Fortunately, the organizations and companies that provide you with an e-mail account are also interested in keeping you safe. Over the past couple of years, most have improved both the security of your account and the protection of the data that travels to and from it.
Step 1: Encrypting your log-in
Using hard math to scramble the user name and password that your computer or phone sends to the mail server (“SSL” encryption, now properly called TLS) is the most basic defense against credential theft. But it was not always used. As recently as 2007, I saw one major Internet provider not using basic “SSL” encryption. That meant that anybody running a malicious (or compromised) Wi-Fi hotspot could read your log-in data straight off the air, with nothing to decrypt.
Bonus feature No. 1: “EV-SSL.” Ever see your browser highlight a site’s domain name in green? That means the site purchased an “Extended Validation” certificate, for which the certificate authority checked the legal identity of the organization behind the site, a rough equivalent of having a notary public verify your identity. It does not make the encryption itself any stronger; it only tells you more about who is on the other end.
Bonus feature No. 2: “forward secrecy.” Without it, every session you ever had with a server is protected by that server’s one long-term private key, so anyone who records your traffic today and obtains the key later (by theft, a court order or a server bug) can unscramble everything they saved. With forward secrecy (often called “perfect forward secrecy,” though I’m wary of repeating that kind of a claim), the long-term key is used only to prove the server’s identity, and each session negotiates a fresh, throwaway key that both sides discard when the session ends. Cracking or recovering one of those one-time keys reveals nothing that helps against any other session, past or future.
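Here is an added example, not part of the original column and not any provider’s code, that shows the difference in working Python: a Diffie-Hellman key exchange run two ways over the 2048-bit group from RFC 3526, once with the server reusing a permanent exponent and once with a throwaway exponent that its long-term key merely vouches for. The “signing key” is an HMAC key standing in for a certificate’s private key, the transcripts are constructed, and the attacker is a passive recorder who later obtains the server’s long-term secret.

```python
"""Added example (not from the column): what forward secrecy changes.
Diffie-Hellman over the 2048-bit MODP group of RFC 3526 (group 14), run two
ways: "static", where the server's long-term secret IS its DH exponent and is
reused every session; and "ephemeral", where the long-term secret only vouches
for a fresh exponent that is erased after use.  The "signing key" is an HMAC
key standing in for a certificate's private key (standard library only)."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 prime, transcribed; checked below to catch a typo.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 256  # 2048 bits


def passes_fermat(n, bases=(2, 3, 5, 7, 11)):
    """Fermat test: not a proof of primality, but a transcription error in P
    would almost surely fail it."""
    return all(pow(a, n - 1, n) == 1 for a in bases)


assert passes_fermat(P), "modulus transcription error"


def derive_session_key(shared_secret):
    """Hash the DH shared secret down to a 256-bit symmetric session key."""
    return hashlib.sha256(shared_secret.to_bytes(NBYTES, "big")).digest()


def sign(signing_key, public_value):
    """Stand-in signature over a DH public value (HMAC, see module docstring)."""
    return hmac.new(signing_key, public_value.to_bytes(NBYTES, "big"), hashlib.sha256).digest()


def static_dh_session(server_static_priv):
    """One session without forward secrecy.  Returns the session key and the
    transcript a passive eavesdropper on the wire would record."""
    server_pub = pow(G, server_static_priv, P)
    client_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    key = derive_session_key(pow(server_pub, client_priv, P))
    return key, {"mode": "static", "client_pub": client_pub, "server_pub": server_pub}


def ephemeral_dh_session(server_signing_key):
    """One session with forward secrecy: a throwaway exponent, vouched for by
    the long-term key and erased as soon as the session key exists."""
    server_eph_priv = secrets.randbelow(P - 2) + 1
    server_eph_pub = pow(G, server_eph_priv, P)
    sig = sign(server_signing_key, server_eph_pub)
    client_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    key = derive_session_key(pow(server_eph_pub, client_priv, P))
    assert key == derive_session_key(pow(client_pub, server_eph_priv, P))  # server's view
    del server_eph_priv, client_priv  # both ends forget their exponents
    return key, {"mode": "ephemeral", "client_pub": client_pub,
                 "server_pub": server_eph_pub, "sig": sig}


def attacker_with_stolen_key(transcript, stolen_long_term_secret):
    """What someone who recorded the transcript can do after later obtaining
    the server's long-term secret (theft, a court order, a server bug)."""
    if transcript["mode"] == "static":
        # The stolen exponent unlocks every recorded session, past and future.
        shared = pow(transcript["client_pub"], stolen_long_term_secret, P)
        return {"past_session_key": derive_session_key(shared), "can_impersonate_future": True}
    # Ephemeral: the transcript holds only g^a, g^b and a signature.  The stolen
    # key checks out (and would let the attacker sign future handshakes), but
    # the exponent behind server_pub is gone, so the recorded session stays
    # sealed short of solving a 2048-bit discrete logarithm.
    expected = sign(stolen_long_term_secret, transcript["server_pub"])
    sig_ok = hmac.compare_digest(expected, transcript["sig"])
    return {"past_session_key": None, "can_impersonate_future": sig_ok}


def demo():
    """Run one session of each kind and report what the attacker recovers."""
    static_priv = secrets.randbelow(P - 2) + 1
    signing_key = secrets.token_bytes(32)
    s_key, s_transcript = static_dh_session(static_priv)
    e_key, e_transcript = ephemeral_dh_session(signing_key)
    e_key2, _ = ephemeral_dh_session(signing_key)
    return {
        "static_key_recovered": attacker_with_stolen_key(s_transcript, static_priv)["past_session_key"] == s_key,
        "ephemeral": attacker_with_stolen_key(e_transcript, signing_key),
        "ephemeral_keys_differ": e_key != e_key2,
    }


if __name__ == "__main__":
    print(demo())
```

The “static” branch is the pre-forward-secrecy world the paragraph describes: one stolen server secret and every recording on the shelf opens. In the “ephemeral” branch the same theft still lets the attacker impersonate the server from now on, which is why a compromised key must be replaced, but the recordings already made stay sealed.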
Step 2: Encrypting your session
Once you log in, you want the rest of your session to stay encrypted too. If it isn’t, it is all too easy for someone on the same network to snoop on or hijack the connection by capturing the small “cookie” file that the website stored in your browser to spare you from logging in anew every time. A captured session cookie can be replayed later to get into the account, without its owner ever knowing.
Over the past few years, full-time encryption — going by names like “sitewide SSL,” “always-on SSL,” and “full-time HTTPS” — has become standard at most webmail services and social networks such as Facebook and Twitter.
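The following is an added example (not from the column, and not any site’s code) of the check a practitioner runs on a site that claims always-on HTTPS: whether its session cookie carries the Secure attribute. Without it the browser still sends the cookie on any plain http:// request for the site, including the one it makes when you type the address without “https://” and get redirected. The Set-Cookie values and URLs are constructed for the example, using the reserved name example.test.

```python
"""Added example (not from the column): the cookie side of "always-on HTTPS".
A browser attaches a session cookie to every request for the site unless the
cookie carries the Secure attribute, so one stray http:// request is enough to
put the cookie on the wire in the clear.  The Set-Cookie values and URLs below
are constructed for the example, not captured from any real site."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header value into name, value and attributes
    (attribute names are case-insensitive; flag attributes map to True)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def browser_would_send(cookie, url):
    """Would a browser attach this cookie to a request for url?  Host and
    path scoping are ignored; the point here is the scheme."""
    scheme = urlsplit(url).scheme.lower()
    if cookie["attrs"].get("secure"):
        return scheme == "https"
    return scheme in ("http", "https")


def plaintext_exposures(cookie, urls):
    """URLs in a browsing session on which the cookie would travel
    unencrypted, i.e. where a hostile hotspot could capture it for replay."""
    return [u for u in urls
            if urlsplit(u).scheme.lower() == "http" and browser_would_send(cookie, u)]


def audit_session_cookie(header):
    """Findings a practitioner would flag on a login/session cookie."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if not attrs.get("secure"):
        findings.append("missing Secure: cookie is sent on plain http:// requests")
    if not attrs.get("httponly"):
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    return findings


# A constructed session: the user types the bare host name, the browser tries
# http:// first and is redirected to https://, then reads and writes mail.
SESSION_URLS = [
    "http://mail.example.test/",
    "https://mail.example.test/inbox",
    "https://mail.example.test/compose",
]

if __name__ == "__main__":
    for header in ("SESSIONID=7f3a9c; Path=/; HttpOnly",
                   "SESSIONID=7f3a9c; Path=/; Secure; HttpOnly"):
        cookie = parse_set_cookie(header)
        print(header, "->", audit_session_cookie(header) or "ok",
              "| exposed on:", plaintext_exposures(cookie, SESSION_URLS))
```

Run it and the first cookie shows up on the plain-http address-bar request even though every page of the site is served over HTTPS; the second never leaves the browser except inside an encrypted connection, which is what “always-on” has to mean in practice.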
Step 3: Encrypting email in transit
The most welcome upgrade in email in the past few months has been the widespread move to deploy “TLS” encryption to secure email as it travels between mail servers across the Internet. Both mail services have to support it: before handing over a message, the sending server asks the receiving server whether it offers TLS, and if the answer is yes the two perform a quick “handshake” and the message crosses the Internet encrypted. The great thing here is that neither the sending nor the receiving human has to do anything extra. The bad thing is that this upgrade is opportunistic. If the receiving server does not offer TLS, or if someone sitting between the two servers tampers with the conversation so that the offer never arrives, the message goes out in the clear, and, currently, neither party can easily tell whether it was actually encrypted.
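As an added example (not part of the column, and not any mail provider’s code), here is that negotiation in working Python: the sending server reads the receiver’s reply to its EHLO greeting, looks for the STARTTLS keyword and upgrades the connection if it is there. The replies and host names are constructed. The block also shows the weak point: a sender that only takes TLS when offered will quietly fall back to plaintext if someone between the two servers deletes that one line, so it includes a require-TLS policy that refuses instead.

```python
"""Added example (not from the column): how one mail server learns that the
next one accepts TLS, and why merely accepting the offer is not enough.
The EHLO replies and host names are constructed for the example and are not
from any real mail server."""


class TlsRequiredError(Exception):
    """Raised when policy demands TLS but the receiver did not offer it."""


# Reply a receiving server sends to EHLO when it supports the TLS upgrade.
HONEST_EHLO = (
    "250-mx.example.test Hello relay.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
# The same reply after an on-path attacker has deleted the STARTTLS line.  To
# the sender it looks like an old server that simply never learned TLS.
STRIPPED_EHLO = (
    "250-mx.example.test Hello relay.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def ehlo_extensions(reply):
    """Extension keywords from a multiline 250 reply (RFC 5321 section 4.1.1.1).
    The first 250 line is the greeting and carries no extension."""
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].strip()}


def choose_transport(reply, require_tls=False):
    """Opportunistic mode returns "tls" if offered and "plaintext" otherwise;
    with require_tls the sender refuses rather than send unencrypted."""
    if "STARTTLS" in ehlo_extensions(reply):
        return "tls"
    if require_tls:
        raise TlsRequiredError("receiver did not advertise STARTTLS; not sending in the clear")
    return "plaintext"


def smtp_dialogue(reply, require_tls=False):
    """The client/server exchange up to the point the message would be sent,
    as (side, line) pairs.  Server lines after STARTTLS are constructed to
    match what a real server answers."""
    log = [("C", "EHLO relay.example.org")]
    log += [("S", ln) for ln in reply.splitlines()]
    if choose_transport(reply, require_tls) == "tls":
        log += [("C", "STARTTLS"), ("S", "220 2.0.0 Ready to start TLS"),
                ("-", "<TLS handshake; everything below is encrypted>"),
                ("C", "EHLO relay.example.org")]  # EHLO again inside TLS
    else:
        log += [("-", "<no TLS; everything below crosses the network in the clear>")]
    log += [("C", "MAIL FROM:<alice@example.org>")]
    return log


if __name__ == "__main__":
    for name, reply in (("honest", HONEST_EHLO), ("stripped", STRIPPED_EHLO)):
        print(f"--- {name} reply, opportunistic sender ---")
        for side, line in smtp_dialogue(reply):
            print(side, line)
    try:
        smtp_dialogue(STRIPPED_EHLO, require_tls=True)
    except TlsRequiredError as err:
        print("--- stripped reply, require-TLS sender ---\nrefused:", err)
```

Whether a given sender enforces a require-TLS policy is exactly the part neither human can see from outside, which is the “bad thing” above; an opportunistic sender and a sender that was downgraded produce the same silent plaintext delivery.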
Step 4: End-to-end encryption
But what happens once the message arrives at your correspondent’s servers, after which point even TLS can’t protect it?
With end-to-end encryption, not even those mail server computers can read it; only the person running a decryption program and in possession of the right digital key can decode it. This is both tremendously secure and, for most people, a huge pain to use on a daily basis.
Google’s project to build a simpler end-to-end encryption system that you could install from its Chrome Web Store is an important, promising step. But let’s see if it gets the interface right — and make sure that outside security experts inspect its code to verify that its cryptography can’t be broken by an attacker.
Don’t forget that in any of these situations, somebody peeking over your shoulder — or using a “keylogger” program to record your keystrokes — can get around encryption and read your words as you write them.
While there is no such thing as perfect email security, for many people, there is definitely better security.