Encrypted E-Mail Communication

We prefer encrypted communication via e-mail. You should, too. Here are some reasons.

If you're a customer of ours, and maybe even gave us an NDA to sign, it might be important to you that e.g. our results of a pen test or of a not-yet-released appliance are not passed along on an electronic postcard. But this is actually what an e-mail is: every hop from its source to its destination can read this postcard on the fly/wire in cleartext.

This picture, however, lacks some important pieces. Normally postcards are not routed through untrusted paths, to name the worst examples: competitors' networks and countries known to have a large hunger for high-technology information. Also, it is much harder to automatically process the content of a postcard and see whether it might be interesting than it is for digital information.

Furthermore, postcards are normally unique and won't get copied. At the destination, your provider is able to access your e-mail. He is given more of a chance to read it if you don't pull your e-mail soon after receiving it. He might even have the e-mail in his backup, maybe for eternity.

Another point: your snail-mailbox is hopefully locked with a key in some way, but in the case of e-mail you implicitly trust the security of your provider. There have been lots of cases in which big ISPs suffered from severe security problems, e.g. Hotmail, Yahoo, German T-System/Telekom (the so-called T-Hack) and also T-Mobile.

Unlike with a real postcard, the sender could have sent a (B)Cc to his ISP address, or have an Fcc, e.g. on his unencrypted laptop partition, which could get stolen. I am assuming you retrieve your e-mail only via encrypted protocols (i.e. pops/imaps), so that your password cannot be sniffed?

I am stopping here; you got the point, I guess. E-mail encryption solves those problems. It's not for hackers only: there are easy-to-use GUIs available.

There are two standards for secure e-mail communication: S/MIME and OpenPGP. I prefer the latter one.
A complete set of binaries for Windows is Gpg4win. If you are using Mozilla's Thunderbird (good), additionally install the Enigmail extension. Follow the download links, start the installation and send me the public part of your key. Keep the private key in a safe place and secure it with a passphrase. This way I can send you an e-mail which only you can decipher. If you want to send me an encrypted e-mail, import my key into your so-called keyring.

Mac user? I am not one, but here's a good HOWTO.

Linux/BSD/Solaris user? Well, you probably already knew what I was talking about. If you don't: there are a variety of HOWTOs available. Just follow them and in the end pass the public key to me. It basically means: install the program which does the low-level key handling (normally GnuPG), generate your key pair, set up your preferred Mail User Agent (MUA) like Thunderbird+Enigmail, KMail, mutt, ... and maybe install a GUI management application like kpgp, Seahorse or the like.
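The steps above (generate a key pair, hand over the public part, import the correspondent's key, encrypt) as a command-line round trip between two throwaway keyrings. This is an added example, not part of the original page; it assumes GnuPG 2.2 or later, the address, passphrase and message are constructed sample values, and it additionally compares the imported key's fingerprint with one obtained separately before encrypting.

```shell
#!/bin/sh
# Added example: OpenPGP round trip with GnuPG in two isolated keyrings.
# PASS and RCPT_UID are constructed sample values, not real credentials.
PASS='constructed-sample-passphrase'
RCPT_UID='Recipient Example <recipient@example.org>'

# Print the primary-key fingerprint of the first key in keyring $1.
fingerprint() {
    gpg --homedir "$1" --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Recipient: create a passphrase-protected key pair in keyring $1 and
# write the public part (the only part that is handed out) to file $2.
make_keypair() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase "$PASS" --quick-generate-key "$RCPT_UID" &&
    gpg --homedir "$1" --batch --armor --output "$2" --export "$RCPT_UID"
}

# Sender: import public key file $2 into keyring $1, stop unless its
# fingerprint equals $3 (learned over another channel), then encrypt stdin.
encrypt_to() {
    gpg --homedir "$1" --batch --quiet --import "$2" || return 1
    [ "$(fingerprint "$1")" = "$3" ] || { echo 'fingerprint mismatch' >&2; return 1; }
    gpg --homedir "$1" --batch --trust-model always --armor --recipient "$3" --encrypt
}

# Decrypt stdin with the private key held in keyring $1.
decrypt_with() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase "$PASS" --decrypt 2>/dev/null
}

# Whole exchange for message $1: prints the decrypted text, and fails if the
# sender's keyring (which holds only the public key) can read the ciphertext.
round_trip() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 700 "$tmp/rcpt" "$tmp/sender"
    make_keypair "$tmp/rcpt" "$tmp/pub.asc" || return 1
    fpr=$(fingerprint "$tmp/rcpt")
    printf '%s\n' "$1" | encrypt_to "$tmp/sender" "$tmp/pub.asc" "$fpr" \
        > "$tmp/msg.asc" || return 1
    if decrypt_with "$tmp/sender" < "$tmp/msg.asc" >/dev/null; then return 1; fi
    decrypt_with "$tmp/rcpt" < "$tmp/msg.asc"; rc=$?
    for h in rcpt sender; do gpgconf --homedir "$tmp/$h" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$tmp"; return $rc
}
```

Call `round_trip 'some text'` to run the exchange; in real use the two keyrings live on different machines and only `pub.asc` and the encrypted message travel between them.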