Is Your Email Private? - Part 3 of 3
By Michael Ameye
Posted Thursday, November 25, 2004
Online Secure Email providers, how they work and how they compare to PGP.
In Part 1 of Is Your Email Private, we covered the basics of most current email systems, including how they work and why they are not secure. We then started into the topic of encryption and provided a link to PGP (Pretty Good Privacy), considered by many to be the default standard for email encryption on the Internet.
In Part 2 of the series, we covered in more detail what PGP is and how to use it with your email client. Now we'll move on to online email services.
Over the past couple of years a new kind of secure, online email tool has become available. Companies like HushMail.com, MuteMail.com, S-mail.com, CeritfiedMail.com, and StrongPost.net offer products and services that combine strong encryption with easy-to-use web-based interfaces that allow anyone to send and receive secure email and attachments.
With these services, the encryption process is hidden from users, so working with public / private key management is a snap. And since they are web based, they can be accessed from any computer, anywhere in the world, that has an Internet connection and a browser.
So, how does it work? When a user first registers for the secure service, they are walked through a process that creates their key. Then, after logging into the secure site, they compose secure emails just like any other email message. The content of the message is then encrypted with their key and transferred over the Internet via a secure connection, just like the connections used on ecommerce sites. Here's the twist... a message is secure as long as it is sent to another user of the system. This is how these companies can provide "end to end" security for your email. If you send a message to someone outside the system, it is sent in plain ASCII text and can be compromised as if you didn't use a secure service at all.
However, this is just the flip side of PGP. With PGP you can send an encrypted email to a non-PGP user and the message is scrambled from "end to end"; however, it will probably be trashed by the recipient, since most users have no clue what to do with an encrypted message. At least with the online systems the recipient of your secure email can also sign up for the service and secure their communications without the learning curve of PGP.
One question you may be asking yourself is, "How secure is my key and my email if someone else controls the key creation process?" In other words, will the online service provider turn my email over to anyone in its unencrypted form? For most services, the key creation process relies on random data that you generate during the registration process. It is actually under your control and not the service provider's.
As for turning over your email... Read the user agreements for each service provider. I personally like the way HushMail.com states their policy:
"What if my message is subpoenaed? Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even Hush can access the encryption keys of individual users, in the case of a subpoena Hush would only be able to provide the encrypted (coded) version of the transmitted email."
In other words, yes, they would have to turn over your email if required by law, but it would be worthless since it would be in encrypted form. And since they don't know your key, they can't decrypt your messages.
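The two cases described above (mail inside the system versus mail sent outside it) and what a provider could actually hand over in each, as an added example that is not code from any of the providers named here. It assumes a simplified model: the user's public/private key pair is collapsed into one key derived from a passphrase the provider never sees, the cipher is a standard-library stand-in, and the addresses and message are constructed samples.

```python
import hashlib, hmac, os

MEMBERS = {"bob@secure.example"}            # constructed sample user directory
BODY = b"Account 4417, wire on Friday"      # constructed sample message

def derive_keys(passphrase: str, salt: bytes):
    """Runs on the user's machine; the provider never receives the passphrase."""
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]                   # encryption key, MAC key

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode), an assumption made so the
    # example needs only the standard library; a real service uses a vetted cipher.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(passphrase: str, body: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = _xor_stream(enc_key, nonce, body)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(passphrase: str, rec: dict) -> bytes:
    enc_key, mac_key = derive_keys(passphrase, rec["salt"])
    expected = hmac.new(mac_key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("wrong passphrase or modified record")
    return _xor_stream(enc_key, rec["nonce"], rec["ct"])

def provider_stores(recipient: str, body: bytes, passphrase: str, members: set) -> dict:
    """What ends up on the provider's disk for one message."""
    if recipient in members:
        return seal(passphrase, body)       # inside the system: ciphertext only
    return {"plaintext": body}              # outside the system: sent in the clear

def disclosure(record: dict) -> bytes:
    """Everything the provider could turn over: the stored bytes, no passphrase."""
    return b"".join(record[k] for k in sorted(record))
```

For a member recipient the disclosed bytes never contain the message; for an outside recipient they are the message itself.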
PGP - vs. - Online Secure Email
PGP
Pros - Local key control. Key size control. End to end encryption of email and attachments without going through a 3rd party.
Cons - Steep learning curve. Email recipients confused by encrypted messages. Encryption not available from every computer.
Online Secure Email
Pros - Easy to use. Available from any computer with an Internet connection. End to end encryption within the system. Secure file storage (most providers offer this service).
Cons - No key size control. No encrypted messages outside the system (however, some providers do provide PGP integration - still need to learn PGP).
With the proliferation of the Internet, online bill paying, and the transfer of personal or financial data across the web, it just makes sense to do everything in your power to protect your privacy. Considering how easy to use and effective PGP or online encryption can be, these services just may be the answer you're looking for to keep people out of your business - personal or otherwise.
All in all, for ease of use and easy access, I would suggest using one of the online secure email providers. Most offer basic service for free. Upgraded services and increased storage space can be had for a small monthly fee.
For more information on privacy issues and stopping SPAM, visit the Author's website
About the Author
Michael Ameye has been developing web sites since 1995. He started writing about online privacy issues to answer questions from family friends and co-workers. Visit (http://www.canyourspam.com) to see his latest work or sign up for PSS Online - a privacy, safety, and security ezine.