OpenPGP, S/MIME, or Some Other Security Solution?

Mail servers hosting corporate email and user workstations running email clients like Outlook or Thunderbird are frequent targets for attackers. Attacking them is easy because information on how email systems work is abundant and public; email handling has been a well-understood technology for decades, so attackers can readily develop methods that exploit its security weaknesses. How to encrypt email is a question for system administrators, not for end users, and it is not an easy one to answer: email systems are favorite targets of threat actors because they must, to some degree, communicate with untrusted third parties. The foundation of email is accessibility, with security as an afterthought; the flood of spam and phishing messages in the last decade compared to the one before is living proof.

How to Encrypt Email

Mail clients have also been targeted as an effective means of inserting malware into machines and of propagating that code to other machines. How many times have we seen Microsoft and Mozilla hurriedly release patches within a single quarter? The question of how to encrypt email was born from the afterthought that email security should have been a priority.

Keeping email clients security-aware enough to lessen the chance of attack is a full-time job for vendors. This is especially true when email clients are not updated regularly; the responsibility for encrypting email rests on the shoulders of decision-makers in each organization's IT department. Microsoft and Mozilla patch known exploits in their respective email clients, and anyone who does not update regularly may fall to exploits that have already been fixed. As a result, email servers, email clients, and the network infrastructure that carries the mail must remain in supported status by following the vendor's regular patching cycle.

Humans are easily distracted and readily follow the norms of society; given that email is human-to-human communication, it makes a convenient social engineering vehicle. Answering the question of how to encrypt is rendered useless if the user has already fallen for a phishing scam, as attackers exploit an organization's users to gather information or to get them to perform actions that expose more user data. A bonus for attackers is the open secret that sensitive information transmitted unencrypted between the mail server and the client may be intercepted. All popular email communication standards send usernames, passwords, and email messages unencrypted by default unless the company intervenes and implements an encryption policy. The question that needs a pressing answer is not how to encrypt email, but "when will we encrypt our emails?"

Standard Thunderbird and Outlook setups default to unencrypted user authentication and send email data in the clear, although the option to encrypt is buried in their settings pages. Sending data in the clear may allow an attacker to easily compromise a user account and/or intercept and alter unencrypted emails. At a minimum, organizations should encrypt the user authentication session even if they do not encrypt the email data itself, either with the client's built-in encryption support or with a third-party solution. Encrypted user authentication is now supported by most standard and proprietary mailbox protocols.

The most widely used standards for encrypting email are signing messages and encrypting message bodies with either Open Pretty Good Privacy (OpenPGP) or Secure/Multipurpose Internet Mail Extensions (S/MIME). Both are based in part on public key cryptography, in which a user holds a pair of related keys: a public key that anyone can hold, and a private key held exclusively by its owner. Unfortunately, only a few have embraced these technologies, because public keys must be exchanged in advance before an encrypted email can be sent and received. The majority of email users do not want to undergo such hassle, so unsigned, unencrypted email continues to persist.

Ultimately, the choice comes down to which solution meets the organization's requirements, given that the funding set aside for such an undertaking is justifiable. As a general rule, unencrypted email should be treated like a publicly posted message: anyone in the vicinity can read and change it without asking for consent. How to encrypt email is a question that should be answered before an organization opens a physical office.

How to encrypt? Securing messages with S/MIME or OpenPGP involves obtaining digital certificates for both the sender and the recipient. A digital certificate has several components:

  1. The name and email address of the person to whom the certificate is issued
  2. A public key and its expiration date
  3. Information about the certificate authority, the legal entity that issued the certificate (including a valid and uniquely issued digital signature)
  4. The serial number of the certificate

Once the sender holds both the sender's and the recipient's digital certificates, the sender can digitally sign and encrypt email messages to the recipient. To protect against viruses, worms, and other forms of malware, scanning must be implemented at one or more points within the email delivery process. Malware scanning is a separate matter from encryption; it can be implemented on the firewall, mail relay, or mail gateway appliance as email enters the organization's network, on the mail server itself, and/or on the end users' hosts.
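As an added worked example (written for this page, not code from the article or from any vendor it names), the following Go program carries the public-key steps from the last two paragraphs through with the standard library: it generates two self-signed certificates holding the components listed above (holder name and email address, public key and expiry, issuer, serial number), signs a message with the sender's private key, encrypts it to the public key in the recipient's certificate, and has the recipient decrypt and verify. The names, addresses, serial numbers and message body are constructed for the example, and the certificates are self-signed rather than issued by a certificate authority. To stay short it encrypts the body directly with RSA-OAEP, where S/MIME would encrypt the body with a one-time symmetric key and wrap only that key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a user's private key with their certificate (self-signed here; real S/MIME certificates come from a CA).
type Identity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewIdentity generates a 2048-bit RSA key and a one-year certificate carrying
// the components listed in the article: holder name and email address, public
// key and expiry, issuer (the holder itself, since self-signed) and serial number.
func NewIdentity(name, email string, serial int64) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: name},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // parse it back, as a correspondent would
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// SealedMessage is what the sender transmits: the body encrypted to the
// recipient's public key plus the sender's signature over the plaintext.
type SealedMessage struct {
	Ciphertext, Signature []byte
}

// Seal signs plaintext with the sender's private key (RSA-PSS over SHA-256) and
// encrypts it to the public key in the recipient's certificate (RSA-OAEP). S/MIME
// would wrap a one-time symmetric key instead; the short body here is encrypted directly.
func Seal(sender *Identity, recipient *x509.Certificate, plaintext []byte) (*SealedMessage, error) {
	recipPub, ok := recipient.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("recipient certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipPub, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return &SealedMessage{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private key and verifies the signature against the
// sender's certificate. A wrong recipient key, tampered ciphertext or wrong sender all error.
func Open(recipient *Identity, sender *x509.Certificate, m *SealedMessage) ([]byte, error) {
	plaintext, err := rsa.DecryptOAEP(sha256.New(), nil, recipient.Key, m.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypting body: %w", err)
	}
	senderPub, ok := sender.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("sender certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return plaintext, nil
}

func main() {
	// Constructed sample identities and message; nothing here is real data.
	alice, _ := NewIdentity("Alice Example", "alice@example.com", 1001)
	bob, _ := NewIdentity("Bob Example", "bob@example.com", 1002)
	msg, _ := Seal(alice, bob.Cert, []byte("Quarterly figures attached."))
	body, err := Open(bob, alice.Cert, msg)
	fmt.Printf("to %s: recovered %q (err=%v)\n", bob.Cert.EmailAddresses[0], body, err)
}
```

Run it with `go run`. The error paths in Open are the point for a defender: a message encrypted to someone else, a modified ciphertext, or a signature checked against the wrong certificate all fail instead of yielding a plausible body. A real recipient would additionally validate the sender's certificate chain and validity period (for example with the certificate's Verify method) and confirm that the email address in the certificate matches the message's From header.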

Alternatively, instead of dealing with the complexity of encrypting with PGP or S/MIME, system administrators can tackle security head-on with an antimalware/antispam gateway. One such service is from Comodo, a trusted name in security and privacy. Comodo Anti Spam Gateway is an all-in-one solution that deals directly with the security issue, not just with how to encrypt emails. Try it today!