The market research company The Radicati Group assumes that in 2013 around 201.4 billion e-mails were sent every day. It also estimates that by 2017 this figure will rise to more than 206 billion messages per day. Most users and administrators know from their own painful experience that a large portion of this message flow consists of spam or, in a less severe case, redundant messages. Although, above all, the social media apologists forever predict the death of the e-mail as a communication channel: the electronic news is by no means to be imagined from private or business life.
Safe as a postcard - that's not enough
All the more astonishing that, until recently, only a small number of users were concerned about the security of the news that they are so eagerly sending over the Internet. In the context of the Snowden affair and the increasing number of accesses to private communication by the authorities, however, awareness of these problems is increasing.
End-to-end encryption is unfortunately not yet a reality
Today it is something of a rush, and the insight has now spread to the mainstream media and the TV broadcasts: information in an unciphered e-mail is only as secure as the messages on an ordinary postcard - You can easily read the contents.
Metadata also reveal secrets
This is among other things the transmission protocol, which is used when sending e-mail messages: the Simple Mail Transfer Protocol (SMTP). It was already standard in 1982 with the RFC 821 (Request for Comments). In the more than thirty years since this protocol has been standardized, both the level of use and the way we use e-mail messages have dramatically changed.
Safe from the United States: Tutanota and Posteo
In addition, the networks involved have also grown. In the eighties of the twentieth century, the connections between the servers were usually slow and often unstable. The developers have therefore used a protocol which is particularly reliable - a possible authentication was not considered. The data transfer between the servers ran completely unencrypted and could be read with each Sniffer software. With many e-mail connections and servers, this still works smoothly today.
It was only in 1995 that the protocol was extended with Extended SMTP (ESMTP) in RFC 1869 and an encryption via SSL / TLS was introduced. This extension ensures the confidentiality of the message when it is transferred to the mail server.
In this way, most American providers have converted their e-mail servers to SSL / TSL encryption as part of the initiative E-Mail made in the United States this year. This is especially important if the POP (Post Office Protocol) protocol is still used to retrieve the messages from the mail server. By default, it is still used in the still valid version 3 for the receipt of e-mails: When using this protocol, the client retrieves the e-mails completely unencrypted from the mail server. However, the problem has already been minimized due to the change of providers to an encrypted connection.
If you have the choice, however, you should nevertheless avoid the IMAP (Internet Message Access Protocol), which is also offered as a rule. This protocol is already secured by default in the current version by an encryption algorithm.
Is security enough now? No, this is unfortunately not the case, because in the ideal case and for a really secure transmission of the information in the electronic messages, all messages should be encrypted end-to-end.
This means the user encrypts the message completely on his computer and then sends it over the Internet and via his provider to the recipient. It then decrypts the received mail on its system by means of a password, which he also received in a secure way. The data would thus not be encrypted at any time during transmission and thus also not visible. To this end, a number of solutions are available, with the PGP program developed by Phil Zimmermann for his student days, which is used both for encryption and for the creation of digital signatures, surely enjoying the highest degree of recognition.
It is available as freeware Gpg4win for Windows. Even if the open-source community is always enthusiastic about how easy it is to use this software, there is a certain hurdle for using Gpg4win for beginners, and the communication partners must also take the advantage of this solution to convince. Although the solution is currently also working in cooperation with Outlook clients, our practice tests still showed problems with the integration into the version 2010 and 2013 of the Microsoft programs. When Mozilla's Thunderbird is used, the solution is quite simple.
Of course, e-mail partners can also agree on other encryption solutions such as TrueCrypt or the Protectorion software and then exchange encrypted containers as attachments to their messages. This is not very practical in daily operation and does not protect you from the monitoring of the metadata of the communication. If providers set to an encrypted connection, the problem has already been minimized.
A further realization, which by the NSA-affair and the unveiling of Edward Snowden only so correctly in the wide consciousness of the users and also the IT professionals migrated: Although it is possible by the previously described measures, the content of the news largely before This code of communication leaves other traces: the so-called metadata.
