This is the first of series of articles that will explain how email encryption works and what steps one must take to successfully apply it to their daily email communication.
The articles will talk about a few facts worth noting. We will describe what is already encrypted and what is not in your daily communication. We will then go on delivering a very non-scientific description of what public-key cryptography is and what that means to you as an email user. We’ll present a few configuration options that you can use to enable encryption of your email. Finally, we’ll present the conditions necessary for encryption to function and a basic scenario leading to sending and receiving an encrypted email.
Encrypted channels of communication
For most of us the daily interaction with the Internet is defined by visiting websites. These may be news portals, blogs, email, video libraries, galleries, shops, …. the list goes on and on. But one common denominator is that the majority of these interactions go about the same scenario – your web browser sends a request to a web server to show a site and in response the server creates a page that is then sent back and presented on your screen.
One specific type of a page that we are going to look at is an email client. An email client is effectively a graphical interface that allows you to read and send your daily dose of email messages. This leads to the first statement worth a note. When you log in to a site like gmail, you are NOT connected to your email server. What you are logged into is an email client in a form of a web site. The actual emails do no reside at the same place. Logging in to Google mail is in its logic the same process as starting Outlook or Apple Mail on your computer.
Let’s look closer at the process of logging in. Typically you type your user name or email address which shows on screen and then the password that shows on screen as a series of dots or asterisks. Finally you hit the sign in button and you’re in (two-factor authentication falls beyond the scope of these articles).
Until this point nothing was encrypted. Presenting your password as a series of asterisks only protected your password against a random bystander who might be looking at your screen. So, was there any true protection of this sensitive data in all this?
Yes, you’ve just gone through an encrypted channel. When you look at the address bar of your browser before typing in your user name or email address you see the address shown as:
In some browsers, like Firefox there will be a green padlock picture to the left of this address line. The padlock and the first part of the address tells you that the communication between your browser and the google mail service is in fact encrypted and authenticated. But mind you, your email address and password are not! They were send as clear text, much like the page you are seeing, but the communication channel through which all this is sent is globally hidden, through encryption, from eavesdropping.
Google mail waits at the other end of the channel, so when they receive the data, it’s no longer encrypted. There are a few steps taken later that lead to protecting the passwords from theft (like hashing),but we as users have no control over them, or effectively are not informed what they exactly are.
For large majority of home computer users the list of encrypted channels in daily usage ends here. But there are a few more that either operate for us behind the scenes or are used by people to perform specific tasks. Again, this and the following articles focus on email so we’re not going to talk about services like SSH or LDAPS.
What happens behind the scenes.
When you click on Send on you email page two things happen:
- the service running the page you’re looking at communicates with the actual email server sending it the content of your email with a request to send it to your peer, this server is the source
- the email server connects with the target server, that holds the email account of the addressee and sends it the content of the email
In many cases (certainly not all) point 1 happens through an unencrypted channel, which often is not a big deal since the web server and the email server are managed by one entity and it’s an internal process. One reason justifying clear communication at this stage is speed. Encryption requires computations and when numbers of processed emails reach millions, limiting required power to process makes sense.
Point 1 is pretty much always encrypted when the email client you use is not a website but a standalone program like Outlook or Thunderbird. Modern email providers offer only encrypted connections for these. We will talk about details pertinent to configuration of these programs in another chapter, as we will need them build your email encryption.
Until not very long ago point 2 happened also on a clear channel. That is our emails were flying through the Internet clear, therefore easily eavesdropped on. Fortunately while an eavesdropping entity could read the content of the email they had no access to the credentials used when logging in to an email service, as those had been processed earlier and they’re not sent with a message.
This has changed. All big players encrypt their sending and receiving end now using the same technology that secures the communication between your browser and the email service.
So at this point it seems like everything we do with our email messages is protected by encryption. No, it’s not! When using a public email service like Google mail one has to be aware that Google can read all your messages. The reason for that is that much like your user name (or email address) and password, the content of your email arrives in clear form – being at the receiving end of an encrypted channel means that, when received, the information is decrypted back to its original form for further processing (analysis, flagging, making adverts a real pain in the back, etc.). That easily triggers lack of trust, which in fact is (should be) inherent to most of the things we do on the Internet. Knowing this what we want to achieve is complete discretion. Google is our courier and we do not want our courier to see what’s in the package.
This is where we enter the world of email encryption. From this moment on we will be looking into making sure that only I can read emails sent to me and only my addressee can read an email sent to them.
End of Chapter I