Tuesday, July 12, 2016

The importance of email and server encryption security

Clinton’s Email Controversy

Image courtesy of Mike Mozart at Flickr.com
Recently, former United States Secretary of State Hillary Clinton addressed her use of a personal email address and a private email server while in office. A Salt Lake City computer security firm determined that, for a period, access to the server she used was neither encrypted nor authenticated with a digital certificate. Under those conditions anyone on the network path could read her communications, because nothing was scrambling them. Worse, the exposure need not have ended with that period: if attackers captured her credentials while they were being sent in the clear, they could have kept using them to read her email archive afterwards. During the roughly three-month window in which the server lacked encryption, she visited Japan, Indonesia, South Korea, China, Egypt, Israel, the Palestinian Authority, Belgium, Switzerland, Turkey and Mexico, and some of these countries are known to monitor network communications. “It’s highly unlikely that a person of that importance isn’t being targeted by people who want to gain access to the computational devices in her possession,” said John Kindervag, an analyst at Forrester Research. This is why digital certificates matter for official communications.

Clinton's use of a personal email account, tied to the private server at her family's New York home, has become one of the most potent scandals dogging her presidential campaign. It prompted questions about whether she was trying to skirt transparency laws, whether her actions contributed to breaches of national security, and whether she and her aides understood the technical risks of the arrangement. The server also allowed people to access and configure it remotely, a feature that poses a serious security threat if it is not properly locked down.

The server that Hillary Clinton used to conduct official business as secretary of state lacked one of the most basic and important security features. The setup, which consisted of two computers running antivirus programs, had no digital certificate with which to authenticate the server and encrypt its email traffic. Website operators install digital certificates on their servers to authenticate their sites. A certificate is paired with a cryptographic key, and together they let a web browser start a secure (TLS) session that encrypts the transmitted data, so that a third party who intercepts the traffic still cannot read it. As Don Burns points out, you can recognize a website whose owner has installed a certificate by the lock icon near your browser's address bar and the "https" prefix in the web address. Note what the lock does and does not promise: it means the connection is encrypted to the server named in the certificate, not that the site itself is honest or its contents safe. The Hillary Clinton email controversy has thrust email security into the spotlight. But is protecting the servers enough, or is it necessary to start encrypting the emails themselves?


Man in the Middle

Securing a mail server with a digital certificate matters for two reasons. Without one there is no way to confirm that the mail server you are connecting to is the real one, and the traffic between your browser or email client and the server cannot be encrypted (the certificate is what lets TLS both identify the server and set up the encrypted session), so anyone on the path can read it. Without a certificate you are open to a man-in-the-middle (MITM) attack: an attacker who can redirect your connection simply stands in for the server, reads or alters your mail, and passes it on. Two caveats are worth knowing. A certificate only helps if the client actually verifies it, including checking that the name in the certificate matches the server it meant to reach; a client configured to accept any certificate is no better off than one with no TLS at all. And a server certificate protects your emails only in transit between your client and your own server. It does nothing for them as they pass through other servers on the way to the recipient, where a hop may well be unencrypted, nor for emails at rest in the mail systems at either end.
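The check a practitioner runs to test the two points above (the certificate observation earlier on the page, and the MITM risk here) is to open a STARTTLS session to the mail server with the openssl CLI and see whether the certificate actually verifies. The script below is an added example, not code from the original post. It assumes the openssl CLI (1.1.0 or newer, for `-verify_hostname`) is installed; the host names and the three s_client excerpts it parses are constructed for the demo, not captured from any real server.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a mail server
# offers STARTTLS with a certificate that actually verifies, using the
# openssl CLI. Assumes openssl 1.1.0 or newer (for -verify_hostname); the
# host names below are hypothetical.

# Turn `openssl s_client` output (on stdin) into a verdict. Exit status:
#   0  handshake completed, chain and hostname verified
#   1  handshake completed but the certificate did not verify
#   2  no certificate at all (server speaks only cleartext, or no STARTTLS)
# Gotcha handled here: s_client prints "Verify return code: 0 (ok)" even
# when no handshake happened, so the "no peer certificate" line is checked first.
tls_verdict() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo "NO-TLS: no certificate presented; mail would travel in cleartext"
        return 2
    fi
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo "NO-TLS: handshake never completed"
        return 2
    fi
    case "$code" in
        0)     echo "OK: certificate chain and hostname verified" ;;
        18|19) echo "FAIL ($code): self-signed certificate; anyone could mint one"; return 1 ;;
        62)    echo "FAIL ($code): hostname mismatch; certificate was issued for another server"; return 1 ;;
        *)     echo "FAIL ($code): certificate chain did not verify"; return 1 ;;
    esac
}

# Probe a live server: EHLO, STARTTLS, then verify the chain against the
# system trust store and check the certificate name against $host.
probe_smtp() {
    host=$1
    port=${2:-587}
    openssl s_client -starttls smtp -connect "$host:$port" \
        -servername "$host" -verify_hostname "$host" </dev/null 2>&1 | tls_verdict
}

# Constructed s_client excerpts (not captured from any real server), so the
# verdict logic can be exercised offline.
SAMPLE_GOOD='Certificate chain
 0 s:CN = mail.example.com
   i:O = Example CA, CN = Example Issuing CA
---
Verification: OK
---
Verify return code: 0 (ok)
---'

SAMPLE_SELF_SIGNED='Certificate chain
 0 s:CN = mail.example.com
   i:CN = mail.example.com
---
Verification error: self signed certificate
---
Verify return code: 18 (self signed certificate)
---'

SAMPLE_NO_TLS="Didn't find STARTTLS in server response, trying anyway...
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 335 bytes
Verification: OK
---
Verify return code: 0 (ok)
---"

# Usage against a real server: probe_smtp mail.example.com 587
# Offline demonstration against the constructed samples:
for s in "$SAMPLE_GOOD" "$SAMPLE_SELF_SIGNED" "$SAMPLE_NO_TLS"; do
    printf '%s\n' "$s" | tls_verdict || true
done
```

`probe_smtp` needs network access and is only defined here, not run. Remember that on port 25 STARTTLS is usually opportunistic: a server that offers it can still be downgraded by a MITM who strips the STARTTLS advertisement, so the probe is only meaningful alongside a client configured to refuse to fall back to cleartext.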


Email Encryption

Image courtesy of Intel Free Press at Flickr.com
Encryption can be difficult for users, which is why organizations automate it for employees and executives with encryption appliances and services: outgoing mail is routed through a gateway appliance configured to encrypt it in line with regulatory and security policies.

Email encryption protects the content of a message from being read by anyone other than its intended recipients. Most email is still transmitted without being encrypted, and readily available tools let someone other than the intended recipient read the contents as they pass by. Email encryption typically relies on public-key cryptography: each user publishes a public key that others use to encrypt messages to them, and keeps secret a private key that only they hold, which they use to decrypt those messages and to digitally sign the messages they send.

Most full-featured email clients (such as Apple Mail, Microsoft Outlook and Mozilla Thunderbird) provide native support for S/MIME secure email, that is, digital signing and message encryption using certificates. Other encryption options include PGP and GNU Privacy Guard (GnuPG), both implementations of the OpenPGP standard.

In addition to encrypting, you can digitally sign your emails, which gives authentication and data integrity: not only can you keep your emails from falling into the wrong hands, you can also prove that a message really came from you and has not been altered since you sent it. The signature is created with your private key and verified with your public key, a pair that is unique to you. In plain words, the purpose of email authentication is to validate the identities of the participants. What ties a public key to a person is the certificate (for S/MIME) or a key fingerprint the recipient has checked (for PGP); a signature that verifies under an unknown key proves nothing about who sent it. The results of such validation can then be used in email filtering, and can tell recipients what kind of reaction or reply a message deserves.
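The signing and encryption described in the last three paragraphs, carried out end to end with the openssl CLI's S/MIME support, as an added example that is not code from the original post: Alice signs a message, Bob verifies it and detects tampering, Alice encrypts to Bob's public key, and Bob decrypts with his private key. It assumes the openssl CLI is installed; Alice, Bob, their addresses and the message text are constructed for the demo, and each party gets a self-signed certificate.

```shell
#!/bin/sh
# Added example, not from the original post: an S/MIME round trip with the
# openssl CLI. Assumes openssl is installed. Alice, Bob, their addresses and
# the message are constructed for the demo, and each party gets a self-signed
# certificate; in a real deployment the certificate is issued by a CA that the
# recipient's mail client already trusts.

# Create a key pair and a self-signed S/MIME certificate for one user.
#   $1 work dir, $2 short name, $3 email address
make_identity() {
    dir=$1; name=$2; email=$3
    cat > "$dir/$name.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = smime
[dn]
[smime]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/$name.cnf" \
        -subj "/CN=$name/emailAddress=$email" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
}

# All helpers take: $1 work dir, $2 user name, $3 input file, $4 output file.
# Sign with the sender's private key; the signer certificate travels with the message.
smime_sign()    { openssl smime -sign    -in "$3" -out "$4" -signer "$1/$2.crt" -inkey "$1/$2.key"; }
# Verify the signature and check the signer's chain against the trusted certificate.
smime_verify()  { openssl smime -verify  -in "$3" -out "$4" -CAfile "$1/$2.crt" 2>/dev/null; }
# Encrypt to the recipient's public key (content encrypted with AES-256).
smime_encrypt() { openssl smime -encrypt -aes256 -in "$3" -out "$4" "$1/$2.crt"; }
# Decrypt with the recipient's private key.
smime_decrypt() { openssl smime -decrypt -in "$3" -out "$4" -recip "$1/$2.crt" -inkey "$1/$2.key"; }

# Full round trip. Prints the text Bob recovers; returns non-zero on any failure.
smime_roundtrip() {
    dir=$1
    make_identity "$dir" alice alice@example.com || return 1
    make_identity "$dir" bob   bob@example.com   || return 1
    # Constructed message body
    printf 'Launch codes are in the blue folder.\n' > "$dir/msg.txt"

    # 1. Alice signs; Bob verifies against Alice's certificate.
    smime_sign   "$dir" alice "$dir/msg.txt"    "$dir/signed.eml"   || return 1
    smime_verify "$dir" alice "$dir/signed.eml" "$dir/verified.txt" || return 1
    grep -q 'blue folder' "$dir/verified.txt" || return 1

    # 2. A message altered in transit must fail verification.
    sed 's/blue folder/red folder/' "$dir/signed.eml" > "$dir/tampered.eml"
    if smime_verify "$dir" alice "$dir/tampered.eml" /dev/null; then
        echo "tampering went undetected" >&2; return 1
    fi

    # 3. Alice encrypts to Bob; the ciphertext must not contain the plaintext.
    smime_encrypt "$dir" bob "$dir/msg.txt" "$dir/encrypted.eml" || return 1
    if grep -q 'blue folder' "$dir/encrypted.eml"; then
        echo "plaintext leaked into ciphertext" >&2; return 1
    fi

    # 4. Only Bob's private key opens it. S/MIME canonicalizes the content to
    #    CRLF line endings, so strip the CR before printing.
    smime_decrypt "$dir" bob "$dir/encrypted.eml" "$dir/decrypted.txt" || return 1
    tr -d '\r' < "$dir/decrypted.txt"
}

# Usage: smime_roundtrip "$(mktemp -d)"
```

Bob trusts Alice's certificate here only because the demo hands it to him directly (`-CAfile`); in practice that out-of-band trust step is exactly what a CA, or for PGP a fingerprint check, replaces. Note also that encryption alone gives no proof of sender: a real message is signed first and then encrypted.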
