Are You Encrypting Your Email?

Category: Email , Privacy

Interest in email encryption has skyrocketed since Ed Snowden revealed the NSA’s widespread surveillance of electronic communications. Here is the low-down on email encryption, and some methods of doing it.

How To Encrypt Your Email Messages

Unencrypted email is a sitting duck for eavesdroppers; your message is sent in plain text that anyone who intercepts it can read. Email bounces from one server to another, often many times, on its way from sender to receiver. Administrators at any of these relay points can read any email they choose (although they’re usually too busy). Search warrants or national security letters can force email service providers to open their stored copies of your email to the government.

Encryption is essential if you want any assurance of privacy. There are three things that need to be encrypted to protect your email fully.

First, the connection between you and your email server should be encrypted. For Webmail users (Gmail, Yahoo, Outlook.com, AOL, etc.) this is done for you automatically. When you're logged in, you’ll see “https” instead of “http” in your browser’s address bar, and a lock icon that indicates you have a secure encrypted connection.
Encrypted Email

Desktop email clients such as Outlook, Thunderbird, and Eudora can secure connections to email servers using SSL/TLS, too, if the server supports it. Consult your Internet Service Provider or your email program's help files for details on how to enable secure connections.

The Next Step

Second, each email message should be encrypted before it is sent to protect its contents against prying eyes while it resides on other people’s servers, including your email service provider. This is important because even though your email travels over a secure, encrypted connection, it's stored in plain (non-encrypted) text once it arrives. If your email service provider (or the recipient's) is served with a court order to give up your mail, it should be able to hand over only a file of encrypted gibberish. The email service provider should not have the key that decrypts your encrypted email.

However, sender and receiver must have digital certificates and they must know each other’s public encryption keys before they can exchange encrypted email. Yes, that sounds kind of geeky. In the past, setting up encryption has been a challenge for most users so it hasn’t gotten done. Now there are services that make using encryption easy.

Virtru provides add-ons and apps that do the heavy lifting of email encryption. It supports Internet Explorer, Firefox, Chrome, and Safari browsers; iOS and Android devices; and Outlook and Mac Mail desktop mail clients. Once installed, Virtu lets you encrypt any email you choose before it is sent. Virtru never sees your email’s contents and your email service provider never gets the key that decrypts your mail. However, recipients do not need the Virtru software or a public key; they just have to verify their identities once by registering with Virtru or using Oauth or OpenID and their Google, Yahoo, or Microsoft account.

Virtru’s basic end-to-end email encryption (including attachments) is free. It comes with a 14-day trial of the Premium features including the ability to revoke/cancel an email after it’s sent, control of forwarding, setting of email expiration dates, and more. If you want these features they cost $2/month after the trial ends.

Protonmail goes beyond Virtru to provide email service as well as encryption of email. Like Virtru, Protonmail cannot decrypt any of its users email. Better still, Protonmail provides email servers that are beyond the reach of the NSA and other governments’ spies. Protonmail’s servers are in Switzerland, where strong privacy laws keep all governments out of email and other personal electronic data.

EncryptFree is another option that works much like an online translator. Write your message text. Copy and paste it into the online form. Enter a password of your choosing and click “Encrypt.” Copy the encrypted text generated by EncryptFree and paste into your email form and send it. Communicate the password to the recipient by some means other than email. (I personally prefer to send the lid of a Snapple bottle by carrier pigeon, with the understanding that the message inscribed on the underside is our secret decryption password. Shhh, don't tell the NSA...) The recipient can use the password and EncryptFree to decrypt your message. Yes, it’s a hassle, but it works with any email app.

What About Your Locally Stored Email?

Third, email stored on your local device should be encrypted in case the device is lost, stolen, or accessed without your permission. If you're on a mobile dewvice, Apple iOS has supported device encryption for years, and Android does too. Windows users can encrypt their hard drives using TrueCrypt or the built-in Bitlocker utility. Filelocker is the Mac OS X equivalent.

Some (perhaps most) users feel that encrypting email is not necessary or just too much trouble. If you feel that way, I'm not trying to change your mind. But for those who feel the need to be more proactive about email privacy, here are the tools you can use.

Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 29 Jan 2015


For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 28 January 2015

The Top Twenty
Next Article:
Time to Start Encrypting Your Stuff?

Most recent comments on "Are You Encrypting Your Email?"

Posted by:

GregC
29 Jan 2015

Virtru is about as slick an e-mail encryption system as I have seen. I tried using PGP but getting anyone else to use it was a big hurdle.

For encrypting files that can be attached to a message or just stored on your drive, take a look at Minilock.io Be careful with TrueCrypt - it was end-of-life'ed due to some unresolved security issues.


