A Fun Guide to Email Security And Why Emails Are Postcards
A Fun Guide to Email Security And Why Emails Are Postcards
Ever sent a postcard while on vacation? You know, those colorful rectangles with a pretty picture on one side and your hastily scribbled âWish you were here!â on the other? Emails, like postcards, are vulnerable to prying eyes.
Today, Iâd like to take you on a fun journey through the history of email, delve into the mysterious realms of S/MIME and PGP security, and uncover why, despite our technological marvels, email is still as secure as a paper airplane in a hurricane (looking at you, SMTP standard).
The Birth of Email: From Friendly Notes to Digital Postcards
Letâs hop into our time machine and set the dial to the early 1970s. The internetâs grandpa, ARPANET, was in its toddler years, and along came Ray Tomlinson, the man who revolutionized communication by sending the first electronic message. What did it say? Nothing profoundâjust âQWERTYUIOPâ or some gibberish like that. He was not aware that heâd opened Pandoraâs inbox.
Back then, the internet was small, and you knew your partners. Emails in plain text are simply no problem.
But then the internet got bigger. Suddenly, we had a global city with many people lurking around. Emails were still in plain text.
SMTP: The Postal Service That Time Forgot
The Simple Mail Transfer Protocol (SMTP), developed in 1982, is the core of email and has been the mailman on the job for decades. Reliable? Sure. Security-conscious? Not so much.
SMTP was designed without any built-in security features. It doesnât encrypt messages or verify sender identities. That was the problem engineers wanted to solve. So you needed an addon.
PGP and S/MIME
Engineers developed the two standards, PGP and S/MIME. The standards aim to bring confidentiality, integrity, and authenticity to email.
Pretty Good Privacy (PGP)
The well-known Phil Zimmermann introduced PGP in 1991, the âPretty Good Privacyâ standard. PGPâs implementation uses a hybrid approach, with private and public keys to encrypt and decrypt messages.
Setting up PGP can be complicated without good instructions. It involves generating keys, sharing them securely, and managing them carefully. Itâs powerful but user-friendly? Not exactly.
So, PGP uses this cool concept called the âWeb of Trustâ. Trust who you know. Thatâs basically how it works. To make your friend trusted, you will sign his key and acknowledge that he is legit.
You do not need a central authority. It doesnât cost a dime because there are open-source implementations. Itâs not all peer-to-peer, and so is the down-speed-to-peer. Itâs a bit chaotic. Itâs simply âPretty Good Unregulated.â To use it, you need to go to key signing parties. If you donât know many people in the network, itâs harder to establish trust.
The downer? Alice will not read the manual to use it. Itâs not like Microsoft Word; you start it and type your letter. It needs your activity and a âPretty Good Understandingâ of the concepts.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Around the same time, S/MIME stepped onto the scene. It also uses public key encryption but is built into many popular email clients like Outlook and Apple Mail. S/MIME is the fancy security system installed in your office building, with high-tech and seamless technology (when it works).
Again, we have two types of keys: public and private. They are bundled into a certificate about a person, including his email and much more info. It is also very technical and sets the constraints for secure communication based on the S/MIME certificate.
We learned about the âWeb of Trustâ in PGP. Now, S/MIME takes a different approach. Certificates are issued by a third party. You trust them because the DMV (a trusted authority) issued them. These authorities are the Certificate Authorities (CAs). They hand out certificates for individuals.
When you get an S/MIME certificate, you can ask the CA about its authenticity. So you see, S/MIME is about the certificate and many other background protocols. Itâs more structured than PGPâs Wild West approach. Big companies love it because itâs more manageable at scale.
There is also the option to hide the functionality and put it your communication through gateways that encrypt and decrypt the messages, handle S/MIME certificates, and also Pretty Good Privacy.
The catch of S/MIME? Youâre putting a lot of faith in these CAs. If a CA gets compromised (and it has happened), itâs a bouncer at a club starting to let in anyone with a fake ID. Not good.
PGP and S/MIME come with inconvenience, and humans love convenience more than security. Therefore, it requires a lot of discipline to act against this.
Thanks, SMTP! For Nothing!
Itâs been so many years, email is not fixed.
You canât simply change the building blocks of the email standard. So all todays solutions are additions to the traditional SMTP standard, and thatâs making SMTP much more complex.
SMTP doesnât encrypt messages by default, and it never will. Even if you connect to your email server securely (using protocols like TLS), once your email leaves that server, it travels in plain text unless youâve used end-to-end encryption like PGP or S/MIME.
Why Arenât We All Spies Yet?
So, if encryption is so great, why isnât everyone using it?
Setting up encryption is learning a new language. Most people throw in the towel before theyâve even started. âPublic keys? Private keys? Passphrases? Iâd rather just send the email!â
Encryption is a two-way street. Both sender and receiver need to be on board and set up. I have both S/MIME and PGP key material. So, if you send me emails on my private account, you could use all the fancy features. The big problem is that you need to have a PGP key or an S/MIME certificate in your pocket.
Keeping track of encryption keys takes a lot of work. If you lose the keys, no locksmith can help. Have you misplaced your private key? Say goodbye to accessing your encrypted emails ever again.
Try explaining to your grandma how to decrypt an email using PGP. You basically explain how to disarm a bomb over the phone. Not happening.
Some people think their emails are safe because they have a strong password. But they are on your hard disk. If you are not using additional hardware, your PGP key or S/MIME does the same, and they could easily be compromised.
The Security Theater
If we encrypt, we are not protected against new threats in the Cyberworld.
Our dear email system will continue to live based on the old standards. So, we patch one hole, and another one appears. Itâs exhausting, but itâs the truth of Cybersecurity.
The Final Words Of A Cybersecurity Guy
Even if email is not perfect, itâs here to stay. Of course, a lot of daily communication goes to messaging services, but formal email is still required.
An alternative to email would be the carrier pigeons. And they seem to be compromised by squirrels. đżď¸đŚ
Stay safe out there, and may your emails be as private as your diary under lock and key!