Skip to main content
  1. Home
  2. Computing
  3. Features

Here’s why your email is insecure and likely to stay that way

By
can email ever be secure network
Image used with permission by copyright holder

Email is the most ubiquitous method of communication on the Internet – maybe even on the planet. It’s built into almost everything, from phones and tablets to traditional computers to gaming devices – heck, even connected home appliances and cars can do email. More importantly, being “on the Internet” means having an email address (or dozens of them); they’re our IDs, how we sign up for things, how we receive notices, and sometimes even communicate with each other. Email is the original “killer app.”

But email was not designed with any privacy or security in mind. There have been many efforts to make email more secure, but the recent shutdown of highly-touted secure email services like Lavabit (reportedly used by NSA leaker Edward Snowden) and Silent Circle in the wake of government surveillance programs highlight the difficulties. Lack of email security is also having some surprising collateral damage, like the announced shutdown of the respected software and law blog GrokLaw.

Recommended Videos

Is email security hopeless? Are we looking at the end of the Internet’s killer app?

Why isn’t email secure?

Email isn’t secure because it was never meant to be the center of our digital lives. It was developed when the Internet was a much smaller place to standardize simple store-and-forward messaging between people using different kinds of computers. Email was all transferred completely in the open – everything was readable by anyone who could watch network traffic or access accounts (originally not even passwords were encrypted). Amazingly, email sent using those wide-open methods still (mostly) works.

Today, there are four basic places where most people’s email can be compromised:

  • On your device(s)
  • On the networks
  • On the server(s)
  • On your recipient’s device(s)

The first and last places – devices – are easy to understand. If someone can sit at your computer, grab your phone, or swipe through your tablet, odds are that your email is sitting right there for them to read – You do use a lock screen or password on your devices, right? Same thing goes for your recipients’ devices. But even passwords and lock screens sometimes aren’t much help. While a few email programs encrypt the email messages they store on the device, most don’t. That means anyone (or any program) that can access the device’s internal storage can probably also read email and get to file attachments. Sound far-fetched? It doesn’t have to be a person; rifling through email is one of the most common things malware does.

Networks are a little tougher to understand, and covers three basic links:

  • Your connection to your email provider (whether that be your ISP, Google, Outlook, Yahoo, Apple, or someone else)
  • Any network connections between your email provider and your recipient
  • Your recipient’s networking connection to their email provider.

If you’re sending email to someone on the same service you use (say, Outlook.com), you have at least the first and third potential network vulnerabilities: your connection to Outlook.com and your recipient’s connection to Outlook.com. If your recipient’s email is elsewhere (say a company or school) then you have at least one more: the connection between Outlook.com and your recipient’s email provider. The reality of network topography means each of those connections involves a series of routers and switches (perhaps a dozen or more), probably owned and operated by different outfits. If one connection is secure, there’s no guaranteeing any other connection in the sequence is secure. And if you’re concerned about things like the NSA’s PRISM surveillance program, indications so far are that some of it happens at these interim network points.

Email was not designed with any privacy or security in mind.

Servers are the machines at your email provider or ISP that physically store your email. If someone cracks (or guesses, or steals) your email password, they probably don’t need your devices; they can log in to your email provider directly and read any email stored there. That might be only a few messages, but it could be weeks, months, or years worth of email – including at least some messages you’ve deleted. But that’s not the only risk. Most email services store your messages as plain text. So, any attacker who can access those servers (say, via a security flaw or by stealing an admin password) can easily access all the stored email and attachments. Why don’t providers protect stored email? Partly because of the overhead that would create, but storing the email unencrypted lets people search their messages (you like to search your email, right?) and enables services like Gmail to automatically scan mail for keywords to sell advertising (and you like advertising, right?).

Encryption to the rescue!

The best way to protect communications is to encrypt them: basically, scrambling the data with complex mathematical transformations so it’s only intelligible using the correct password or other credentials. A common form of encryption is public key cryptography, where people (or ISPs or companies) give away a public key that anyone can use to scramble data intended for them, but can only be decoded using a private key that the person (or ISP or company) keeps secret.