Posted by:

Rhonda Lea Kirk Fries
29 Jan 2015

As a matter of principle, I think everyone should encrypt their email.

As a practical matter, I don't care. I don't put into email any information that would matter were it loosed upon the world at large, so it's just not an issue for me.

Besides which, just the idea of maintaining high privacy alert at all times makes my adrenal glands shrivel.


Posted by:

RandiO
29 Jan 2015

Germans are quite security conscious as well. The encrypted mail service TutoNota appears to be more flexible and robust than the simpleton ProtonMail. https://tutanota.com/


Posted by:

Judyth Mermelstein
29 Jan 2015

You might also want to mention that Thunderbird users can install Enigmail https://www.enigmail.net (Windows or Mac)
which is free and quite painless to use. Non-techies may think it hard to set up but the instructions are clear and it's worth the effort to install it. (It took me about 15 minutes, including creating my keys.)
Also, I don't encrypt everything I send, since most messages I send contain nothing sensitive and most recipients aren't (yet?) used to decrypting. With Enigmail you can choose whether to encrypt and/or digitally sign the individual message.
Another online service that seems to be popular is Hushmail, but I confess I would hesitate to use it for anything that would incur undue interest from third parties. There are other online services, chat applications and such which promise confidentiality but can't actually deliver since they are located in countries where practically anyone working for a government can get access to both the message and the decryption key.


Posted by:

Mac 'n' Cheese
30 Jan 2015

I understand where you're coming from, Rhonda, and you expressed it exquisitely: "The idea of maintaining high privacy alert at all times makes my adrenal glands shrivel."

Well, at my age, the adrenals are not the only ones to have shriveled. So I do things the old fashioned way. I assume that anything I send via email is about as secure as a postcard.

If I have to send something confidential, I'll mail it. If it's time sensitive, I'll fax it, using fax software.

If the recipient can't receive a fax, I'll create a PDF that's password-protected and send it as an email attachment. (I'll send the password in a separate email.)

That has worked for me for the last quarter-century.

Mac


Posted by:

jimeee
30 Jan 2015

THE TRUTH IS THAT "ALL" EMAIL SHOULD AUTOMATICALLY BE ENCRYPTED. PERIOD!!!

It should be that when a person sets up their email account it should have to be set up so that all email is automatically encrypted. All email clients and website email businesses should be structured so that all email is encrypted.

(I understand if you want to edit my capital letters out of the first paragraph. I felt that it should be strongly emphasized.)


Posted by:

Bruce Corston
30 Jan 2015

I have too many recipients to have encryption certificates between us on Thunderbird. I would need to do this only under legal issues?


Posted by:

MmeMoxie
30 Jan 2015

I don't worry about security, in my email. I mostly, get newsletter, like your Bob, and sale emails from Walmart, Sam's Club, Newegg and others just like them. Nothing is secure about any of those emails.

My financial institution sends me stuff, but, there again, nothing of any importance and NO financial secure information! Yes, Administrators and the like, if, the chose to ... Can see who I bank with, but, that is all. Plus, I know a Phish when I see one and my bank would NEVER send any thing like asking for your username and password, period!!!

Can I make a real observation??? Most people today, hardly ever use their emails anymore ... What they are using is Facebook ... There is way more security issues with Facebook, than with emails, today. That's how I look at it. :)


Posted by:

Greg
30 Jan 2015

What is the difference between encrypted emails and encrypted attachments? I have some software that can encrypt a pdf. I then separately email the password for the attachment so it can be opened. Is there a program that will encrypt email and attachment, or is that necessary?

EDITOR'S NOTE: The difference is minor. But emailing the encryption key in plain text (unless you do it in a very clever way) makes your encryption pointless. Refer to my carrier pigeon comment in the article.


Posted by:

Grumpy Mike
30 Jan 2015

I agree with Mac'n'Cheese. He & I must be of the same age group! There is nothing I send in an email that is of use to anyone except the recipient.
Never had any problems to date.


Posted by:

Raymond
30 Jan 2015

A very quick way, is to change the font! But you don't change it to 'Arial"... you change it to "Klingon"! Your recipient just changes it back to whatever you normally use! Not NSA proof, but will keep the the riff-raff out!


Posted by:

Bob
30 Jan 2015

Why is there a yellow triangle on my Yahoo Email address bar sometimes when I'm reading my Email. Does that mean people are reading my Emails.

EDITOR'S NOTE: No, it means you have a secure connection, but some element (probably an ad) was served from a non-encrypted site. Nothing to worry about.


Posted by:

Robert Kemper
30 Jan 2015

Thanks for the up to date information on the
importance of Encrypting Your E-mail. Glad I took the time to read it.


Posted by:

Joel
30 Jan 2015

I've always treated email the same way as a postcard. It probably won't ever be read by anyone, but it could be.


