The Need for E-mail Security


E-mail has existed as a communication mechanism for a long time. In fact, the first e-mail message was exchanged in 1971 on the ARPANET, the predecessor of today's Internet. Although much has changed since then, the majority of e-mail messages sent today still share one important trait with those from more than 30 years ago - they're not in any way secured by default.

Some of the key security issues associated with normal, unsecured e-mail communications include:

  • Eavesdropping. E-mail messages are sent over the Internet and other networks in plain text format by default. Any user on a network over which the message is traveling can potentially capture the message stream and read its contents. Similarly, any person with administrative privileges on either the sending or receiving mail servers (and desktop computers for that matter) can open and view the entire contents of any user's mailbox folders, and read through that user's messages. Unfortunately, there is no easy way to tell whether other people are reading messages that you send or receive. If you send any e-mail message without securing it, understand that its contents are never truly confidential.

  • Spoofing. Spoofing is a technique whereby messages are sent in a manner that makes them appear to be from a different user. For example, a malicious person could send e-mail messages to other users that appear to be coming from you, using your e-mail address. This technique is commonly used to propagate viruses and spam e-mail messages. Without implementing e-mail security techniques that prove a sender's identity, it is virtually impossible to prove that a message came from the sender listed in its From field.

  • Modification. In the same way that one can eavesdrop on unsecured e-mail messages, their contents can also be modified in transit between a sender and recipient. Any user who can gain access to an e-mail message (whether by capturing it or accessing it on a mail server or desktop computer) can modify its contents to display a different message, or even delete it completely. When e-mail security techniques are not implemented, messages can be modified at any point between the sender and recipient, without either party's knowledge.

  • Repudiation. Based on the various ways in which unsecured e-mail messages can be forged or manipulated, it is never truly possible to prove who sent a message. This can have serious repercussions in both legal and business matters.
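The spoofing and modification issues above can be made concrete with a short added example (not from the book). It uses Python's standard library and an HMAC over the From header and body as a stand-in for a real e-mail signing scheme; the key, addresses, and message text are constructed for illustration. Because the key is shared, this sketch detects forgery and tampering but does not address repudiation, since either key holder could have produced the tag.

```python
import hashlib
import hmac
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed demo key. A shared key stands in here for the private key
# that a real e-mail signing scheme would use.
DEMO_KEY = b"constructed-demo-key"


def build(sender, recipient, body):
    """Serialize a message; the From value is whatever the caller types."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Payment details"
    msg.set_content(body)
    return msg.as_string()


def make_tag(raw, key=DEMO_KEY):
    """HMAC-SHA256 over the From header and body of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    covered = f"{msg['From']}\n{msg.get_content().strip()}".encode("utf-8")
    return hmac.new(key, covered, hashlib.sha256).hexdigest()


def verify(raw, tag, key=DEMO_KEY):
    """True only if From and body are unchanged since the tag was made."""
    return hmac.compare_digest(make_tag(raw, key), tag)


def displayed_sender(raw):
    """What a mail client would show, with no verification at all."""
    return str(message_from_string(raw, policy=policy.default)["From"])


# Constructed sample messages (example.com is a reserved documentation name).
genuine = build("alice@example.com", "bob@example.com", "Pay account 1111")
tag = make_tag(genuine)                      # sent alongside the message
modified = genuine.replace("1111", "9999")   # body altered in transit
spoofed = build("alice@example.com", "bob@example.com", "Send the files")

if __name__ == "__main__":
    for name, raw in [("genuine", genuine), ("modified", modified), ("spoofed", spoofed)]:
        print(f"{name:9} From={displayed_sender(raw)} verified={verify(raw, tag)}")
```

All three messages display the same sender, yet only the genuine one verifies.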

Although using unsecured e-mail to communicate with friends and family may not appear to have any inherent security risks, most people send e-mail messages without giving privacy as much as a second thought. This is especially dangerous in cases where messages contain sensitive information, such as health, business, financial, and personal details.

This isn't to say that you must secure every e-mail message you send. Although that's certainly not a bad idea, properly securing e-mail is sometimes beyond the capabilities of less experienced users. With that in mind, using unsecured e-mail is typically fine if the security and privacy of a particular message is not a concern. However, in cases where sensitive information must be sent (or where verifying the identities of the sender and receiver is important), making use of encryption and sender identification techniques is not only suggested, but highly recommended.

Tip 

An easy way to determine whether the e-mail message you're sending needs to be secured is to ask yourself whether you would announce its details to a room full of strangers. If the answer is yes, an unsecured message will probably do. If the answer is no, then take the necessary steps to ensure the message is properly secured.




PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
EAN: 2147483647
Year: 2004
Pages: 135
Authors: Dan DiNicolo
