Secure your Email with SSL
If you're looking for a way to secure your email with SSL to keep people from sniffing your sensitive information, George Ou shows you how simple it is to do. There are a few different aspects of securing your email that you need to be aware of. The first is encrypting the server-to-client connection.
Server to Client encryption is a check mark away:
The most likely way to get eavesdropped on is in the last 100 feet, whether that's through a wire (via layer 2 hijacking) or a wireless LAN connection. To enable Server to Client encryption, you simply check a simple option to enable SSL and type a different port number for your POP3 (inbound) and SMTP (outbound) Mail Server settings in your email client. My current DSL provider, AT&T, like most ISPs, supports SSL encryption on POP3 and SMTP, and it's as simple as a checkmark and using ports 995 for POP3 and 465 for SMTP instead of the usual ports 110 and 25. The problem is that AT&T doesn't disable unencrypted mode, which means the vast majority of users won't use the secure transport mode.
The second aspect is end-to-end email encryption using an email certificate. George describes how you can achieve authentication, non-repudiation, and encryption simply by using S/MIME, which is enabled in practically any mail client worth a bean.
In fact, an email client without S/MIME support is like a web browser that doesn't support HTTPS (SSL mode). All you need to do is obtain a FREE Personal Digital Certificate from a Certificate Authority like Thawte through a web enrollment process. In that enrollment process, you generate your own Public and Private Key pair, and Thawte digitally signs your Public Key after an email round trip in which you demonstrate control and possession of your email account.
Once you've obtained that Certificate, you can digitally sign any email, and everyone in the whole world using an email client less than a decade old will be able to read and trust that digital signature as having truly come from the purported "from" email address. The other side doesn't even need their own Digital Certificate to read your signatures. This is the "authentication" component...
...To enable encryption, both sides must have their own Digital Certificate, which also means both sides can digitally sign. Once the Digital Certificates are installed on each end, you simply need to click the "encrypt" button built into your email client. The beauty of this encryption scheme is that it doesn't care whether the network and server infrastructure in the middle is trusted or not, because only the end points can decrypt the messages. This however does not negate the need for Server to Client encryption, because we don't want someone else to be able to take over the email account on either end even if they can't read the encrypted messages.
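The S/MIME workflow quoted above (obtain a certificate, sign, verify, encrypt, decrypt) as an added example on the openssl command line; this is not code from George Ou's article. It assumes the openssl binary is installed, and, because no CA-issued personal certificate (such as the Thawte one he describes) is available offline, each party issues itself a self-signed certificate for a constructed address (alice@example.com, bob@example.com). The verify step therefore trusts Alice's certificate explicitly via -CAfile, where a real mail client would trust the issuing CA instead. The tamper step at the end goes slightly beyond the quoted text: it shows what the signature actually buys you when a message is altered in transit.

```shell
#!/bin/sh
# Added example, not from George Ou's article: S/MIME sign/verify and
# encrypt/decrypt with the openssl CLI. Assumes `openssl` is installed.
# Stand-in for a CA-issued personal certificate: each party issues itself
# a self-signed certificate (CN and emailAddress are constructed values).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA key pair plus a self-signed certificate carrying the
# e-mail address in the subject. $1 = short name, $2 = e-mail address.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1/emailAddress=$2" 2>/dev/null
}

# Sign: -text wraps the plain text as text/plain; the output is a
# multipart/signed message with the signer's certificate embedded, so the
# reader needs no certificate of their own. $1 = signer, $2 = in, $3 = out.
smime_sign() {
    openssl smime -sign -text -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -in "$2" -out "$3"
}

# Verify against a trust anchor (here the self-signed cert itself; a real
# client would use the CA that issued it). Prints the signed text on
# success and exits non-zero on a bad signature. $1 = signer, $2 = file.
smime_verify() {
    openssl smime -verify -text -CAfile "$WORK/$1.crt" -in "$2" 2>/dev/null
}

# Encrypt to the recipient's certificate with AES-256; only the matching
# private key can decrypt, whatever the servers in between do.
# $1 = recipient, $2 = in, $3 = out.
smime_encrypt() {
    openssl smime -encrypt -aes256 -in "$2" -out "$3" "$WORK/$1.crt"
}

# Decrypt with the recipient's private key. $1 = recipient, $2 = file.
smime_decrypt() {
    openssl smime -decrypt -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" -in "$2"
}

# Alice signs, then encrypts to Bob; Bob decrypts, then verifies Alice's
# signature. Prints the recovered text.
demo() {
    make_identity alice alice@example.com
    make_identity bob bob@example.com
    printf 'hello bob\n' > "$WORK/msg.txt"
    smime_sign alice "$WORK/msg.txt" "$WORK/signed.eml"
    smime_encrypt bob "$WORK/signed.eml" "$WORK/enc.eml"
    smime_decrypt bob "$WORK/enc.eml" > "$WORK/dec.eml"
    smime_verify alice "$WORK/dec.eml" | tr -d '\r'
}

# Integrity check: alter the signed text in transit; verification must
# fail. Call after demo, which creates signed.eml. Prints accepted/rejected.
tamper_demo() {
    sed 's/hello bob/hello bobby/' "$WORK/signed.eml" > "$WORK/tampered.eml"
    if smime_verify alice "$WORK/tampered.eml" >/dev/null; then
        echo accepted
    else
        echo rejected
    fi
}

demo
tamper_demo
```

Running the script prints the text Bob recovers (hello bob) followed by "rejected" for the altered copy. Note the asymmetry the quoted text points out: the signing key never leaves Alice's machine and the signed message carries her certificate, so a reader only needs a trust anchor for it, while encrypting to Bob requires his certificate up front.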
George then describes how difficult it is for someone to actually sniff traffic between two SMTP servers:
Sniffing traffic between two SMTP servers is REALLY difficult to pull off unless you have access to the ISP's (Internet Service Provider) infrastructure, or you've hacked into a server on one end, or you've hacked a router or firewall between the company and the ISP.
Originally posted on Tue Aug 7, 2007