Thursday, April 1, 2010

Protecting Your Email

As I blogged last week, email in the corporate setting is extremely vulnerable to being read by others. Although a typical company Email Usage Policy allows for employee email accounts to be read, perhaps for Data Leakage Prevention (DLP) purposes, you would envisage this happening in exceptional circumstances on the orders of the CEO rather than on an ad hoc basis by the IT department over their morning coffee and packet of Monster Munch. In addition, once your message leaves the corporate network, chances are that it is then transmitted in clear text over the public internet.

Looking at the external email problem first, most mail gateways can support Transport Layer Security (TLS), which provides encryption and authentication. Unfortunately, TLS is often not configured and is not supported by some public mail systems such as Gmail. TLS can also be configured between the client and the mail server, depending on the individual setup of the mail system, which reduces network sniffing attacks but does nothing to defeat abuse by rogue system administrators.

End-to-end encryption addresses all of the above issues and has been around for some time now. The leading solutions are Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). Both use public/private key technology for encryption and certificates for authentication and integrity. The difference between them lies in how certificates come to be trusted: S/MIME uses X.509 certificates, which take a hierarchical approach relying on a trusted certificate authority, whereas PGP uses a web of trust.
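The hierarchical trust that S/MIME inherits from X.509, shown as an added Go example that is not code from this post: a throwaway root CA issues a certificate for a constructed address (alice@example.test), and the recipient accepts that certificate only if it chains to the root, is valid for email protection, and actually names the sender. The helpers newCert and verifyEmailCert and the address are hypothetical; a certificate issued by an unrelated CA for the same address is rejected because the recipient trusts only the one root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a certificate for cn. With parent == nil it is self-signed (a root
// CA); otherwise the parent's key signs it, which is the hierarchical step S/MIME
// relies on. Hypothetical helper for this example, not the post's code.
func newCert(cn, email string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if email != "" { tmpl.EmailAddresses = []string{email} } // rfc822Name SAN used by S/MIME clients
	signer, signerKey := tmpl, key
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// verifyEmailCert accepts leaf only if it chains to root, is valid for email
// protection, and names the sender address the recipient is about to trust.
func verifyEmailCert(leaf, root *x509.Certificate, email string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := leaf.Verify(opts); err != nil { return err }
	for _, e := range leaf.EmailAddresses { if e == email { return nil } }
	return fmt.Errorf("certificate does not name %s", email)
}
```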

Widespread adoption of both technologies has been hindered by issues around certificate management and distribution, as before you can send someone an encrypted message you need to get hold of their public key. Although automatic key retrieval is possible by a variety of techniques, including LDAP queries of public directories, the management overhead has often been off-putting for many people. It’s also necessary to have your key store on each system from which you wish to read and send encrypted mail. This is particularly annoying if you use a web client: although Outlook Web Access supports S/MIME and there are Firefox add-ons for both PGP and S/MIME that work with Gmail, both require local certificate stores.

Mobile devices don’t help much either. The iPhone has no support for either technology and, although BlackBerry devices do, they exist only as paid-for extras.

One solution I found to the certificate locality problem with a web client was to use a portable version of Firefox with an S/MIME extension for Gmail. I could then read and send encrypted emails from any PC. The same is possible in theory with PGP. It is unlikely this would be feasible for Outlook Web Access, given that there isn’t a portable version of IE and many of the enhanced features don’t work with Firefox.

An ideal solution would be to allow mail programs to access certificate stores located on something like a USB key, and also to introduce a mini USB interface for mobile devices adopted by all the manufacturers, so that each user could use a single store from multiple devices. A single online public directory where everyone published their public key would also be useful. Why not something like Facebook or LinkedIn?

1 comment:

  1. An interesting side point is that Google seemed to be experimenting with building PGP signature verification directly into Gmail but don’t seem to have done so yet. See http://googlesystem.blogspot.com/2009/02/gmail-tests-pgp-signature-verification.html