Encrypted Email

Old 03-14-2009, 02:37 PM
  #1  
Senior MemberCaptains Club MemberPLEDGER
Thread Starter
 
Join Date: Dec 2004
Location: Not in Texas
Posts: 10,213
Likes: 0
Received 6 Likes on 4 Posts
Default Encrypted Email

I'm thinking about taking internet security to the next level -- I know there are a couple IT folks here, maybe we can get some info and suggestions on encrypting email. I've been looking into it, nothing about it appears clear except that it is supposed to be easy to do.

Anyone here using encryption for their personal email?

Any suggestions for freeware email encryption applications?

Anyone have experience with Thawte?

http://www.thawte.com/secure-email/p...dTo-SecureMail



On a side note, I'm becoming less and less enchanted with anything/everything Google. Recently started using ixquick for my search engine, so far no complaints except the change over from what I was used to with Google.

http://www.ixquick.com

I really need to get away from Gmail -- I noticed it automatically downloads an email attachment BEFORE the email is ever sent. So if you attach the wrong document and remove it before sending, TOO LATE, Google already copied it in their vast and growing database of all information about all people.
Old 03-14-2009, 05:00 PM
  #2  
gf
Senior MemberCaptains Club MemberPLEDGER
 
Join Date: Feb 2001
Location: North of Boston
Posts: 13,515
Received 489 Likes on 328 Posts
Default

I could tell you a lot, but then I would have to kill you. Just kidding!

Or, I could tell you a lot, but I usually get $150 an hour.

Sending encrypted email is not a 1 way trip, you can only send encrypted email to people who are prepared to receive encrypted email from you.

Microsoft Outlook offers encryption out of the box but like any truly encrypted email, it requires you and the recipient to send each other a digitally signed message, which enables you to add the other person's certificate to your Contacts. Once both parties have shared certificates, sending and viewing encrypted e-mail messages between them is the same as with any other e-mail messages.

There are several companies that offer email encryption solutions. You may want to read this document to learn more:

http://download.entrust.com/resource...ecurity_wp.pdf

This is another good article related to Outlook:
http://www.robkerr.com/post/2008/04/...for-free!.aspx
Old 03-14-2009, 05:15 PM
  #3  
Joe
Senior MemberCaptains Club Member
 
Join Date: Mar 2001
Location: Libertalia
Posts: 17,423
Received 1,407 Likes on 795 Posts
Default

For true security, you either need a PKI key, or to leave the email on a trusted/secured server and have the respondent read that email on an encrypted connection on the server you secured.

Sending it is inherently insecure; you can't secure it.
Old 03-14-2009, 05:52 PM
  #4  
Senior MemberCaptains Club MemberPLEDGER
Thread Starter
 
Join Date: Dec 2004
Location: Not in Texas
Posts: 10,213
Likes: 0
Received 6 Likes on 4 Posts
Default

Thanks for the replies, gf and Joe. From what I have read, a PKI is necessary for sending and receiving encrypted emails, similar to how wi-fi encryption works, if I understand it correctly.

What is not clear, maybe you guys know ... Do the sending party and the receiving party have to use the same encryption software? Or can they use different email encryption applications as long as the appropriate "key" is used when sending -- like diff computers using diff wi-fi applications using the same key to connect to the same wi-fi point?

Fwiw, Outlook is not even a consideration, not going there, won't even allow it to be installed on a computer I own. Neither is Google's Gmail encryption a consideration.
Old 03-14-2009, 06:09 PM
  #5  
Joe
Senior MemberCaptains Club Member
 
Join Date: Mar 2001
Location: Libertalia
Posts: 17,423
Received 1,407 Likes on 795 Posts
Default

I imagine there is a PKI that is usable for different email packages, although that seems like a lot of work to go through, ie matching keys, sending keys, verification of sent keys, etc.

Again...sending the email is inherently insecure. You have no control over routers, switches, ie the routes etc that it goes through to get to your recipient.

You need to keep it local to truly have control over it. Allowing the recipient to view the email on an encrypted link, on your server, is the best way to go. You're just sending a link to them in an email, that only they can open (from only one IP address) so they can view the email.

And even at that..once they open the link...the email is no longer secure if you can not verify their network.

Analogy: Think of leaving the email on your FTP server that you have sent the recipient a one time use only username and password to what you want them to retrieve.

Last edited by Joe; 03-14-2009 at 06:13 PM.
Old 03-14-2009, 06:28 PM
  #6  
Senior MemberCaptains Club MemberPLEDGER
Thread Starter
 
Join Date: Dec 2004
Location: Not in Texas
Posts: 10,213
Likes: 0
Received 6 Likes on 4 Posts
Default

I like that idea but it seems like a lot of work. I understand what you mean about sending email being the weak link. I'm thinking it is only a problem if someone is targeting me, looking specifically for my email for a nefarious reason. Also not worried about the govt, thinking they have the resources to decrypt anything they ever want to. As one website article put it, it'll be a lot of work and resources to get a chocolate chip cookie recipe.

I'm just concerned with keeping personal stuff personal, making it not desirable for casual 3rd party review. There is a reason why medical professionals do not send confidential patient info via encrypted email -- even encrypted email is not secure. I guess that is part of the new fed budget, money being allocated to figure out how to confidentially exchange medical data.
Old 03-14-2009, 06:45 PM
  #7  
Joe
Senior MemberCaptains Club Member
 
Join Date: Mar 2001
Location: Libertalia
Posts: 17,423
Received 1,407 Likes on 795 Posts
Default

What I described is how medical emails with PHI are sent.

Sending PHI over encrypted links is a whole other thing.
Old 03-14-2009, 06:55 PM
  #8  
Senior MemberCaptains Club MemberPLEDGER
 
Join Date: Oct 2004
Location: North Myrtle Beach SC
Posts: 8,045
Likes: 0
Received 2 Likes on 2 Posts
Default

We obviously use digitally signed and encrypted e-mail, but for you, it may be easier to send a document and encrypt that with a password. We have a chip in our card that identifies us, called a CAC, and it also holds our certs. It gets complicated.
Old 03-14-2009, 07:23 PM
  #9  
Senior MemberCaptains Club MemberPLEDGER
Thread Starter
 
Join Date: Dec 2004
Location: Not in Texas
Posts: 10,213
Likes: 0
Received 6 Likes on 4 Posts
Default

Joe - what is PHI?

Kingair - 'brains' uses same kind of fancy encryption where she works, uses certificates that change every few minutes -- not cheap, not simple, not something I am interested in. I just want to keep Google from selling ads targeting me. But whatever scheme needs to be simple, easy to use.

As far as sending encrypted documents, I know about that but there is nothing going on in my life that requires that level of security. The chocolate chip cookie recipe isn't that 'sensitive'.

Instead of sending an encrypted document, you would be better off sending a directory that is encoded with cascading encryption algorithms and plausible deniability built in that contains the sensitive document. No way to tell if there is even a document in the directory, no way to tell where a document starts or finishes, no way to know its size, no way to know if there is plausible deniability (decoy), no way to know if you are looking into or past the deniability -- could spend years chasing a dead end. And we haven't even talked about the computing power necessary to crack a single layer of encryption, and no way to know when you cracked it because when it is cracked all you get is scrambled data, the next layer of encryption. Methinks someone in the govt will say "screw this! Go get Eyeball and toss his ass into Gitmo. We'll get it out of him."
Old 03-14-2009, 07:41 PM
  #10  
Senior MemberCaptains Club MemberPLEDGER
 
Join Date: Oct 2004
Location: North Myrtle Beach SC
Posts: 8,045
Likes: 0
Received 2 Likes on 2 Posts
Default

Originally Posted by Eyeball
Joe - what is PHI?

Kingair - 'brains' uses same kind of fancy encryption where she works, uses certificates that change every few minutes -- not cheap, not simple, not something I am interested in. I just want to keep Google from selling ads targeting me. But whatever scheme needs to be simple, easy to use.

As far as sending encrypted documents, I know about that but there is nothing going on in my life that requires that level of security. The chocolate chip cookie recipe isn't that 'sensitive'.

Instead of sending an encrypted document, you would be better off sending a directory that is encoded with cascading encryption algorithms and plausible deniability built in that contains the sensitive document. No way to tell if there is even a document in the directory, no way to tell where a document starts or finishes, no way to know its size, no way to know if there is plausible deniability (decoy), no way to know if you are looking into or past the deniability -- could spend years chasing a dead end. And we haven't even talked about the computing power necessary to crack a single layer of encryption, and no way to know when you cracked it because when it is cracked all you get is scrambled data, the next layer of encryption. Methinks someone in the govt will say "screw this! Go get Eyeball and toss his ass into Gitmo. We'll get it out of him."


I get about 20 "junk" e-mails a day, and I am sure they are from THT. I don't go anywhere else.
Old 03-14-2009, 08:13 PM
  #11  
Joe
Senior MemberCaptains Club Member
 
Join Date: Mar 2001
Location: Libertalia
Posts: 17,423
Received 1,407 Likes on 795 Posts
Default

Originally Posted by Eyeball
Joe - what is PHI?

Kingair - 'brains' uses same kind of fancy encryption where she works, uses certificates that change every few minutes -- not cheap, not simple, not something I am interested in. I just want to keep Google from selling ads targeting me. But whatever scheme needs to be simple, easy to use.

As far as sending encrypted documents, I know about that but there is nothing going on in my life that requires that level of security. The chocolate chip cookie recipe isn't that 'sensitive'.

Instead of sending an encrypted document, you would be better off sending a directory that is encoded with cascading encryption algorithms and plausible deniability built in that contains the sensitive document. No way to tell if there is even a document in the directory, no way to tell where a document starts or finishes, no way to know its size, no way to know if there is plausible deniability (decoy), no way to know if you are looking into or past the deniability -- could spend years chasing a dead end. And we haven't even talked about the computing power necessary to crack a single layer of encryption, and no way to know when you cracked it because when it is cracked all you get is scrambled data, the next layer of encryption. Methinks someone in the govt will say "screw this! Go get Eyeball and toss his ass into Gitmo. We'll get it out of him."

PHI=Protected Health Information

I'm telling you...if you want to encrypt, keep it local.
Old 03-14-2009, 10:09 PM
  #12  
Senior MemberCaptains Club MemberPLEDGER
Thread Starter
 
Join Date: Dec 2004
Location: Not in Texas
Posts: 10,213
Likes: 0
Received 6 Likes on 4 Posts
Default

Originally Posted by Joe
PHI=Protected Health Information

I'm telling you...if you want to encrypt, keep it local.

I like the idea but keeping it on my own server has its own security problems, creates a bigger target for nefarious people to hit on. And it costs money.

I wanted something that would be immediately unreadable to any casual review by someone not intended to receive the email. The idea of getting everyone involved in PKIs is going to be challenging enough.

Thanks for your inputs. I really appreciate them.
Old 03-15-2009, 05:17 AM
  #13  
Senior MemberCaptains Club Member
 
Join Date: Feb 2003
Posts: 24,905
Likes: 0
Received 1,165 Likes on 661 Posts
Default

Sorry guys, but I just have to.

Originally Posted by kingair


I get about 20 "junk" e-mails a day, and I am sure they are from THT. I don't go anywhere else.

Steve that's because you visit Midget Porn sites.
Old 03-15-2009, 02:43 PM
  #14  
Senior MemberCaptains Club MemberPLEDGER
Thread Starter
 
Join Date: Dec 2004
Location: Not in Texas
Posts: 10,213
Likes: 0
Received 6 Likes on 4 Posts
Default

Been reading more about the PKI scheme for secure email -- it works the same as SSL when using a credit card to order online. Once you have the public and private 'keys' anyone can use an application to send/receive secure email.

For anyone using Mozilla's Thunderbird email application, there is an addon to use PKIs with email. For folks using Outlook (you really shouldn't) the ability to use PKIs is already embedded. For folks using Apple's, you're on your own to figure out how to get something done -- but as an Apple owner you already knew that.

One benefit of secure email I had not considered also addresses my greatest emailing fear -- realizing I selected the wrong email address from the address book AFTER hitting the [send] button. Oops.
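
Added example, not part of any post in this thread: the certificate exchange gf describes in post #2 (send a signed message, save the sender's certificate, then encrypt to it), run with the openssl command line standing in for a mail client. S/MIME is a standard message format, so the sending and receiving applications do not have to match, which is the question raised in post #4. The names alice, bob and carol, the example.com addresses and the messages are constructed, and the certificates are self-signed throwaways.

```shell
#!/bin/sh
# Added example: S/MIME certificate exchange and encryption with the openssl CLI.
# All names, addresses and messages are constructed; certs are self-signed throwaways.
set -e
WORK=$(mktemp -d)

make_identity() {  # $1 = name; creates $WORK/$1.key and $WORK/$1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$1@example.com" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 1: the sender signs a message; the signature carries the sender's certificate.
send_signed() {  # $1 = signer, $2 = output file
  printf 'hello, here is my certificate\n' |
    openssl smime -sign -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$2"
}

# Step 2: the receiver checks the signature and saves the embedded certificate
# (the "add to Contacts" step). -noverify skips CA chain checking only, because
# these certs are self-signed; a real client would validate the chain.
save_cert_from() {  # $1 = signed mail, $2 = where to store the cert
  openssl smime -verify -noverify -in "$1" -signer "$2" -out /dev/null 2>/dev/null
}

# Step 3: encrypt to the saved certificate; only the matching private key decrypts.
encrypt_to() {  # $1 = recipient cert, $2 = plaintext, $3 = output file
  printf '%s' "$2" | openssl smime -encrypt -binary -aes256 -out "$3" "$1"
}
decrypt_as() {  # $1 = identity name, $2 = encrypted mail
  openssl smime -decrypt -in "$2" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

make_identity alice; make_identity bob; make_identity carol
send_signed alice "$WORK/signed.eml"                           # alice -> bob
save_cert_from "$WORK/signed.eml" "$WORK/alice_contact.crt"    # bob saves her cert
encrypt_to "$WORK/alice_contact.crt" "cookie recipe" "$WORK/secret.eml"  # bob -> alice

decrypt_as alice "$WORK/secret.eml"; echo
decrypt_as carol "$WORK/secret.eml" || echo "carol: cannot decrypt"
```

The sender never needs the recipient's private key, only the certificate taken from an earlier signed message; anyone else who obtains `secret.eml` sees only the encrypted body.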
