RE: Securing Email
From: krymson () gmail com
Date: 26 Dec 2007 15:06:38 -0000
Oh, such a gloriously big and incomplete topic! First, I have to soapbox just a moment...
SMTP is old and insecure and needs to die. Our 'solutions' to email security are always messy band-aids. This protocol
should really be dead already in favor of IM-based or SMS types of communications... That or email should never be
used for anything confidential/sensitive, at all.
Ok, that's out of the way. I feel there are three types of email security topics:
I) Email at rest (i.e. in your Exchange server stores or client app stores)
II) Email checking from a client app <-> server app
III) Message encryption
I'm going to assume you are talking about III: Message encryption. This means if someone intercepts the email, they
can't read it. In fact, any mail servers in between the source and destination won't even be able to read anything
beyond the headers. Good stuff! And the stuff of good fluffy dreams for us IT geeks.... *sigh*
There are two types of solutions to this problem.
1) User encryption/decryption of the message
2) Server/appliance that does this for you
1) User encryption/decryption is typically done with gnupg/pgp encryption. Hopefully I'm sure we're all aware of the
challenges with this method, namely key management, user training, and overhead on the client app side, both your own
users and those of your recipients. If this email is all internal to your company, this might be manageable. If this is
communications outside your company, this can be a nightmare unless your recipients also use and are familiar with this
subject. Any IT admin who has had to deal with corporate mail encryption knows the frustrations of getting users to
understand how this works and dealing with key management...ick.
2) Server/appliance email encryption solutions are misleading. They like to tout that your message is never decrypted
until the recipient reads it, which is true. What they don't like to say is that the recipient needs to create an
account/password and log into the server's web portal to get the email. They can't retrieve it using their own mail
server or client. This is annoying and terrible...but that's what we get with SMTP band-aids. My company uses a Zix
service for email encryption. While this likely works great if your target company also uses Zix (they can talk to
each other, I believe), when you're trying to send encrypted mail to some other user, say JohnDoe () blahblahblah com,
John Doe will get a note saying he has a message waiting for him on the Zix service. He then has to go to the Zix web
site, log in, and retrieve the message. Annoying, yes, but it does allow you to hit the checkmark for encryption of
confidential email when needed...just put "ENCRYPT" in the subject line and it heads into Zix...
<- snip ->
By secure I mean the message itself being encrypted. However, I don't think we'll be able to do anything as
straightforward as a desktop-to-desktop solution because of email archival on Exchange that needs to happen before the
message gets encrypted.
On 12/21/07, JD Brown <jd.brown (at) smallenoughtocare (dot) com [email concealed]> wrote:
Hi list, I would like to get some suggestions regarding products out
there to secure email. Preferably, I'd like to see an appliance that
could make the process as transparent as possible to the user. Any
input would be greatly appreciated.
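The subject-keyword gateway flow krymson describes ("put ENCRYPT in the subject line", recipient gets a note and picks the message up from a web portal), modelled as an added example. This is constructed Python using only the standard library, not Zix's product or anything posted on the list; the trigger word, the partner-domain list, the portal URL and the HMAC-signed pickup token are all assumptions made for the example.

```python
"""Toy model of a subject-triggered email encryption gateway.

Constructed example: the policy values, portal URL and token format are
assumptions, not any real product's configuration.
"""
import hashlib
import hmac
import secrets
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

TRIGGER = "ENCRYPT"                            # keyword users put in the subject (assumed)
PARTNER_DOMAINS = {"partner.example"}          # recipients whose own gateway can talk to ours (constructed)
PORTAL_URL = "https://portal.example/pickup"   # placeholder pickup site
GATEWAY_KEY = secrets.token_bytes(32)          # per-gateway secret for signing pickup tokens

# Messages parked until the recipient logs in. A real gateway encrypts this
# store at rest; here it is a plain dict so the flow can be run and inspected.
held_messages = {}


def parse_message(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def wants_encryption(msg):
    """The user-facing trigger: the keyword anywhere in the subject, case-insensitive."""
    return TRIGGER in (msg.get("Subject") or "").upper()


def recipient_domain(msg):
    _, addr = parseaddr(str(msg.get("To", "")))
    return addr.rpartition("@")[2].lower()


def route(msg):
    """Decide what the gateway does with an outbound message."""
    if not wants_encryption(msg):
        return "passthrough"   # plain SMTP delivery; every hop can read the body
    if recipient_domain(msg) in PARTNER_DOMAINS:
        return "gateway"       # both sides run a gateway, so deliver gateway-to-gateway
    return "portal"            # hold the message and send the recipient a pickup notice


def issue_token():
    """Random pickup id plus an HMAC tag, so the portal can reject forged or altered tokens."""
    ident = secrets.token_urlsafe(16)
    tag = hmac.new(GATEWAY_KEY, ident.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ident}.{tag}"


def verify_token(token):
    ident, _, tag = token.partition(".")
    expected = hmac.new(GATEWAY_KEY, ident.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(tag, expected)


def hold_for_portal(msg):
    """Park the original and build the notice the recipient gets instead of the message."""
    token = issue_token()
    held_messages[token] = msg
    notice = EmailMessage()
    notice["From"] = str(msg["From"])
    notice["To"] = str(msg["To"])
    notice["Subject"] = "You have a secure message waiting"
    notice.set_content(
        "A message has been sent to you through the secure mail portal.\n"
        f"Log in at {PORTAL_URL}?token={token} to read it.\n"
        "The message content is not included in this notification.\n"
    )
    return token, notice


def process(raw):
    """One gateway step: returns (route, message that actually leaves, pickup token or None)."""
    msg = parse_message(raw)
    decision = route(msg)
    if decision == "portal":
        token, notice = hold_for_portal(msg)
        return decision, notice, token
    return decision, msg, None


def pickup(token):
    """Portal side: release the held message only for a token this gateway issued."""
    if not verify_token(token):
        return None
    return held_messages.get(token)


if __name__ == "__main__":
    # Constructed sample message; the address form matches the one in the post.
    sample = (b"From: alice@example.com\nTo: JohnDoe@blahblahblah.com\n"
              b"Subject: ENCRYPT quarterly numbers\n\nThe numbers are attached.\n")
    decision, outbound, token = process(sample)
    print(decision)                       # portal
    print(outbound.get_content())         # the notice, with no original body text
    print(pickup(token).get_content())    # the held original, released on a valid token
```

Note what the model makes visible: the original message reaches the gateway in cleartext, so the sender's own mail server (the Exchange archive in the quoted question) sees it unencrypted, and the recipient never receives the content over SMTP at all, only a notice with a pickup link. Those two properties are exactly the convenience and the annoyance the post describes.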