Posted by:

Unitary
31 Jan 2015

The approach that a message is either plain or encrypted is overly simplistic.

Do you know anything at all about the strength of the encryption protocols you discussed?

It is quite possible that the free services you had mentioned, and similar services, use encryption protocols that are trivial for those you want to hide your messages from. In this case, you are misled to believe that your messages are secure and feel free to send confidential information. This is even worse than treating e-mail as a non-secure communications link.

You can only trust an encryption protocol that was designed and verified by yourself. This is an extremely difficult challenge that can only be met by competent government agencies.

EDITOR'S NOTE: I couldn't disagree more! An open source encryption tool vetted by respected experts, with 256-bit (or higher) encryption is the only thing I could recommend. I wouldn't touch a government-provided encryption tool with a 1024-bit pole! As for why, I'll refer you to the British Prime Minister.


Posted by:

intelligencia
01 Feb 2015

Hello Mr. Rankin and Everyone Else!

. . . For now F-o-r-g-e-t Truecrypt as some dedicated people in Switzerland are working to improve it as it is no longer being supported by its original builders and thus there are still some security issues to be worked on. However, all is not lost as there is VeraCrypt which is based on the original TrueCrypt but only better!

Here is the link: https://veracrypt.codeplex.com/

Here is a review of VC: http://www.esecurityplanet.com/open-source-security/veracrypt-a-worthy-truecrypt-alternative.html

Hope you find the information provided above, useful.

i


Posted by:

Unitary
01 Feb 2015

Bob,

In response to my previous post you wrote, “I couldn't disagree more!”

Your refutation, however, referred to something that I definitely DID NOT write!

>>>> I wouldn't touch a government-provided encryption tool with a 1024-bit pole!

NEITHER WOULD I! A government-provided encryption procedure offered for public use is likely to have a built-in trapdoor, i.e., the designers of the procedure can decipher messages encrypted with the procedure that they designed.

I therefore wrote, “You can only trust an encryption protocol that was designed and verified by yourself.” “Yourself” surely does not mean “your government”.

As I wrote, a design of a strong encryption procedure is an extremely difficult challenge that can only be met by competent government agencies. The encryption procedure designed for these agencies are used by the government and are not released for public use.

>>>> An open source encryption tool vetted by respected experts, with 256-bit (or higher) encryption is the only thing I could recommend.

In the USA, competent experts work in Fort George Meade in Maryland. In the UK, they work in Benhall, Gloucestershire. The results of their analysis are not published to the general public.

A large encryption key (256 bits and above) DOES NOT ensure that there are no trapdoors and that there are no weaknesses that can be exploited by competent cryptanalysts.

If a strong encryption procedure were available to the public, the governments would ban its use. The British Prime Minister Cameron has just declared that the government would ban encrypted communications that cannot be deciphered by the government.

I hope that you can now appreciate the conclusion of my previous post,

“It is quite possible that the free services you had mentioned, and similar services, use encryption protocols that are trivial for those you want to hide your messages from. In this case, you are misled to believe that your messages are secure and feel free to send confidential information. This is even worse than treating e-mail as a non-secure communications link.”

EDITOR'S NOTE: I appreciate your comments, but we'll have to disagree on the notion that competent cryptanalysts are only found in government buildings. There's no evidence that TrueCrypt (for example) was ever broken.


Posted by:

bigbear639
01 Feb 2015

I get over 75 emails from various sources. Am I expected to ask Amazon, Home Depot, Walmart to use that encryption. As for friends it is hard enough convincing them that they should use Security on their cell phones and Tablets. The answer is I don't go those kind of websites. My best friends grandsons mother removes the A/V as soon as grandpop installs it.


Posted by:

Ed
07 Jul 2015

An issue I've come across re: using encryption is that it's a flag for some governments, whether they can break it or not. They figure if you feel the need to use it, they can't trust you, and if you are working in their country, you will be asked to leave, and if you are communicating with someone in a country of that nature, using a form of encryption, that person may be asked to leave. I know of specific cases where this has affected NGO workers as well as U.S. State Dept. workers. In fact I've been told by friends in an Asian country that the govt. is suspicious of anyone using Gmail or Yahoo mail. Paranoia lives.


Posted by:

Frank
30 May 2016

Bob, any 2016 updates on encryptions and some of the software mentioned in this thread? Thanks.
I asked because I wanted to send my kids some sensitive data now (while I am still around)that might be useful(health-wise)to them later in life.


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! And please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are previewed, and may be edited before posting.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.


Article information: AskBobRankin -- Are You Encrypting Your Email? (Posted: 29 Jan 2015)
Source: https://askbobrankin.com/are_you_encrypting_your_email.html
Copyright © 2005 - Bob Rankin - All Rights Reserved