Public key cryptography is the basis of two primary ways to protect email:

  • Encrypting messages
  • Encrypting network connections

Encrypting messages

The idea behind encrypted messages is straightforward: instead of sending plain text anyone can read, you send scrambled gobbledegook only the intended recipient can read. Common tools for encrypting email include PGP (now a commercial product from Symantec) and numerous mainstream apps and tools that support the open source OpenGPG and S/MIME.

Encrypting messages is a straightforward idea, but the approach has pros and cons. On the positive side, encrypted messages are protected across both networks and servers, even if they’re compromised or store messages as plain text. (The gobbledegook could make Gmail serve up some weird ads, though!) The message is probably also encrypted on your device and your recipient’s devices (until they decode it), which offers some additional protection. That’s all good.

encryption
Image used with permission by copyright holder

Now the downsides. Encrypting individual messages is a pain. You have to have the public key of everyone you want to communicate with securely. For one or two people, that’s not bad, but most people have dozens (or hundreds) of contacts. Getting all of them up and running with public key cryptography won’t be easy.

Further, everyone who wants to send you secure email needs your public key! You can send it to them via email … but that won’t be encrypted so it’s not secure. Same with a blog post or a Facebook page or keyserver services or any other insecure channel. The only really safe way to exchange public keys is face-to-face or some other way you can be truly sure you’re getting the right key from the right person. That can be wildly impractical. Some folks who send you sensitive email – like banks, credit card companies, hospitals, schools, or the local fertility clinic – probably won’t (or won’t know how) to use your public key even if they had it. Bottom line, not many of your email messages are going to be encrypted, so encrypting messages isn’t a general solution for secure email.

But wait! There are more downsides to encrypting messages. Only the message contents (and attachments, if any) are scrambled. The header information (including your address, the recipient’s address, subject, date, and more) are all still plain text anyone can read. That information might just be metadata, but over time it can paint a surprisingly detailed picture of your online activities. (Just ask the NSA!) Want another downside? Try logging into your webmail and searching through encrypted mail for a phone number or address.

Encrypting connections

Hassles with encrypted messages mean much of the focus on securing email has been on encrypting network connections. The basic idea is the same as using a secure Web site like your bank or Amazon.com. When you connect to your email provider, your software uses Transport Layer Security (TLS, still better known as SSL) to encrypt the connection between your device and the service. It even takes care of exchanging keys: most devices today come pre-installed with keys for certificate authorities, where they can download authenticated keys for sites and services without bothering users: no muss, no fuss, no flying to Australia to exchange public keys with someone. The basic technology has worked for ecommerce for almost two decades.

That information might just be metadata, but over time it can paint a surprisingly detailed picture of your online activities.

Encrypting the connection between you and your email provider means no one on the network in between can view email messages you send or receive: it’s all gobbledegook. That protects you from the creep on the local Wi-Fi network and even secret government taps in a data center somewhere along the way.

However, once the message reaches your email provider, all bets are off. Most of the time, your email provider stores the message data as plain text (see above), although there are exceptions like Canada’s Hushmail. And if your recipient is on another email provider or ISP, your message could be (and probably is!) transmitted to them over the Internet as old-school plain text email. A growing number of email services are using TLS to encrypt connections between themselves, but the vast majority of email servers in the world still exchange messages with no encryption – and there’s no way for you to know. Furthermore, there’s no telling whether your recipient will use a protected connection to receive or reply to your email. You might have protected yourself from the creep on the public Wi-Fi network, but did your doctor or accountant? Maybe not.

Is email doomed?

Email won’t go away anytime soon. It’s far too useful, and it’s near-universal status on almost every device and service ensures email will be with us for many years.

 Login-privacy

But secure email? The bottom line is that email as we know it today has never been secure, and the myriad ways we send, receive, store, and use email messages makes fully securing email a very difficult problem. At best.

We can invent new secure message services that could replace email. That’s what Silent Circle has done with its encrypted communications service, and arguably that’s what BlackBerry did with BBM and what Apple may have done with iMessage. Nonetheless, these services are subject to disclosure requests from governments – although Silent Circle takes the interesting step of being able to respond with almost nothing. More importantly, none are likely have the broad ubiquity and almost omnipresent reach of email at any point in the medium or even the long term. Hopefully, the difficulty won’t stop people from trying – and Kim Dotcom’s Mega is already throwing its hat in the ring.

