's the phone company's issue!

...Does you bank offer a service to allow you to pay bills online? If so, is that secure?

[Miss Betsy]

OK, technically non-fluent me, who IME knows a whole lot more than most of my acquaintances, understands #1 and gets everything in plain text, though I use HTML to send email - mostly because my MS Word program is so old that emails with attachments are sent to the bit bucket apparently.

On #2, I guess that I POP my email because I use WindowsLive for most of my email. However, occasionally I use webmail - even for the email accounts I generally download. It is convenient. That's the whole point of webmail. And I always log out when I am done. Does that count?

On #3, I have no idea how to make sure anything is encrypted. Or is that the little padlock symbol?

On #5 since I don't know how to make sure that something is encrypted, I am completely lost about using a public connection. Not that I often do.

And #4 is about digitally signing - which I think I remember seeing in the preferences but was afraid to use because I don't know how it works and afraid that some people would not get my emails because they don't know how to receive them.

IOW, I depend on the email service I use to do all those things for me (except possibly for the plain text which should be capable of being switched on and off sometimes). I do try to do what I can to be responsible, but #1 is the only one I understand. As I pointed out in the beginning, I am lot more computer savvy than many of my acquaintances so good luck on alerting people to 'safe' emailing!

Miss Betsy

[agsteele]

An interesting article in TechRepublic although the guy that wrote it seemed more paranoid about security that one of my colleagues who is definitely paranoid about security.

But then I chilled over a wee dram of malt and realised that my Emails to my daughter about the time of her train home or a note to my wife asking her to remember to bring some milk home from the supermarket aren't what he's talking about.

Do I need to consider these things when dealing with work stuff? Probably. Do I need to consider these things when I'm travelling for work in Africa, Asia and Latin America? Definitely!

Will digitally signing every one of my Emails with the PGP I have installed make any difference? Definitely NOT. Few of my contacts have the software necessary to decrypt the signature.

Should I only read Email in plain text? Well, I already do because I choose an Email program that refuses to open HTML until I tell it to do so.

Andrew

[rconner]

Like the guy told me once, you can never have too much security. Not all of these items here, however, are things that the average e-mail user can do, or is even able to do.

On #2, I guess that I POP my email because I use WindowsLive for most of my email. However, occasionally I use webmail - even for the email accounts I generally download. It is convenient. That's the whole point of webmail. And I always log out when I am done. Does that count?

I don't know much about Windows Live mail, but if you use your web browser to get to it then you are using HTTP to transfer your mail , and not POP or IMAP as the author advises. I think the author is saying that you should be using a dedicated mail program like Outlook, Thunderbird, etc. (which will use POP or IMAP) in preference to a web browser when you pick up your mail, as this is supposed to be more secure. I am not sure that this is universally true -- wouldn't a webmail session run via SSL (https://...) be more secure against packet sniffing than a plain old unencrypted POP/IMAP pickup from a traditional mail client program?

On #3, I have no idea how to make sure anything is encrypted. Or is that the little padlock symbol?

If you are using a dedicated mail client program (e.g., Outlook, Thunderbird) then there are settings you can make when you set up your mail hosts -- you can tell the program to use SSL, Kerberos, or other procedures when communicating with the server, or even just when authenticating preparatory to transferring mail in or out. This is usually done in the same dialog or screen where you identify these servers and provide your username/password. The trick is that the server has to support such encrypted authentication, and I suspect not all of them do. Not much that an end-user can do about #3 if his service does not support encrypted authentication (maybe find a webmail service that operates over SSL).

On #5 since I don't know how to make sure that something is encrypted, I am completely lost about using a public connection. Not that I often do.

Probably #5, like most of this article, is more applicable to business users. Suppose I were on travel and wanted to check my work e-mail from the hotel; what this advice says to me is that I need to use VPN or a similar mechanism to make my traffic unintelligible to snoopers on the wire. Otherwise, a person with the right equipment in the right spot (say, next to the hotel's main router) might have a chance to intercept my messages (and my login credentials) and read them. If you are like most of us and you sit at home and pick up your mail from your own ISP's servers, then this should be of less concern to you.

And #4 is about digitally signing - which I think I remember seeing in the preferences but was afraid to use because I don't know how it works and afraid that some people would not get my emails because they don't know how to receive them.

All that the signing does, I think, is to enable the recipient to verify the integrity of the messages (i.e., that they did not get altered enroute). My company uses some sort of MS-style message signing that I understand only vaguely. If I look at these messages from an incompatible client, I don't get the benefit of this check, but I do still get to see the message (altered or not).

Should I only read Email in plain text? Well, I already do because I choose an Email program that refuses to open HTML until I tell it to do so.

The evils of HTML mail are diluted somewhat by mail clients that don't load pictures, etc. by default. MS Outlook now provides this feature, as does Apple Mail (can't speak to any others). Of course, you can put evil stuff elsewhere than in scripts or image links -- you can put web bugs in stylesheet links, for example, and these may not get blocked from loading by the mail programs. I'm not a fan of HTML mail, for reasons aesthetic as well as technical, but the world has passed me by on this.

-- rick

[Miss Betsy]

According to my 'properties' I am using POP3 for my ISP account. but for the hotmail webmail download, it is HTTP. I don't see any options where I could change it. And no, on hotmail, after I log in using the browser, there is no https. Wow!

And, occasionally, I have checked my email on hotel computers! Wow, again!

That really ticks me off that hotmail asks me every so often to do one of those squiggly letter/number things. They wouldn't have to do that if they used minimum security, would they?

No wonder that the 419 scammers can send email so easily from 'free' email services! I have received, in succession, 4 to 5 419 scams per day, first from hotmail, then from gmail, now from yahoo, in my one account that is 'out there' (probably more except the rest are filtered out).

There is no one you can trust online, is there? Except I do trust Wazoo even though I don't know his real name.

Miss Betsy

[Farelf]

...I'm not a fan of HTML mail, for reasons aesthetic as well as technical, but the world has passed me by on this.

The ASCII Ribbon Campaign and other sources suggest you are not entirely isolated on that Rick. And I certainly remember, with horror, the year HTML went rampant. I can't remember the actual year number, but I distinctly remember an annual business trip to the nether regions of the globe when my trusty little Cassiopeia palm-top could suddenly only read no more than maybe 10% of my email - when the year before it could read it all. Mr Bill Gates become my greatest enemy from that time. Unfortunately, he seems not yet to have noticed.