Home page logo

basics logo Security Basics mailing list archives

RE: Securing Email
From: krymson () gmail com
Date: 26 Dec 2007 15:06:38 -0000

Oh, such a gloriously big and incomplete topic! First, I have to soapbox just a moment...

SMTP is old and insecure and needs to die. Our 'solutions' to email security are always messy band-aids. This protocol 
should really be dead already in favor of IM-based or SMS types of communications...  That or email should never be 
used for anything confidential/sensitive, at all.

Ok, that's out of the way. I feel there are three types of email security topics:
I) Email at rest (i.e. in your Exchange server stores or client app stores)
II) Email checking from a client app <-> server app
III) Message encryption

I'm going to assume you are talking about III: Message encryption. This means if someone intercepts the email, they 
can't read it. In fact, any mail servers in between the source and destination won't even be able to read anything 
beyond the headers. Good stuff! And the stuff of good fluffy dreams for us IT geeks.... *sigh*

There are two types of solutions to this problem.
1) User encryption/decryption of the message
2) Server/appliance that does this for you

1) User encryption/decryption is typically done with gnupg/pgp encyrption. Hopefully I'm sure we're all aware of the 
challenges with this method, namely key management, user training, and overhead on the client app side, both your own 
users and those of your recipients. If this email is all internal to your company, this might be manageable. If this is 
communcitions outside your company, this can be a nightmare unless your recipients also use and are familiar with this 
subject. Any IT admin who has had to deal with corporate mail encryption knows the frustrations of getting users to 
understand how this works and dealing with key management...ick.

2) Server/appliance email encryption solutions are misleading. They like to tote that your message is never decrypted 
until the recipient reads it, which is true. What they don't like to say is that the recipient needs to create an 
account/password and log into the server's web portal to get the email. They can't retrieve it user their own mail 
server or client. This is annoying and terrible...but that's what we get with SMTP band-aids. My company uses a Zix 
service [1] for email encryption. While this likely works great if your target company also uses Zix (they can talk to 
each other, I believe), when you're trying to send encrypted mail to some other user, say JohnDoe () blahblahblah com, 
John Doe will get a note saying he has a message waiting for him on the Zix service. He then has to go to the Zix web 
site, log in, and retrieve the message. Annoying, yes, but it does allow you to hit the checkmark for encryption of 
confidential email when needed...just put "ENCRYPT" in the
  subject line and it heads into Zix...

[1] http://www.zixcorp.com/

<- snip ->

By secure I mean the message itself being encrypted. However, I don't think we'll be able to do anything as 
straightforward as a desktop-to-desktop solution because of email archival on Exchange that needs to happen before the 
message gets encrypted.

On 12/21/07, JD Brown <jd.brown (at) smallenoughtocare (dot) com [email concealed]> wrote:

Hi list, I would like to get some suggestions regarding products out

there to secure email. Preferably, I'd like to see an appliance that

could make the process as transparent as possible to the user. Any

input would be greatly appreciated.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]