The central email security issue is that there is no security at all:
- It is trivial to forge an email header (the part which shows who the sender of the email was).
- It is also easy for an email to be read while it is in transit to someone else, so be assured that government agencies are reading email messages.
- It is possible to alter the content of an email after it has been sent. This needs more technical skill, but in principle it is entirely possible.
There are methods to stop the above issues from being a problem: you can use electronic signatures to authenticate that emails come from you, and encrypt emails so that only the intended recipient can read them.
Stopping email from being altered once sent
A further email security issue is that email can be altered once it has been sent. Commercial email systems, for example Lotus Notes, do not suffer from this problem: the email software checks the sender of every message and also checks whether the email has been altered since it was sent. The same protection can be had with web mail simply by installing a digital certificate on your PC. The digital signature shows the author of the email and whether it has been changed. The digital certificate can also be used to encrypt the email so that only the recipient can read it. What a digital certificate does is prove that you are who you say you are.
Forging of a return address
Email security is compromised by the forging of a return address. This takes a few seconds with the right software and requires no technical know-how: most email clients will allow you to change the email address of the sender.
There are two different standards which can be used: S/MIME digital certificates or PGP. A digital certificate is composed of two parts, a public key and a private key. These two keys work together to solve the email security issue of a faked reply-to address. This is done by attaching a digital signature to the email; the receiver of the email then verifies the certificate. The digital signature is created automatically by the email software using the private key. It works because that signature can only be generated with the private key. Currently the S/MIME standard is supported by Mozilla/Thunderbird and Outlook Express; the Eudora package supports both PGP and S/MIME.
With these keys the message can also be encrypted, so that it cannot be read in transit. One thing to consider, though, is that by encrypting your email you are signalling to any third party who may be monitoring that the email is of interest, as the majority of email traffic goes through in unencrypted form. To encrypt a message to someone you need their public key, which is easy to obtain, as you automatically receive it when someone sends you a message carrying their digital signature.
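As an added example (not from the original article), the following shell script walks through the mechanics just described using the openssl command line: a self-signed S/MIME certificate whose private key is protected by a passphrase, a signed message, verification that succeeds on the original and is rejected once the text has been edited in transit, and encryption to the recipient's public certificate followed by decryption with the private key. The address alice@example.test, the message text and the passphrase are all constructed for the demo, and a real certificate would be issued by a CA rather than self-signed.

```shell
#!/bin/sh
# Added example (not part of the original article): S/MIME signing, tamper
# detection and encryption with the openssl command line. Assumes a POSIX
# shell and an openssl binary. Certificate, message and passphrase are
# constructed for the demo; a real certificate would come from a CA.
set -eu

WORK="$(mktemp -d)"
PASS="correct-horse-battery-staple"   # constructed passphrase protecting the private key

# Self-signed certificate for the constructed address. The private key is
# written encrypted under PASS, so a copied alice.key is useless on its own.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -days 30 \
    -subj "/CN=alice@example.test" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.crt" \
    -passout "pass:$PASS" >/dev/null 2>&1
}

# Clear-signed message (multipart/signed): body stays readable, signature is detached.
sign_message() {   # $1 = plaintext file, $2 = signed message out
  openssl smime -sign -in "$1" -out "$2" \
    -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" -passin "pass:$PASS"
}

# Verify the signature against the trusted certificate; prints ok or rejected.
verify_message() {   # $1 = signed message
  if openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
       -out /dev/null >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

# Simulate alteration in transit: edit the clear-text body after signing.
tamper() {   # $1 = signed message, $2 = altered copy out
  sed 's/100 EUR/900 EUR/' "$1" > "$2"
}

# Encrypt to the recipient's public certificate; only the private key can open it.
encrypt_message() {   # $1 = plaintext file, $2 = encrypted message out
  openssl smime -encrypt -aes256 -in "$1" -out "$2" "$WORK/alice.crt"
}

decrypt_message() {   # $1 = encrypted message, $2 = plaintext out
  openssl smime -decrypt -in "$1" -out "$2" \
    -recip "$WORK/alice.crt" -inkey "$WORK/alice.key" -passin "pass:$PASS"
}

# Does the key file refuse to load without the right passphrase?
key_locked() {
  if openssl pkey -in "$WORK/alice.key" -passin "pass:wrong" -noout >/dev/null 2>&1
  then echo no; else echo yes; fi
}

run_demo() {
  make_cert
  printf 'Please transfer 100 EUR to account 12345.\n' > "$WORK/msg.txt"   # constructed
  sign_message "$WORK/msg.txt" "$WORK/signed.eml"
  tamper "$WORK/signed.eml" "$WORK/tampered.eml"
  encrypt_message "$WORK/msg.txt" "$WORK/encrypted.eml"
  decrypt_message "$WORK/encrypted.eml" "$WORK/decrypted.txt"
  # openssl's text mode canonicalises line endings to CRLF, so strip CR before comparing.
  if tr -d '\r' < "$WORK/decrypted.txt" | cmp -s - "$WORK/msg.txt"
  then roundtrip=match; else roundtrip=differ; fi
  printf 'original=%s tampered=%s decrypted=%s key_locked=%s\n' \
    "$(verify_message "$WORK/signed.eml")" \
    "$(verify_message "$WORK/tampered.eml")" \
    "$roundtrip" "$(key_locked)"
}

run_demo
```

Running it prints `original=ok tampered=rejected decrypted=match key_locked=yes`: the signature covers the message body, so changing a single figure after signing makes verification fail, and the encrypted copy can only be opened with the private key plus its passphrase. Passing the passphrase as `pass:` on the command line is done here only to keep the demo non-interactive; a mail client prompts for it instead, which is what keeps the password off the disk.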
Where do I get a digital certificate?
Digital certificates are issued by a certificate authority (e.g. http://www.cacert.org/). The certificate is tied to a specific email address and is only sent to that particular address, so you need to control the address you want to send and receive email from.
Where are the weaknesses of the digital key system?
- Someone can steal the private key from your PC. This can be done either by physically removing the hard drive from your computer and reading it, or by installing spyware on your machine which takes the key. It is best to password-protect the private key so that even if the key file is taken it cannot be read. Note also that the password should not be stored on the computer, otherwise the password is pointless.
- It is possible that the certificate provider could give enough information about the certificate to compromise its security to certain parties, e.g. a government which may compel them; alternatively there could simply be a flaw in the algorithm which produces the certificate that leaves it open to being cracked. This is why it may be more useful to use Pretty Good Privacy, as in that case the certificate is created by oneself.
- By putting a digital signature on an email, the email gains much more authority and trust, so people will be less likely to think it is a forgery. Thus if the certificate is lost there is a problem, as people who would otherwise have questioned an unusual email from you will now tend to trust it more. So if a certificate is compromised it is best to start with a new one.
- Your public key could be intercepted and replaced with another public key to which someone else holds the private key. This means that as long as someone can intercept your external emails, they can receive emails addressed to you which the sender assumes are encrypted with your public key, when really it is someone else's public key.
- This does not solve the problem of sending anonymous emails, as the communication itself is still visible even if the message content is not. This is less an email security issue and more a privacy issue.
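The public-key substitution weakness above is the one a recipient can actually check for, and the usual defence is to pin the fingerprint of the certificate learned on first contact (or confirmed out of band) and compare every later certificate against it. The script below is an added example, not the article's own material: it generates a genuine key pair and a second, substituted key pair carrying exactly the same name, records the genuine certificate's SHA-256 fingerprint, and shows that the name alone cannot tell them apart while the pin can. It assumes a POSIX shell and an openssl binary; alice@example.test and both certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original article): detecting a substituted
# public key by pinning the certificate fingerprint learned on first contact.
# Assumes a POSIX shell and an openssl binary; both certificates are
# constructed here, and alice@example.test is a made-up address.
set -eu

WORK="$(mktemp -d)"

# Self-signed certificate with the SAME subject for whichever key pair we
# generate: the name on a certificate proves nothing about who holds the key.
new_selfsigned() {   # $1 = file stem
  openssl req -x509 -newkey rsa:2048 -days 30 -nodes \
    -subj "/CN=alice@example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

subject() {       # printable subject name of a certificate
  openssl x509 -in "$1" -noout -subject
}

fingerprint() {   # SHA-256 fingerprint of the certificate, colon-separated hex
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare a received certificate against the fingerprint recorded earlier
# (out of band or on first contact); prints pinned or mismatch.
check_pin() {     # $1 = pin file, $2 = received certificate
  if [ "$(cat "$1")" = "$(fingerprint "$2")" ]
  then echo pinned; else echo mismatch; fi
}

run_demo() {
  new_selfsigned alice      # the genuine key pair
  new_selfsigned impostor   # a second key pair presented under the same name
  fingerprint "$WORK/alice.crt" > "$WORK/alice.pin"   # recorded on first contact

  if [ "$(subject "$WORK/alice.crt")" = "$(subject "$WORK/impostor.crt")" ]
  then same=yes; else same=no; fi
  printf 'same_subject=%s genuine=%s substituted=%s\n' "$same" \
    "$(check_pin "$WORK/alice.pin" "$WORK/alice.crt")" \
    "$(check_pin "$WORK/alice.pin" "$WORK/impostor.crt")"
}

run_demo
```

It prints `same_subject=yes genuine=pinned substituted=mismatch`. A mail client that stores the fingerprint of each correspondent's certificate and warns when a new one arrives under the same address gives the same protection; for PGP the equivalent is comparing key fingerprints over a second channel before trusting a key that arrived by email.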