The importance of 'whole journey' email encryption

Goodbye Media Defender

Encryption is all well and good, until you involve humans in the process. See Media Defender's (big) mistake for a perfect example:

ttp://tinyurl.com/35op7u

Searches

I use client-side (PGP and GnuPG) encryption all the time. Some of our partners are pretty tinfoil.

I keep all email from them encrypted on my client, to be decrypted when read. This is the standard EnigMail setting (I'm not sure if you can have it the way PGP does it, which is to decrypt on the way to your client, which stores them decrypted).

You ever tried searching through hundreds of PGP-encrypted emails?

The Irish Peace Dividend ........ In the Beginning, was their Chaos.

"Asking users to manually encrypt emails each time they are sent is a surefire recipe for wasted investment in security technology."

XXXXPecting Email Service Providers to Apply Appropriate Security Measures for Hosted Traffic would enable Network and InterNetworking Users to Share Information Freely with the Onus being put on the System to Server and Protect.

That would necessarily mean that the System is responsible for providing Intelligence, rather than twiddling their thumbs, gathering IT.

Have they never tried Creative ProAction ..... NeuReal Content for Media Players to Feast upon with Relish rather than avoid like the Plague?

Only for those Shock and Awe War World Weary Players MetaMorphing into Havok Modus Operandi/Vivendi. Ca Ira UniVersal Forces 2 ...... Home is where the Heart is.

don't let the email leave your site if possible

only permit tls smtp from client to mail server

only allow secure imap type of service so mails don't reside on the client, and ensure that saving the password in the mail client is disabled

and thus do your best to ensure the emails themselves don't leave the server. the only snag is that many mail clients save attachments to temporary storage and don't delete them afterwards, so whilst the email is safe the confidential document attached does leak.

Just don't use SMTP

It was never designed to be secure. Try X.500 instead.

How can you have "end to end encryption" with "checking for keywords"?

Please El Reg stop carrying crap from Bloor Research. If they are paying you to do so, tell me which adds to click and I'll happily click a hundred!

Complete encryption is possible and can be made mandatory using public & private key pairs. However, the encryption must happen as the e-mail is written so you can't "snoop" the contents on the way otherwise it wouldn't be encrypted! And, of course, any partners need to have the public key of the person sending it in order to be able to read it. Distributing and installing the keys would be more of a challenge but not insurmountable: the number of business contacts anyone has probably doesn't change that much. But this is much more about teaching people about security than technology. And that is where the whole project fails.

Anyone used Exchange?!

Um, sorry security expert who advised on this, but the worlds most popular email platform (Exchange) by default encrypts ALL internal traffic, regardless of connectivity method - other than SMTP/POP3/IMAP. Mobile devices, webmail, desktop etc - all encrypted out of the box.

No use for external email mind, but the first page is all about internal traffic and out of the box Exchange not only supports it, but enables it.

What a bunch of crap...

...talking about internal intruders snooping on plaintext email discussing promotions, pay raises, redundancies and whatnot.

To do this without leaving a trace would require that the intruder compromise the network's email, so they can read the juicy traffic, and activity logging systems, so they can cover their tracks. If someone's got that far, chances are the admin credentials they've compromised also grant access to the PKI infrastructure, meaning they'll also be able to get around and encryption that's been put into place.

The scenario the article describes requires that the target organisation, essentially, employs a blackhat and gives them God-level access to the network... if that's the case, the organisation doesn't have a problem with its IT infrastructure, but its HR department.

I second what Charlie Clark has already said... the name Bloor Research should come with a set of quotes or a question mark. They publish half-thought-out, squealing-fanboi hyperbole and generalisations. Frankly, they come across as never having sat at a workstation running any security application more elaborate than home-user AV.

The Standards Are Here

... so use them. X.509 certificates, TLS (extensions defined/used for all protocols: HTTP/SMTP/POP/IMAP), S/MIME or PGP (your choice; OE has always supported S/MIME). Simple configuration changes, group policies, etc etc. should make it possible to ensure all communications are required to be not only encrypted by sent/received by trusted hosts. Then there's PGP, of course - PGP can take lots of money from you in exchange for their serverside integrated stuff for sending between hosts, assuming intercorporate X509 relationships don't exist for use of SMTP TLS extension over the net between intercorporate hosts. Whatever, it's all there. Just think carefully and put someone who understands in charge. Oh, and do try not to leave anything too sensitive on a Windows box if you expect it to be raided and taken to bits, as the game is over for you then.

Cheers,

Sabahattin