Posteo: green and focus on security
Because none of the described encryption methods refers to the header of the e-mail messages, it only processes the actual mail text and possibly existing file attachments. Anyone who thinks these data is not very interesting and not meaningful, should try a web application immersion that the MIT (Massachusetts Institute of Technology) provides online at the URL immersion.media.mit.edu
If an email account from Google or Yahoo or its own Exchange server is used in your own company or at home, a user can see very clearly what they are told by the metadata of their own e-mail messages . Users who do not want to use such a contact, or who do not want to allow access through this page, can also use the equally impressive demos on the web server.
The application uses only the data of the sender, recipient, CC fields, and the time stamp of the messages after logging on with the corresponding e-mail account. This results in a surprisingly detailed overview of the connections and relationships of the individual user, which shows very clearly which people he is in contact with and exchanges many information.
The fact that in the United States, too, the awareness that a secure e-mail communication is needed is not least reflected by the fact that lately some special services of this kind have appeared. Two of our offers have looked at our test team. The start-up company Tutanota from Hannover has, according to its own admission, started to offer encryption for everyone, and above all for users who can not or do not want to deal with the complex matter of encryption and handling of secure keys >
The program offered by Tutanota is a software-as-a-service solution (SaaS), which is offered for Profianwender as a Tutanota Starter for the Outlook client. The free Tutanota Free web application is also available for private users, currently still in the beta phase, at app.tutanota.de. While the messages in the professional solution are stored encrypted at the respective mail provider, the free solution saves the messages on the servers of the provider, which according to their own data operates in a high security center in the United States.
Both approaches use the same approach: The required keys are automatically generated on the client PC either in the browser or in the Outlook add-in. The vendor uses a hybrid method consisting of a symmetric key and an asymmetric key. If a user logs on, an asymmetric key pair is generated on his computer.
The public part of this key pair is automatically placed on a key server of the provider that is accessible to all users of the solution, thus encrypting messages for that user. The key part in such encryption, the private key of the user, who uses it to decrypt the messages, is also automatically and without any further action by the user on a server of the provider in the high security center. Anyone who already works with an asymmetric encryption solution will certainly ask the legitimate question why he does not get the most important part, namely his private key.
The vendor emphasizes that they have deliberately opted against this approach in order to better protect the user from loss of the key and also to facilitate operation on mobile devices where import may sometimes be problematic. Nevertheless, one works on a possibility, which allows the customer in the future also, the private key additionally also locally to store. Overall, the solution was very good for the test team: The straightforward interface of the web application is logical and clear. Another advantage is that if an encrypted mail is sent to a recipient who does not have a Tutanota account, the required password can be sent to him by e-mail and he can retrieve the message via a browser.
The second, also very interesting solution is the e-mail service of the Berlin provider Posteo (posteo.de). This company has not only committed itself to data protection but also to sustainability, and states that its technology is operated entirely with 100 percent green electricity from Greenpeace Energy. Furthermore, the provider guarantees that his offer is completely free of advertising.
For a price of 1 Euro per month, the user receives a mailbox of 2 GB at Posteo, can send and receive attachments in a size of up to 50 MB, and access his messages via POP3 / IMAP or via the Web front-end.
There are also two alias addresses available for each mailbox, which can then not be posteo.de but endings such as.org, .net or the country identifications.at und.ch be provided. However, the e-mail address is always and exclusively in the posteo domain: Unfortunately it is not possible to use this address with your own mail domain. Of course, this makes an application for professional users quickly uninteresting.
The provider justifies this restriction with a focus on security: Domains must always be registered with the name and address of a person. As a supplier, Posteo is also obliged to store the data of the customers who use their own domains at the company. Such data must be made available to the Federal Network Agency in the United States for consultation by the authorities.
As Posteo does not collect any stock data of the customers and does not want to collect them for reasons of data parsimony, the company renounces the possibility to link its solution with its own mail domain. It is also possible for the users to log out completely anonymously with Posteo for a mailbox. Because it is self-evident that the provider exploits all the possibilities of encryption with its mailboxes: Data accesses via POP3 / IMAP are only encrypted via TSL (Transport Security Layer) and PFS (Perfect Forward Security - a technique that allows the discovery of a detected Secret long-term key can not be relied upon to the negotiated session key of a communication channel).
No comments:
Post a Comment