the miscellany news

lxxxii

2.7.08


T.Chow/The Miscellany News

life

published on 12/02/05

Protecting yourself from e-mail snoops



Matt Leung Assistant Managing Editor

The security problems inherent in e-mail communication are much greater than those involved with telephone or fax communications. If someone wants to eavesdrop on your telephone line, they might have to climb a telephone pole and risk electrocution while trying not to catch too much attention from people on the street. On the other hand, if someone wants to eavesdrop on your e-mail, they need only be connected to the Internet.

As an e-mail message travels from its starting point to its destination, many computer servers handle it. Normally, as your message travels from one computer to another, the message, in plaintext form, is traveling on the Internet and is open to anyone who wishes to intercept and alter it. The problem is manifold.

First, if you use a web browser such as Internet Explorer or Firefox to check your e-mail, your browser must connect to a webmail server. This connection is usually unprotected, because your browser communicates with the webmail server over an unprotected protocol, HTTP (Hypertext Transfer Protocol). Thus, as you read your e-mail messages, the traffic between your local computer and the webmail server is open for others to see. If you are using an e-mail client such as Microsoft Outlook or Eudora to check your e-mail, the same issue applies, as e-mail clients use the SMTP (Simple Mail Transfer Protocol), which is also unprotected. In some cases, even your username and password are sent through these protocols unprotected, for others to see.

Since under normal circumstances e-mail messages are unprotected, identity and authenticity are also issues. E-mails can be altered by an interceptor as they travel on the Internet, and you cannot tell if the e-mail messages you get are really in the original words of the sender (think about that next time you get a love note from someone over e-mail). E-mails can also be forged so that an e-mail you think you received from one person is actually forged by another person (think of that love note again!).

A myriad of technical issues add to this problem. For example, as your message travels half-way across the world, some of the third-party servers along the way, which you know nothing about, might save backup copies of your message to their own servers. These backups might exist for years after you send the message.

Additionally, when you send an e-mail with the SMTP protocol, it may be possible for the recipient of your e-mail to identify your local computer’s IP (Internet Protocol) address. This information can be used to identify your physical location, and can be used to hack into your local computer.

There’s still hope. First, when you check e-mail with a web browser, make sure that your provider uses SSL (Secure Sockets Layer) beneath the HTTP protocol, forming HTTPS (HTTP over SSL), instead of just the regular HTTP protocol. This encrypts your communication with the webmail server. You can look for this in the address bar (for example, https://webmail.vassar.edu). Although Vassar provides this protocol to encrypt your username and password, it still uses the HTTP protocol to send messages from its webmail server to your local computer, thus leaving you vulnerable (at any rate, most providers don’t offer HTTPS throughout).

If you check your e-mail with an e-mail client, SSL can also be used to encrypt communication between your local computer and the SMTP server. Additionally, using an anonymous SMTP server prevents the recipient of your e-mail from knowing your IP address. Check with your provider for this feature.

To encrypt the e-mail messages, you can use either the PGP (Pretty Good Privacy) or the S/MIME (Secure Multipurpose Internet Mail Extensions) standards. The PGP technology can be purchased from PGP.com. S/MIME is provided with Microsoft Outlook.

The PGP and S/MIME standards, which are also called asymmetric key encryption, also allow for the authentication of e-mail messages. With them, you can digitally sign your e-mails, so that the recipient will know that the message really came from you and not an imposter. With PGP and S/MIME, your messages will be meaningless to any interceptors. Even if third-party servers back up your messages, they will not be decipherable in the future should someone look through the back-up.

Overall, since the PGP and S/MIME standards encrypt the message itself, your message can travel openly on the Internet, and no eavesdropper would be able to decipher it. The secure protocol SSL only encrypts communication among computers, and does not encrypt the message itself.
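The hop-by-hop handling described above can be checked on any message you have received. The following Python code is an added example, not part of the original article: it reads the Received headers of a constructed sample message and reports which hops used an encrypted connection (by the RFC 3848 "with" keywords) and which client IP address the recipient can see. The host names, addresses and function names are illustrative assumptions.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic); hosts and IPs use
# documentation ranges (RFC 5737) and example domains.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id C3; Fri, 2 Dec 2005 10:00:09 -0500
Received: from smtp.example.edu (smtp.example.edu [192.0.2.10])
\tby mx.example.net with ESMTPS id B2; Fri, 2 Dec 2005 10:00:05 -0500
Received: from dorm-pc (unknown [203.0.113.45])
\tby smtp.example.edu with ESMTPSA id A1; Fri, 2 Dec 2005 10:00:01 -0500
From: sender@example.edu
To: friend@example.org
Subject: hello

Plaintext body.
"""

# "with" protocol keywords from RFC 3848 that indicate the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\w+)",
    re.S,
)

def audit_hops(raw):
    """Return the hops in travel order: (from_host, from_ip, by_host, protocol, tls)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received header, so reverse for travel order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(header)
        if m:  # Received is loosely structured; skip lines we cannot parse
            proto = m["proto"].upper()
            hops.append((m["helo"], m["ip"], m["by"], proto, proto in TLS_PROTOCOLS))
    return hops

def exposed_client_ip(hops):
    """IP of the machine that first submitted the message, as the recipient sees it."""
    return hops[0][1] if hops else None

if __name__ == "__main__":
    for helo, ip, by, proto, tls in audit_hops(SAMPLE):
        print(f"{helo} [{ip}] -> {by}: {proto} ({'TLS' if tls else 'cleartext'})")
    print("client IP visible to recipient:", exposed_client_ip(audit_hops(SAMPLE)))
```

In the sample, the last hop is cleartext even though the first two were encrypted, so the body was readable on that leg and on every server in between. Received headers are written by the servers themselves, so an entry added before the first server you trust may not be accurate.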

While it might be physically possible to climb up a telephone pole to intercept phone calls, encryption for e-mail makes it quantum mechanically impractical for an eavesdropper to try to randomly pick a right key that would make the gibberish intelligible out of all the possible keys in the universe.

Thus, while e-mail at its present state is much more dangerous than other types of communication, with such practices as encryption it could be the safest type around.
