I know business people who work overseas or who send email about confidential business matters using “secure” email.
In fact, I wrote once about a service I’d heard about…
Recently I received an email from an information security person who believes these services really aren’t secure.
Here’s part of what they wrote – and I pass it along for your information:
The https protocol (SSL) is not secure; it can be broken by a man-in-the-middle attack. A company can silently snoop at their firewall, or a government at the local ISP on-ramp to the Net.
One would need to use PGP-secured email from end-to-end for actual security.
So if you depend on email for confidential transmissions, you may want to look into this further.
Here’s one article I found about what is called SSL scanning.
Tim McCormack on January 29th, 2008 at 11:21 pm
Email is not transmitted over https. That’s only for websites. Of course, if you use a website like KeptPrivate.com and it sends and receives the email for you, then https is indeed relevant.
SSL/TLS is not subject to MitM attacks. (SSL v2 was, but that’s disabled by default in modern browsers.) A company could only stage a MitM attack by replacing the browser’s root authority files.
Indeed, after reading a little on how WebWasher works, I found this:
“Webwasher re-encrypts the traffic using either the customer company’s certificate or a self-signed certificate with the common name of the web server.”
So use Portable Firefox and you don’t have to worry about SSL scanning. Of course, if you’re worried what other kinds of snoopware your company might have installed on your computer, such as keyloggers, you probably shouldn’t do *anything* confidential on that machine.
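The WebWasher quote in this comment describes the two certificates a re-encrypting proxy can hand your browser: one signed by the company’s own CA, or a self-signed one carrying the web server’s name. Here is an added example (not code from the original post or from any commenter) of how to tell either apart from a genuine certificate using what Python’s `ssl.getpeercert()` returns. It assumes you have recorded, from a network you trust, the issuer name and SHA-256 fingerprint your webmail provider really presents; the hostnames, CA names and fingerprints below are constructed for the demonstration.

```python
"""Spot a re-encrypting ("SSL scanning") proxy from the certificate it presents.

Added example, not code from the original post. The expected issuer and
fingerprint, and the sample certificates, are constructed for the demo.
"""
import hashlib
import socket
import ssl


def name_to_dict(rdns):
    """Flatten the tuple-of-tuples name format used by ssl.getpeercert()."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def classify(cert, expected_issuer_cn, expected_sha256=None):
    """Compare a getpeercert()-shaped dict against values pinned from a trusted network.

    Order of checks: a self-signed leaf (subject == issuer) is the crudest proxy
    behaviour; an unexpected issuer is the corporate-CA case; a changed
    fingerprint under the right issuer may be ordinary rotation, so it is
    flagged but not called interception.
    """
    subject = name_to_dict(cert["subject"])
    issuer = name_to_dict(cert["issuer"])
    if subject == issuer:
        return "intercepted: self-signed certificate for %s" % subject.get("commonName")
    if issuer.get("commonName") != expected_issuer_cn:
        return "intercepted: issuer %r is not the expected %r" % (
            issuer.get("commonName"), expected_issuer_cn)
    if expected_sha256 and cert.get("sha256") != expected_sha256:
        return "changed: issuer matches but the leaf fingerprint differs; re-pin only after checking out of band"
    return "ok: certificate matches the pinned issuer%s" % (" and fingerprint" if expected_sha256 else "")


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the live server certificate as a dict, plus its SHA-256 fingerprint.

    Uses the system trust store; if a proxy re-signs traffic with a root the
    machine does not trust, wrap_socket() raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = dict(tls.getpeercert())
            der = tls.getpeercert(binary_form=True)
            cert["sha256"] = hashlib.sha256(der).hexdigest()
            return cert


# Constructed sample certificates (hostname, CA names and fingerprints are made up).
EXPECTED_ISSUER_CN = "Example Public CA G2"
EXPECTED_SHA256 = "a" * 64

GENUINE = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
    "sha256": "a" * 64,
}
# "a self-signed certificate with the common name of the web server"
PROXY_SELF_SIGNED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "mail.example.com"),),),
    "sha256": "b" * 64,
}
# "the customer company's certificate"
PROXY_CORP_CA = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Acme Corp"),),
               (("commonName", "Acme Corp Web Gateway CA"),)),
    "sha256": "c" * 64,
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check through whatever network you are on
        live = fetch_peer_cert(sys.argv[1])
        print("live issuer:", name_to_dict(live["issuer"]), "sha256:", live["sha256"])
    for label, cert in [("genuine", GENUINE),
                        ("self-signed proxy", PROXY_SELF_SIGNED),
                        ("corporate CA proxy", PROXY_CORP_CA)]:
        print("%-20s %s" % (label, classify(cert, EXPECTED_ISSUER_CN, EXPECTED_SHA256)))
```

Run it with a hostname as argument to print the issuer and fingerprint actually seen from the current network. If the company has not installed its root on the machine, `create_default_context()` refuses the handshake outright, which is itself the tell; if it has (the replaced browser root files this comment mentions), the handshake succeeds and only the issuer or fingerprint comparison against your out-of-band record will catch it.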
Rick on February 21st, 2008 at 5:32 pm
Tim is correct: a secure website will use SSL3, but a secure email server will usually use TLS. So SSL is relevant to webmail but not to POP/IMAP. Either should put MitM attacks out of reach of any but the TLAs. However, most email services do not use these.
Much more information, including comparisons of various secure email providers can be found at http://www.novo-ordo.com.