Security Basics mailing list archives
RE: Securing Email
From: krymson () gmail com
Date: 26 Dec 2007 15:06:38 -0000
Oh, such a gloriously big and incomplete topic! First, I have to soapbox just a moment...

<soapbox>
SMTP is old and insecure and needs to die. Our 'solutions' to email security are always messy band-aids. This protocol should really be dead already in favor of IM-based or SMS types of communications... That or email should never be used for anything confidential/sensitive, at all.
</soapbox>

Ok, that's out of the way.

I feel there are three types of email security topics:

I) Email at rest (i.e. in your Exchange server stores or client app stores)
II) Email checking from a client app <-> server app
III) Message encryption

I'm going to assume you are talking about III: Message encryption. This means if someone intercepts the email, they can't read it. In fact, any mail servers in between the source and destination won't even be able to read anything beyond the headers. Good stuff! And the stuff of good fluffy dreams for us IT geeks.... *sigh*

There are two types of solutions to this problem.

1) User encryption/decryption of the message
2) Server/appliance that does this for you

1) User encryption/decryption is typically done with gnupg/pgp encryption. Hopefully I'm sure we're all aware of the challenges with this method, namely key management, user training, and overhead on the client app side, both your own users and those of your recipients. If this email is all internal to your company, this might be manageable. If this is communications outside your company, this can be a nightmare unless your recipients also use and are familiar with this subject. Any IT admin who has had to deal with corporate mail encryption knows the frustrations of getting users to understand how this works and dealing with key management...ick.

2) Server/appliance email encryption solutions are misleading. They like to tout that your message is never decrypted until the recipient reads it, which is true. What they don't like to say is that the recipient needs to create an account/password and log into the server's web portal to get the email. They can't retrieve it using their own mail server or client. This is annoying and terrible...but that's what we get with SMTP band-aids.

My company uses a Zix service [1] for email encryption. While this likely works great if your target company also uses Zix (they can talk to each other, I believe), when you're trying to send encrypted mail to some other user, say JohnDoe () blahblahblah com, John Doe will get a note saying he has a message waiting for him on the Zix service. He then has to go to the Zix web site, log in, and retrieve the message. Annoying, yes, but it does allow you to hit the checkmark for encryption of confidential email when needed...just put "ENCRYPT" in the subject line and it heads into Zix...

[1] http://www.zixcorp.com/

<- snip ->

By secure I mean the message itself being encrypted. However, I don't think we'll be able to do anything as straightforward as a desktop-to-desktop solution because of email archival on Exchange that needs to happen before the message gets encrypted.

On 12/21/07, JD Brown <jd.brown (at) smallenoughtocare (dot) com [email concealed]> wrote:
Hi list, I would like to get some suggestions regarding products out
there to secure email. Preferably, I'd like to see an appliance that
could make the process as transparent as possible to the user. Any
input would be greatly appreciated.
Thanks,
JDB