back to article The importance of 'whole journey' email encryption

It is very rare for an organisation to mandate less security in its IT systems. In fact, the relentless march of new threats places pressure on us all to increase our levels of security, to ensure we can match new and emerging attacks. Email is one of the most potent business tools that we have, but also one of the most …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Very good BUT...

    1) With end to end encryption you are relying on the capabilities of desktop security software to protect your company and users. Which is the bigger threat? Somebody capturing the email on the network OR somebody with end-end encryption abusing it with NSFW or confidential information?

    2) The key advantage of end to end as you describe it here is to protect against internal attackers. Sorry but if somebody is on your network to that extent then you are pretty much stuffed anyway... It doesn't matter how good your end-end encryption is, it won't help against a keystroke logger.

  2. Pete Smith

    Goodbye Media Defender

    Encryption is all well and good, until you involve humans in the process. See Media Defender's (big) mistake for a perfect example:


  3. Anonymous Coward
    Anonymous Coward


    I use client-side (PGP and GnuPG) encryption all the time. Some of our partners are pretty tinfoil.

    I keep all email from them encrypted on my client, to be decrypted when read. This is the standard EnigMail setting (I'm not sure if you can have it the way PGP does it, which is to decrypt on the way to your client, which stores them decrypted).

    You ever tried searching through hundreds of PGP-encrypted emails?

  4. amanfromMars Silver badge

    The Irish Peace Dividend ........ In the Beginning, was their Chaos.

    "Asking users to manually encrypt emails each time they are sent is a surefire recipe for wasted investment in security technology."

    XXXXPecting Email Service Providers to Apply Appropriate Security Measures for Hosted Traffic would enable Network and InterNetworking Users to Share Information Freely with the Onus being put on the System to Server and Protect.

    That would necessarily mean that the System is responsible for providing Intelligence, rather than twiddling their thumbs, gathering IT.

    Have they never tried Creative ProAction ..... NeuReal Content for Media Players to Feast upon with Relish rather than avoid like the Plague?

    Only for those Shock and Awe War World Weary Players MetaMorphing into Havok Modus Operandi/Vivendi. Ca Ira UniVersal Forces 2 ...... Home is where the Heart is.

  5. Paul

    don't let the email leave your site if possible

    only permit tls smtp from client to mail server

    only allow secure imap type of service so mails don't reside on the client, and ensure that saving the password in the mail client is disabled

    and thus do your best to ensure the emails themselves don't leave the server. the only snag is that many mail clients save attachments to temporary storage and don't delete them afterwards, so whilst the email is safe the confidential document attached does leak.

  6. Steve

    Just don't use SMTP

    It was never designed to be secure. Try X.500 instead.

  7. Charlie Clark Silver badge

    How can you have "end to end encryption" with "checking for keywords"?

    Please El Reg stop carrying crap from Bloor Research. If they are paying you to do so, tell me which adds to click and I'll happily click a hundred!

    Complete encryption is possible and can be made mandatory using public & private key pairs. However, the encryption must happen as the e-mail is written so you can't "snoop" the contents on the way otherwise it wouldn't be encrypted! And, of course, any partners need to have the public key of the person sending it in order to be able to read it. Distributing and installing the keys would be more of a challenge but not insurmountable: the number of business contacts anyone has probably doesn't change that much. But this is much more about teaching people about security than technology. And that is where the whole project fails.

  8. Steven Hewittt

    Anyone used Exchange?!

    Um, sorry security expert who advised on this, but the worlds most popular email platform (Exchange) by default encrypts ALL internal traffic, regardless of connectivity method - other than SMTP/POP3/IMAP. Mobile devices, webmail, desktop etc - all encrypted out of the box.

    No use for external email mind, but the first page is all about internal traffic and out of the box Exchange not only supports it, but enables it.

  9. Marko Alat

    What a bunch of crap...

    ...talking about internal intruders snooping on plaintext email discussing promotions, pay raises, redundancies and whatnot.

    To do this without leaving a trace would require that the intruder compromise the network's email, so they can read the juicy traffic, and activity logging systems, so they can cover their tracks. If someone's got that far, chances are the admin credentials they've compromised also grant access to the PKI infrastructure, meaning they'll also be able to get around and encryption that's been put into place.

    The scenario the article describes requires that the target organisation, essentially, employs a blackhat and gives them God-level access to the network... if that's the case, the organisation doesn't have a problem with its IT infrastructure, but its HR department.

    I second what Charlie Clark has already said... the name Bloor Research should come with a set of quotes or a question mark. They publish half-thought-out, squealing-fanboi hyperbole and generalisations. Frankly, they come across as never having sat at a workstation running any security application more elaborate than home-user AV.

  10. Sabahattin Gucukoglu

    The Standards Are Here

    ... so use them. X.509 certificates, TLS (extensions defined/used for all protocols: HTTP/SMTP/POP/IMAP), S/MIME or PGP (your choice; OE has always supported S/MIME). Simple configuration changes, group policies, etc etc. should make it possible to ensure all communications are required to be not only encrypted by sent/received by trusted hosts. Then there's PGP, of course - PGP can take lots of money from you in exchange for their serverside integrated stuff for sending between hosts, assuming intercorporate X509 relationships don't exist for use of SMTP TLS extension over the net between intercorporate hosts. Whatever, it's all there. Just think carefully and put someone who understands in charge. Oh, and do try not to leave anything too sensitive on a Windows box if you expect it to be raided and taken to bits, as the game is over for you then.



This topic is closed for new posts.