Securing Your Email With SSL

The easiest way to help make your email more secure is to use secure email provider that allows you to use the "Secure Socket Layer"(SSL) when connecting to their WebMail, POP, IMAP, and SMTP servers. Note: There are other options such as S/MIME and PGP which are also supported by PSMail. However they are more complex to setup and manage at the sender's computer and recipient's computer.

SSL is a key based encryption mechanisms. If you connect to a server using SSL, the following things happen

1. The server uses its private key to prove to you that it is in fact the server that you are trying to connect to. This allows you to trust that you are connecting to the right server and not some "middleman" trying to intercept your communications.
2. You send the server your public key (random).
3. The server generates a "secret key" and sends it to you encrypted using your public key.
4. You and the server then communicate using symmetric key encryption using this shared secret key.

The benefits of SSL are twofold: 1. you can be sure that you are connecting to the right server, and 2.you and the server communicating through a secure channel.

If you get any warning messages when connecting to a SSL based server using SSL, you should not ignore them. These warnings can also indicate that your communications are being intercepted. (see a sample image here) These warnings usually indicate one of the following:

1. The server's SSL "certificate" (i.e. signed by a ertified authority) has expired.
2. Some of the information in the certificate doesn't match the information you expect -- i.e. the certificate was issued for a different server name than the one you are trying to connect to. (You could be inadvertently connecting to the wrong server.)
3. The certificate was issued by an untrusted agency.

SSL certificates are (generally) issued by third party agencies such as RapidSSL or Thawte.com or Verisign. These 3rd party companies do a background check on the company requesting the certificate and only issue it if they have a right to the certificate. The certificate includes the name of the company, the name of the issuing company, and the name of the server to which it is issued. When you connect to an SSL server you can verify this embedded information and the fact that it was issued by a third party company that you trust. If all this checks out, then you can have confidence that the server you are connecting to is in fact the intended server.

Using SSL for WebMail, POP, IMAP, and SMTP ensures that all of your communications between your personal computer and your email service provider's computers will be encrypted. Your message contents (attachments, headers, message body) , username, and password will be hidden from eavesdroppers -- but only hidden from eavesdroppers between you and your service provider! Using these SSL services does not protect your messages at all once they leave your SMTP Server and head to their destinations, more information below. So, it doesn't really protect your message contents too much, but it does protect your message in the local context - say you are using a wireless or some open connection from an untrusted ISP. This is very important as it helps mitigate identity theft, the sending of false messages, eavesdropping by ISP or by unknown parties etc.

Additionally, using SSL is easy. It usually only involves a simple change in the configuration of your email client. It is transparent to your recipients - you can use SSL for these services even if your recipients do not. These measures protect you and your password. Because it is so easy and because the security you receive is much better than no security, we strongly encourage the use of SSL for email communications whenever possible.

Now for some examples

[Your computer]         [Untrusted ISP / Internet Region]         (Trusted Server / Safe Region)         (Remote Server / Safe Region)         Intended message recipient

If you have secure email, then your email transmission is encrypted BETWEEN your computer and the Trusted Server (links indicated by         ). The email is not secure on your computer nor is it secure when it leaves the Trusted Server. The transmission from Trusted Server to Remote Server may be encrypted, (indicated by         ) but is most likely not (some of the remote systems such as myrealbox.com swishmail.com will have this part also encrypted) . Finally the transmission from Remote Server to Intended Recipient , again, might be encrypted, but is most likely not. So, only the transmission from your computer to Trusted Server is guaranteed to be secured. This can be useful asyour media for transimission to Trusted Server is not trusted (Untrusted ISP - a good example of this is a wireless connection in airport. Anybody can "eavesdrop" in the Untrusted ISP zone and get information sucha s your username, password and your full email content. The greatest benefits are if Trusted Server is beyond the reach of prying eyes. If a Untrusted ISP (or some who hacked this ISP) is monitoring email traffic, this setup can keep them from easily monitoring your email. What they will see is that your computer is sending and receiving email over an encrypted channel and that encrypted stream is nor readible. All the contents of the email header, message and attachments are encrypted while in transit this way. This applies to both sending and receiving emails from [Your Computer]