If you have read my column, Explained: How ‘TLS’ Keeps Your Email Secure, you may now be a quivering mass of worry over who or what may be reading your private messages.
Fortunately, the companies and organizations that provide your email also want to keep you safe. Over the past decade, most have stepped up how they secure your account and the data sent over it.
Step 1: Encrypting your log-in
Using complicated math to scramble the username and password sent from your computer or mobile device to the email server you’re using is a basic defense against bad guys stealing your log-in credentials. But it wasn’t always used. As recently as 2007, I saw one major Internet provider not using basic “SSL” encryption. That meant that anybody running a malicious (or compromised) WiFi hotspot could grab your log-in data without having to decrypt anything.
Bonus feature No. 1: “EV-SSL.” Ever see your browser highlight a site’s domain name in green? That means the site purchased an “Extended Validation” Certificate, a rough equivalent of having a notary public verify your identity.
Bonus feature No. 2: “forward secrecy.” Modern encryption doesn’t rely on a single key that, if exposed, gives up the game; instead, the math changes each time. In forward secrecy (often called “perfect forward secrecy,” though I’m wary of repeating that kind of a claim), cracking one of these one-time keys doesn’t reveal any equation you could use to attack another.
Step 2: Encrypting your session
Once you log in, you want your online session to stay secured. If it's not, it's too easy for bad guys to hijack or snoop on the connection by looking for the tiny “cookie” files that websites save to free you from having to log in anew all the time. (See the “Firesheep” demonstration of 2010.) Once a cookie is hijacked, it can be used to log in to an account later, without its owner knowing it.
Over the past few years, full-time encryption — going by names like “sitewide SSL,” “always-on SSL,” and “full-time HTTPS” — has become standard at most webmail services and social networks such as Facebook and Twitter.
Step 3: Encrypting email in transit
The most welcome upgrade in email in the past few months has been the widespread move to deploy “TLS” encryption to secure email as it travels across the Internet. Both mail services have to support this, which they can confirm through a quick “handshake” check before transferring a message. The great thing here is that neither the sending nor the receiving human has to do anything extra. (The bad thing is that, currently, neither party can easily tell if the message is actually encrypted.)
Step 4: End-to-end encryption
But what happens once the message arrives at your correspondent’s servers, after which point even TLS can’t protect it?
With end-to-end encryption, not even those mail server computers can read it; only the person running a decryption program and in possession of the right digital key can decode it. This is both tremendously secure and, for most people, a huge pain to use on a daily basis.
Google’s project to build a simpler end-to-end encryption system that you could install from its Chrome Web Store is an important, promising step. But let’s see if it gets the interface right — and make sure that outside security experts inspect its code to verify that its cryptography can’t be broken by an attacker.
Don’t forget that in any of these situations, somebody peeking over your shoulder — or using a “keylogger” program to record your keystrokes — can get around encryption and read your words as you write them. While there is no such thing as perfect email security, for many people, there is definitely better security,