
    Sending Secure E-Mail?

    • scottalanmillerS
      scottalanmiller @1337
      last edited by

      @Pete-S said in Sending Secure E-Mail?:

      @scottalanmiller said in Sending Secure E-Mail?:

      It ends up doing nothing more than TLS already does, but with a lot more manual work.

      Completely wrong as well. TLS is just transport encryption. When it's not in transport, it's not encrypted.

      Yes, I understand that point. I was thinking that they could not send the encryption key first, leaving it as open. But, if the requirement allows the recipient to do all the work to set up their own GPG, then this could work.

      I wrongly just assumed that if they could do this that they could do any number of things so having the recipient set up GPG / PGP wasn't an option. But that was an assumption and not actually stated.

      • 1
        1337 @scottalanmiller
        last edited by

        @scottalanmiller said in Sending Secure E-Mail?:

        @Pete-S said in Sending Secure E-Mail?:

        @scottalanmiller said in Sending Secure E-Mail?:

        The system admin can always get the key out of your email and open whatever has been sent.

        Completely incorrect as well. The public key can only be used for encryption, not decryption.

        Oh, right, okay, having a "duh" moment. So you can send your public key via email, and ANYONE can send you an encrypted email, but ONLY to you. Because you have the private decryption key.

        You are right, I follow now. That could work.

        No problem. I'm not a crypto guy but we used PGP encrypted email for many years so I know the basic principles.

        • scottalanmillerS
          scottalanmiller @1337
          last edited by

          @Pete-S said in Sending Secure E-Mail?:

          @scottalanmiller said in Sending Secure E-Mail?:

          @Pete-S said in Sending Secure E-Mail?:

          @scottalanmiller said in Sending Secure E-Mail?:

          The system admin can always get the key out of your email and open whatever has been sent.

          Completely incorrect as well. The public key can only be used for encryption, not decryption.

          Oh, right, okay, having a "duh" moment. So you can send your public key via email, and ANYONE can send you an encrypted email, but ONLY to you. Because you have the private decryption key.

          You are right, I follow now. That could work.

          No problem. I'm not a crypto guy but we used PGP encrypted email for many years so I know the basic principles.

          I've used it, but I was adding in the incorrect assumption that everything had to be done only on the sender's end. Which if you did that, encrypting with PGP and sending the key with it, anyone who intercepted would be able to read. But if the recipient can send the key too, then yeah, obviously that works great.

          • 1
            1337 @scottalanmiller
            last edited by 1337

            @scottalanmiller said in Sending Secure E-Mail?:

            @Pete-S said in Sending Secure E-Mail?:

            @scottalanmiller said in Sending Secure E-Mail?:

            @Pete-S said in Sending Secure E-Mail?:

            @scottalanmiller said in Sending Secure E-Mail?:

            The system admin can always get the key out of your email and open whatever has been sent.

            Completely incorrect as well. The public key can only be used for encryption, not decryption.

            Oh, right, okay, having a "duh" moment. So you can send your public key via email, and ANYONE can send you an encrypted email, but ONLY to you. Because you have the private decryption key.

            You are right, I follow now. That could work.

            No problem. I'm not a crypto guy but we used PGP encrypted email for many years so I know the basic principles.

            I've used it, but I was adding in the incorrect assumption that everything had to be done only on the sender's end. Which if you did that, encrypting with PGP and sending the key with it, anyone who intercepted would be able to read. But if the recipient can send the key too, then yeah, obviously that works great.

            It's pretty easy to install and use nowadays, especially if you are just a couple of persons. You just install the add-on needed depending on your email client. Then you have to tell it what you want your passphrase to be and it will create your public and private key for you.

            All you have to do then is email your public key to whomever you want to be able to receive secure emails from. And they'll do the same.

            When you receive a secure email you have to enter your passphrase to read it.

            • 1
              1337 @1337
              last edited by 1337

              @Pete-S said in Sending Secure E-Mail?:

              @scottalanmiller said in Sending Secure E-Mail?:

              @Pete-S said in Sending Secure E-Mail?:

              @scottalanmiller said in Sending Secure E-Mail?:

              @Pete-S said in Sending Secure E-Mail?:

              @scottalanmiller said in Sending Secure E-Mail?:

              The system admin can always get the key out of your email and open whatever has been sent.

              Completely incorrect as well. The public key can only be used for encryption, not decryption.

              Oh, right, okay, having a "duh" moment. So you can send your public key via email, and ANYONE can send you an encrypted email, but ONLY to you. Because you have the private decryption key.

              You are right, I follow now. That could work.

              No problem. I'm not a crypto guy but we used PGP encrypted email for many years so I know the basic principles.

              I've used it, but I was adding in the incorrect assumption that everything had to be done only on the sender's end. Which if you did that, encrypting with PGP and sending the key with it, anyone who intercepted would be able to read. But if the recipient can send the key too, then yeah, obviously that works great.

              It's pretty easy to install and use nowadays, especially if you are just a couple of persons. You just install the add-on needed depending on your email client. Then you have to tell it what you want your passphrase to be and it will create your public and private key for you.

              All you have to do then is email your public key to whomever you want to be able to receive secure emails from. And they'll do the same.

              When you receive a secure email you have to enter your passphrase to read it.

              Writing this I think the best way to use this for ordinary business use is to only send encrypted email when you are sending something sensitive, like passwords or stuff like that.

              Problem with encrypted email (and also its strength) is that you can't read it if you don't have your private key and passphrase. But it makes it complicated reading email on different devices and software unless you copy your private key everywhere and enter your passphrase on a number of insecure devices. Which defeats the security aspect of it.

              So it works best on desktop clients and if you only encrypt when really needed, you are not much affected by the drawbacks. If you try to read an encrypted email on a device that doesn't support it you'll just see an attachment that is just gibberish as my earlier post shows.

              • ObsolesceO
                Obsolesce
                last edited by Obsolesce

                @JasGot
                Is this all inter-company email you're talking about or is it your customer sending e-mail to outside parties?

                I was under the assumption you were talking about your customer wanting to send secure email to 3rd parties.

                If that's the case, it's not as simple as having the 3rd party set up PKI solution and giving everyone in your customer's company a public key so they can encrypt emails to send them (unless they already have that set up).

                If the sole goal of all of this is to keep the email systems administrators and computer client admins from obtaining and reading any email, then the ONLY options are either to encrypt the emails themselves as in GPG/PGP PKI on the receiver's end, or a third party that uses some other means to verify identity before allowing the recipient to view the email similar to how your bank may send secure communications to you.

                In the past I set up a global PKI solution as a requirement that did just this, and also made available a solution that could distribute a certificate to any 3rd party that needed one which would allow a user in the company to then send an encrypted email to that recipient once the recipient sent a copy of the public key. This worked well, as I had set up some good instructions users in my company could use to help get the 3rd party recipient set up.

                Also, keep in mind this will only work if the email clients support encryption. Clients like Outlook and Thunderbird do. OWA can if you use IE plus some MS plugin.

                • scottalanmillerS
                  scottalanmiller @1337
                  last edited by

                  @Pete-S said in Sending Secure E-Mail?:

                  Writing this I think the best way to use this for ordinary business use is to only send encrypted email when you are sending something sensitive, like passwords or stuff like that.

                  For sure, it makes way too many things way too much of a pain.

                  • J
                    JasGot
                    last edited by

                    Our customer doesn't want the city's bank account and routing info transported through e-mail. He was willing to do it if we could come up with a way that would guarantee it could not be read in transit.

                    He understands the sysadmins at each end can read it, and he understands that he has no control over what happens after it arrives at the recipient.

                    He, like me, has used systems that "appear" to provide a little more protection. i.e., when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

                    The problem with this type of system is that a) we don't know if the employee at the state can visit any of these sites. b) we don't know if the employee at the state is willing to put forth the effort.

                    As for the PGP idea, we don't even know if the state employee is using an actual e-mail client.

                    So for now the customer really only has two options to alleviate his concerns: 1) continue sending by USPS and wait a month or more for action, or 2) send an encrypted file as an attachment and HOPE the receiving mail server allows it, and HOPE the recipient will call and ask for the password.

                    With the possibility of little or no cooperation at the receiving end, the customer is basically SOL.

                    • DashrenderD
                      Dashrender
                      last edited by

                      @JasGot said in Sending Secure E-Mail?:

                      Our customer doesn't want the city's bank account and routing info transported through e-mail. He was willing to do it if we could come up with a way that would guarantee it could not be read in transit.

                      I do believe there is another option, now that you have changed the rules to the bolded above. TLS, TLS gives you this. And this is something you can confirm beforehand.

                      • JaredBuschJ
                        JaredBusch @Dashrender
                        last edited by

                        @Dashrender said in Sending Secure E-Mail?:

                        @JasGot said in Sending Secure E-Mail?:

                        Our customer doesn't want the city's bank account and routing info transported through e-mail. He was willing to do it if we could come up with a way that would guarantee it could not be read in transit.

                        I do believe there is another option, now that you have changed the rules to the bolded above. TLS, TLS gives you this. And this is something you can confirm beforehand.

                        If by confirm you mean refuse to send the email if the recipient server rejects the STARTTLS then yes.

                        • scottalanmillerS
                          scottalanmiller @JasGot
                          last edited by

                          @JasGot said in Sending Secure E-Mail?:

                          Our customer doesn't want the city's bank account and routing info transported through e-mail. He was willing to do it if we could come up with a way that would guarantee it could not be read in transit.

                          That's totally different than what was asked. Of course normal email cannot be read in transit. So all you have to do is enforce TLS instead of letting it be opportunistic and ta da, problem solved.

                          • scottalanmillerS
                            scottalanmiller @JasGot
                            last edited by

                            @JasGot said in Sending Secure E-Mail?:

                            With the possibility of little or no cooperation at the receiving end, the customer is basically SOL.

                            No, actually they are in great shape.

                            Because...

                            1. Any system that isn't using TLS for their email you have way, way bigger concerns and you shouldn't be talking to anyway.
                            2. You simply set to enforcing and everything is guaranteed to meet your needs.

                            It's a great situation and why most of us have no issues like this, because TLS meets the needs.

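The difference between opportunistic and enforced TLS that the replies above describe (refusing to send when the recipient server rejects STARTTLS), as an added example that is not part of any post in this thread. `deliver`, `DeliveryRefused`, `send_to_mx` and `FakeSMTP` are hypothetical names, and `FakeSMTP` is a constructed stand-in for a real server so the code runs offline.

```python
import smtplib
import ssl


class DeliveryRefused(Exception):
    """The message was NOT sent because the hop could not be encrypted."""


def deliver(smtp, sender, rcpt, message, policy="enforce", context=None):
    """Send over a connected smtplib.SMTP-like object; return "tls" or "cleartext".

    policy="opportunistic": use STARTTLS if advertised, otherwise send in the clear.
    policy="enforce": refuse to send unless STARTTLS is advertised and succeeds.
    """
    if policy not in ("enforce", "opportunistic"):
        raise ValueError(f"unknown policy: {policy!r}")
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        # Same outcome if something on the path removed STARTTLS from the EHLO reply.
        if policy == "enforce":
            raise DeliveryRefused("STARTTLS not advertised; message not sent")
        smtp.sendmail(sender, [rcpt], message)
        return "cleartext"
    try:
        # The default context verifies the certificate chain and host name.
        smtp.starttls(context=context or ssl.create_default_context())
    except (smtplib.SMTPException, ssl.SSLError) as exc:
        # Never continue on a connection whose TLS negotiation failed.
        raise DeliveryRefused(f"STARTTLS failed: {exc}") from exc
    smtp.ehlo()  # capabilities are re-read inside the encrypted session
    smtp.sendmail(sender, [rcpt], message)
    return "tls"


def send_to_mx(mx_host, sender, rcpt, message, policy="enforce"):
    """Real-network variant; mx_host is the MX the recipient domain publishes."""
    with smtplib.SMTP(mx_host, 25, timeout=30) as smtp:
        return deliver(smtp, sender, rcpt, message, policy)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self, offers_starttls, handshake_ok=True):
        self.offers_starttls = offers_starttls
        self.handshake_ok = handshake_ok
        self.encrypted = False
        self.sent = []  # one (was_encrypted, recipients) tuple per delivered message

    def ehlo(self):
        return (250, b"mx.state.example")

    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers_starttls

    def starttls(self, context=None):
        if not self.handshake_ok:
            raise ssl.SSLError("certificate verify failed (constructed)")
        self.encrypted = True

    def sendmail(self, sender, rcpts, message):
        self.sent.append((self.encrypted, tuple(rcpts)))
        return {}
```

This covers only the hop between the two mail servers; the message is stored unencrypted at each end, which is the case the PGP discussion earlier in the thread addresses.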
                            • DanpD
                              Danp @JasGot
                              last edited by

                              @JasGot said in Sending Secure E-Mail?:

                              He, like me, has used systems that "appear" to provide a little more protection. i.e., when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

                              I have a need for such a system. Recommendations anyone?

                              • scottalanmillerS
                                scottalanmiller @Danp
                                last edited by

                                @Danp said in Sending Secure E-Mail?:

                                @JasGot said in Sending Secure E-Mail?:

                                He, like me, has used systems that "appear" to provide a little more protection. i.e., when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

                                I have a need for such a system. Recommendations anyone?

                                There are tons of these "web instead of email" systems out there. They are quite common and features tend to be quite close.

                                • DashrenderD
                                  Dashrender @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in Sending Secure E-Mail?:

                                  @Danp said in Sending Secure E-Mail?:

                                  @JasGot said in Sending Secure E-Mail?:

                                  He, like me, has used systems that "appear" to provide a little more protection. i.e., when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

                                  I have a need for such a system. Recommendations anyone?

                                  There are tons of these "web instead of email" systems out there. They are quite common and features tend to be quite close.

                                  And expensive - last time I looked Zix was like $5/user/month one of the big names in this arena.

                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said in Sending Secure E-Mail?:

                                    @scottalanmiller said in Sending Secure E-Mail?:

                                    @Danp said in Sending Secure E-Mail?:

                                    @JasGot said in Sending Secure E-Mail?:

                                    He, like me, has used systems that "appear" to provide a little more protection. i.e., when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

                                    I have a need for such a system. Recommendations anyone?

                                    There are tons of these "web instead of email" systems out there. They are quite common and features tend to be quite close.

                                    And expensive - last time I looked Zix was like $5/user/month one of the big names in this arena.

                                    I think that they lean to the high side.

                                    • DashrenderD
                                      Dashrender @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Sending Secure E-Mail?:

                                      @Dashrender said in Sending Secure E-Mail?:

                                      @scottalanmiller said in Sending Secure E-Mail?:

                                      @Danp said in Sending Secure E-Mail?:

                                      @JasGot said in Sending Secure E-Mail?:

                                      He, like me, has used systems that "appear" to provide a little more protection. i.e., when my broker wants me to see a document, I get an e-mail that takes me to a web port. Once I log in, I can view the document.

                                      I have a need for such a system. Recommendations anyone?

                                      There are tons of these "web instead of email" systems out there. They are quite common and features tend to be quite close.

                                      And expensive - last time I looked Zix was like $5/user/month one of the big names in this arena.

                                      I think that they lean to the high side.

                                      Sure they do - but $4/user/month is found everywhere... I think I've seen $3/user/month once, but that was a rare one at the time... but I haven't looked for years.. there might be more competition today.

                                      • brandon220B
                                        brandon220
                                        last edited by

                                        Zix works as advertised and everyone is happy. Been using it for a while for about 10 users and can't complain. Their support is good if you need it.

                                        • jt1001001J
                                          jt1001001
                                          last edited by

                                          We use Mimecast for filtering and the web feature is built in. Expensive though.

                                          • jmooreJ
                                            jmoore @jt1001001
                                            last edited by

                                            @jt1001001 We use Mimecast here also. No complaints about it.