But, for the foreseeable future, Internet users cannot expect email to be secure from prying eyes or interception. Period.

Top image courtesy of Shutterstock/3dreams

Topics
Geoff Duncan
Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Best Verizon Fios new customer deals: Get 2GB/s internet in your home
Fios TV Package

Whether you surf the web for work or you subscribe to one of the best live TV streaming services, the experience can be made better with blazing fast internet. Fiber optic internet service is the future, and with Verizon Fios you can get some of the fastest internet service around. This service would pair well with any of the best TVs and home theater setups, but it’s also something to consider if you're into online gamine or do work that requires large file uploads and downloads. We’re currently seeing some of the lowest prices on Fios home internet service we’ve ever seen, with Verizon putting some super impressive deals out there. We’ve rounded up all of the best Verizon Fios deals available right now, and they include low monthly costs, waived setup charges, and a number of freebies like Target gift cards.
2 Gigabit Verizon Fios connection -- $85 per month + free extras
One of the fastest internet speeds you can get, and the fastest speed that Verizon offers, this is the sort of subscription you should grab if all the members of your family are essentially watching 4k content all the time. It's also great for those who want to host their own media server to share with friends or family while not impacting anybody else in the home. You also get a lot of great freebies included here, such as the choice of either a $300 Target gift card or a $350 value Samsung Chromebook Go, which is admittedly an entry-level device, but it's not bad to use for just streaming content. On top of that, you can choose between 2TB of Verizon cloud storage and 12 months of Disney+ with no ads or a MoCA Ethernet Adapter for gaming and a $50 Xbox eGift Card. You could also get both of these if you add an extra $10/month, although it's probably not worth it at that point.

1 Gigabit Verizon Fios connection -- $65 per month + free extras
If the super-fast speeds aren't necessarily needed, especially if you're in a smaller household without too many folks watching content, then the 1 Gigabit version is the way to go. It is $20 cheaper, so it's a lot of money that you're saving over the course of the year, and you still get quite a few extra benefits, even at this level. You get to choose either a $200 Target gift card or the same sort of Samsung Chromebook Go that's worth $350 that's great for streaming content. You also get a similar choice as the 2 Gigabit connection, which includes either 2TB of Verizon cloud storage and six months of Disney+ without ads, or a MoCA Ethernet Adapter for gaming and a $50 Xbox eGift Card.

Read more
Best Buy laptop deals: Cheap laptops starting at $139
Apple M1 MacBook Air open on a desk with plants in the background.

With Best Buy almost always among the best places to buy a laptop online, it’s worth checking out what sort of laptop deals the retail giant currently has taking place. It regularly discounts laptop models by top laptop brands like Dell, HP, Lenovo, and even Apple. We’ve tracked down all of the Best Buy laptop deals worth shopping right now, and you can read more about them below. They include some massive savings on an Acer Chromebook, as well as some discounts on new MacBook Airs. If you’re uncertain what sort of laptop best suit your needs, you can also consult our laptop buying guide.
Acer Chromebook 315 — $139, was $199

The Acer Chromebook 315 is one of the larger Chromebooks you’ll find, as its display comes in at an impressive 15.6 inches. This makes it a great option for people who want some extra screen real estate, but who still like to do their work on the go. The Acer Chromebook 315 has plenty of power for a Chromebook, and is made as much for comfort as functionality. Its slightly larger size will come in handy when doing creative work and an integrated numeric keyboard gives it the feel of working on a desktop. The Acer Chromebook 315 is able to reach up to 10 hours of battery life on a single charge, meaning you can work on the go all day without needing to take a charger with you.

Read more
The latest Windows update is breaking VPN connections
Windows Update running on a laptop.

Microsoft has acknowledged that the Windows security updates for April 2024 (KB5036893 for Windows 11, KB5036892 for Windows 10) are causing disruptions to virtual private network (VPN) connections across various client and server platforms. According to information on the Windows health dashboard, devices running Windows may experience VPN connection failures following the installation of either the April 2024 security update or the April 2024 non-security preview update.

The company has also stated that it is actively investigating user reports regarding these issues and will share more details in the coming days. The impacted Windows versions include Windows 11, Windows 10, and Windows Server 2008 onward.

Read more